Tag: NVD

  • Our New Year Vulnerability “Trends” Prediction!

[This was originally published on RiskBasedSecurity.com.] Shortly after a year closes out, the industry is treated to dozens of security companies that want to tell you all about vulnerability totals and trends from the previous year. In many cases, the companies offering the predictions are armchair experts of sorts, who do not aggregate vulnerability…

  • SQLi Disclosures and the Last Five Years (Transparent Statistics)

    [This was originally published on the OSVDB blog.] Nothing like waking up to a new article purporting to show vulnerability statistics and having someone ask us for comment. But hey, we love giving additional perspective on such statistics since they are often without proper context and disclaimers. This morning, the new article comes from Help…

  • CVE Vulnerabilities: How Your Dataset Influences Statistics

    [This was originally published on the OSVDB blog.] Readers may recall that I blogged about a similar topic just over a month ago, in an article titled Advisories != Vulnerabilities, and How It Affects Statistics. In this installment, instead of “advisories”, we have “CVEs” and the inherent problems when using CVE identifiers in the place…

  • Adobe, Qualys, CVE, and Math

    [This was originally published on the OSVDB blog.] Elinor Mills wrote an article titled Firefox, Adobe top buggiest-software list. In it, she quotes Qualys as providing vulnerability statistics for Mozilla, Adobe and others. Qualys states: The number of vulnerabilities in Adobe programs rose from 14 last year to 45 this year, while those in Microsoft…

  • OSVDB Now Supports CVSSv2 Scoring

[This was originally published on the OSVDB blog.] OSVDB now displays CVSSv2 scores, mostly as calculated by the National Vulnerability Database (NVD). Along with the score, we display the date that NVD generated it and give users a method for recommending updates if they feel the score is inaccurate. While this is long overdue, this…

  • VDB Relationships (Hugs and Bugs!)

    [This was originally published on the OSVDB blog.] Like any circle in any industry, having good professional relationships can be valuable to involved parties. In the world of security, more specifically Vulnerability Databases (VDBs), the relationships we maintain benefit the community behind the scenes. Like ogres and onions, there are layers. Someone from CVE and…

  • Scrubbing the Source Data

    [This was originally published on the OSVDB blog.] A few months ago, Jeff Jones at CSO Online blogged about “Scrubbing the Source Data”, talking about the challenges of using vulnerability data for analysis. Part 1 examined using the National Vulnerability Database (NVD) showing how you can’t blindly rely on the data from VDBs. In his…

  • ICAT > NVD

[This was originally published on the OSVDB blog.] Someone brought this to my attention: http://nvd.nist.gov/ National Vulnerability Database. Welcome to NVD!! NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on the CVE vulnerability naming standard. NVD contains: 11708 Vulnerabilities, 482 US-CERT…