[This was originally published on RiskBasedSecurity.com in the 2017 Q3 Vulnerability QuickView report.]
In October, Bill Ladd of Recorded Future released a study comparing CVE and the U.S. National
Vulnerability Database (NVD) with China’s National Vulnerability Database (CNNVD). This report, titled
“The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting” was covered by John Leyden in
The Register and Dune Lawrence for Bloomberg. Mr. Ladd’s article gives a good breakdown of the
relationship between CVE and NVD, as well as their shortcomings, which many in the industry still don’t
fully understand. We’ll examine Mr. Ladd’s four “key takeaways” and share our thoughts and perspective:
1 – “Organizations need access to the latest vulnerability (CVE) information to manage their exposure to risk.”
There is no disputing that organizations need access to the latest vulnerability information. However, perhaps the most dangerous part of Mr. Ladd’s takeaway is associating CVE with that role. CVE is a U.S. government-funded project that calls itself “a dictionary of publicly known information security vulnerabilities and exposures” and says it “is not a vulnerability database”. Rather, CVE was designed to “provide common names for publicly known problems”, with the stated aim of “[allowing] vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services.”
CVE is one of many sources of vulnerability information available. As his own article, this report, and many other articles point out, CVE is not a vulnerability database and is generally not a source of the “latest” information.
2 – “The U.S. National Vulnerability Database (NVD) trails China’s National Vulnerability Database (CNNVD) in average time between initial disclosure and database inclusion (33 days versus 13 days) — China isn’t directly integrated in managing CVEs, but are still able to report vulnerabilities more rapidly than the U.S.”
Mr. Ladd’s analysis is interesting and largely confirms what RBS has known and reported for a long time. CNNVD may be quicker to populate its database with some CVE IDs, but organizations focused on NVD vs. CNNVD are missing the larger issue: neither source (CNNVD or NVD) is a vulnerability database that can be depended upon to provide the vulnerability intelligence needed to protect your network. Ultimately, those 13 days or 33 days will not matter if the vulnerability used to exploit your organization is not found in either source.
3 – “CNNVD actively gathers vulnerability information across the web. NVD should do this but instead waits for voluntary submission by vendors.”
As stated above, this would be a task MITRE would have to undertake. Unfortunately, even with such a drastic change to MITRE’s process, CVE, NVD, and CNNVD would still be far behind more mature services. Actively gathering vulnerability information across the web is part of the VulnDB methodology, and it is why all of the CVE IDs mentioned above, and more, are in our database while still marked as RESERVED in CVE. More importantly, that methodology is why there is such a large difference in the number of vulnerabilities aggregated by RBS compared to MITRE: we continually find additional vulnerabilities not included in CVE-based databases.
The Register article ends with a quote from Katie Moussouris, who said “NVD is run by a small group with limited resources. Most who need real time vulnerability info don’t rely on it. Commercial services fill that role.” Ms. Moussouris is absolutely correct. Companies serious about information security cannot rely solely on CVE, NVD, or CNNVD if they want to protect their organization’s assets. Finally, please don’t conclude from Ms. Moussouris’ comment that more tax dollars could fix the shortcomings in NVD. In our opinion, the issue is more about a lack of vulnerability expertise, process efficiency, and a mission to provide a comprehensive and timely vulnerability intelligence database.