{"id":20520,"date":"2024-04-11T09:56:24","date_gmt":"2024-04-11T16:56:24","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=20520"},"modified":"2024-04-19T09:20:23","modified_gmt":"2024-04-19T16:20:23","slug":"mind-the-gaps-whats-up-with-the-nvd","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/mind-the-gaps-whats-up-with-the-nvd\/","title":{"rendered":"Mind the Gaps: What\u2019s up with the NVD?"},"content":{"rendered":"\t\t

<p>The growing backlog of vulnerabilities awaiting analysis at the NVD is attracting a lot of attention. Securin\u2019s analysts took a deep dive into the problem. Here\u2019s what we found, and what it means for your organization.<\/p>


<h2>What\u2019s up with NVD?<\/h2>

<p>Since February, a slowdown at the NVD has caused a growing backlog of submitted vulnerabilities that still require analysis. The reasons for the delay include an increasing volume of software to be analyzed and a change in interagency support. Whatever the causes, it\u2019s fair to say that the knock-on effects for cybersecurity in general and vulnerability management in particular are significant.<\/p>

<p>The threat research team at Securin took a deep dive into the problem. Here\u2019s what we found – and what it means for anyone tasked with protecting their organization from cyberattacks.<\/p>


<h2>CVEs: More Data, More Gaps, More Problems<\/h2>

<p>The number of CVEs published every year has increased almost <b>2x<\/b> in five years. Reasons for this include:<\/p>

<ul>
<li>Increasing complexity of software and technology systems<\/li>
<li>Expanding threat landscape<\/li>
<li>Heightened security awareness<\/li>
<li>Improved vulnerability and reporting mechanisms<\/li>
<\/ul>

<p>In theory, all of this is good news. The more vulnerabilities we detect, the better prepared we can be, right? The reality is that more data can bring more challenges for vulnerability management, as organizations struggle to understand, prioritize and address the growing volumes of vulnerabilities effectively.<\/p>

<p><b>Unintended end result:<\/b> potential for leaving critical systems exposed to exploitation. The growing number of CVEs brings welcome visibility to security issues; the challenges, however, arise from incomplete data points required for CVE analysis and prioritization.<\/p>

<p>So what are these missing data points and why is context so important in vulnerability management? Let\u2019s take a look.<\/p>


<h2>1. The CPE Problem: Missing Context<\/h2>

<p>When it comes to vulnerability analysis, prioritization and mitigation, context is everything. With high volumes of CVEs and increasing complexity, context is key to understanding where to focus your attention and which threats require the most immediate mitigation. That\u2019s where CPE comes in.<\/p>

<p>CPE, or Common Platform Enumeration, provides a structured way to identify the IT systems, software, and packages affected by a CVE. It offers vital context for understanding vulnerability impact. Vulnerability scanners use CPE to detect affected assets and configurations, which is crucial for prioritizing and remediating security risks. Without it, organizations risk inefficient vulnerability management, leaving systems and data vulnerable to exploitation.<\/p>

<p>Here are some of the issues the Securin team has uncovered:<\/p>