Upgraded Vulnerability Database Enables Advances in Security Automation
For Immediate Release: September 16, 2008
Facilitating efforts to automate important computer security tasks, the National Institute of Standards and Technology (NIST) has upgraded the National Vulnerability Database (NVD), a comprehensive repository of public information on potential vulnerabilities in computer systems. The upgrade centers on the NVD’s dictionary, which identifies names of products such as operating systems and applications.
The new version, known as NVD 2.2, conforms to a product-naming scheme known as the Common Platform Enumeration (CPE, http://cpe.mitre.org). With NVD 2.2, the official CPE dictionary of 15,500 products is now incorporated into the NVD data.
More than 80,000 updates to the NVD vulnerability data were made in preparation for this upgrade. The CPE standard enables the NVD product dictionary to achieve a new level of rigor and quality—and enables advances in security automation. In the earlier NVD product dictionary, data was usable only for human consumption because its structure was loosely defined. However, the new dictionary enables the data to be used for automated, machine-to-machine communications.
This update enables security tools and databases to correlate information with each other based on standardized product identifiers. For example, a database of network assets (which would list hardware and software as well as patches and service packs) can be correlated with a database of security vulnerabilities to identify what vulnerabilities might be present on instances of software. This is made possible because NVD links its large repository of vulnerability information to standard product names.
NVD data and CPE is used within the computer security specification known as the Security Content Automation Protocol (SCAP), SCAP technology is used by initiatives of the Office of Management and Budget (OMB). General Services Administration (GSA), and the Department of Defense. Thus, the NVD adoption of CPE and NIST’s maintenance of the CPE dictionary will promote standardization of product names throughout the federal government and into much of commercial industry.
NVD was developed by researchers in NIST’s Computer Security Division with support from the Department of Homeland Security’s National Cyber Security Division. NVD may be accessed at http://nvd.nist.gov.