Chris H.’s Post


CEO @ Aquia | Cyber Innovation Fellow @ CISA | Chief Security Advisor @ Endor Labs | 2x Author | Veteran

18,000+ 😳 That's the number of unenriched CVEs in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

In fact, NVD hasn't enriched a SINGLE CVE from the period of February-May 2024. They are currently enriching less than 50% of CVEs every month too, demonstrating backlog growth. This is despite announcements of a new contract award to a Government Contractor and public statements to burn down the backlog by the end of FY2024 (which is obviously not going to happen).

Some may be asking what's the big deal..? This means NVD and the number of other vulnerability databases that rely on it to enrich CVEs with CPE identifiers, to tie vulnerabilities to products, have a major gap, which of course goes downstream to organizations' vulnerability management teams as well.

Folks like Tom Alrich, Andrey Lukashenkov, Jerry Gamblin and Patrick Garrity 👾🛹💙 have been trying to raise awareness around the issue and its implications for vulnerability management all year. It's clear that the NVD hasn't and may never fully function as it once did, and has lost a ton of credibility in the community. There are some alternatives growing but as Tom points out in the blog below, they aren't perfect and have some gaps as well.

https://lnkd.in/ejNRqsME

#ciso #cyber #vulnerabilitymanagement

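As an added illustration of the enrichment gap the post describes (this is not code from Chris's post or from NVD's tooling): a small Python check over records in the shape of the NVD API 2.0 `vulnerabilities[].cve` objects that flags CVEs with no NVD analysis and therefore no CPE identifiers to tie them to products, and shows which CVSS score, NVD's or the CNA's, a consumer would be left with. The feed records, CVE ids, dates and scores below are constructed placeholders.

```python
import json

# Constructed sample shaped like NVD API 2.0 `vulnerabilities[].cve` records.
# The CVE ids, dates and scores are placeholders, not real NVD data.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001", "published": "2024-03-01T10:00:00.000",
             "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.test", "type": "Secondary",
                                            "cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-00002", "published": "2024-01-10T10:00:00.000",
             "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                            "cvssData": {"baseScore": 7.5}}]},
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-00003", "published": "2024-04-20T10:00:00.000",
             "vulnStatus": "Received"}},
]})

# vulnStatus values NVD assigns before its own analysis (CPEs + NVD CVSS) is done.
UNENRICHED = {"Received", "Awaiting Analysis", "Undergoing Analysis"}


def cpe_criteria(cve):
    """Every CPE match string NVD attached to the record; empty when unenriched."""
    return [m["criteria"]
            for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", [])]


def best_score(cve):
    """Prefer NVD's own CVSS v3.1 score; fall back to the CNA-supplied one if present."""
    entries = cve.get("metrics", {}).get("cvssMetricV31", [])
    nvd = [e for e in entries if e.get("source") == "nvd@nist.gov"]
    pick = nvd or entries
    if not pick:
        return None, None
    return pick[0]["cvssData"]["baseScore"], pick[0]["source"]


def enrichment_report(feed_json):
    """Map CVE id -> (vulnStatus, number of CPEs, score, score source) for one feed page."""
    report = {}
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        score, source = best_score(cve)
        report[cve["id"]] = (cve["vulnStatus"], len(cpe_criteria(cve)), score, source)
    return report


def unenriched_ids(report):
    """CVEs that a CPE-driven asset match will silently miss: no NVD analysis, no CPEs."""
    return sorted(i for i, (status, n_cpe, _, _) in report.items()
                  if status in UNENRICHED or n_cpe == 0)
```

Run against a real NVD API page the same way; any id returned by `unenriched_ids` is a vulnerability your CPE-based inventory matching cannot see, whatever its CNA score says.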
Steven Luengo

Lead Security Engineer | Application Security | Cloud Security | DevSecOps

1d

Chris Hughes, where does that leave EPSS? Is it dependent on NVD or just CVSS? We are using EPSS to drive our vulnerability remediation efforts due to the ever-increasing number of CVEs. It's an insurmountable task to remediate everything, so we decided to focus on what has the highest probability of exploitation. Specifically EPSS percentile along with a few other parameters like exploit maturity and fixability. What are your thoughts on this approach?

Patrick Garrity 👾🛹💙

Cybersecurity/Vulnerability Researcher

1d

I've been debating if I should do an update on all the exploitation that's going on with CVEs that have continued to go unanalyzed... 🤷♂️ Weekend Project!

Manu Fontaine

Founder & CEO at Hushmesh Inc. The Mesh is the new Web.

1d

Chris Hughes this whole uncoordinated "security after the fact" approach just doesn't scale. We need to shift all the way left and incorporate security by design in everything we do.

Jerry Gamblin

Principal Engineer at Cisco Threat Detection & Response

1d

### NVD Analysis Update for September 20th

- 17524 CVEs published this year have not been analyzed.
- NVD has analyzed 5591 CVEs published since February 15th.
- For the 17524 unanalyzed CVEs, analyzing at the pre-Feb 15th average, emptying the backlog would take 319 days.

Tom Alrich

Leader of OWASP SBOM Forum and Vulnerability Database Working Group projects; consultant on NERC CIP compliance in the cloud and vulnerability management

1d

Chris: I never thought of it this way, but the NVD situation is exhibit A for what I'm going to call the XKCD principle: The likelihood that a single point of failure will bring the whole process crashing down is directly proportional to the importance of the process (I'll have the math of this proof worked out shortly... 😏).

☁️ Francesco ☁️ Cipollone

Reduce risk - focus on vulnerabilities that matter - Contextual ASPM - CEO & Founder - Phoenix security - 🏃♂️ Runner - ❤️ Application Security Cloud Security | 40 under 40 | CSA UK Board | CSCP Podcast Host

1d

Yep, we are on the losing track so far if things don't get automated. I wrote about this: https://phoenix.security/nvd-backlog-burndown-update/

Yossi Barishev

Director of Security Innovation @ Fireblocks | Cyber CTO | Incident Response & SecOps Expert | Strategist | Advisor | Speaker

20h

So what would be the implication of this on VM platforms and solutions? How are vendors tackling this inherent flaw in the pipeline? What’s the optimal way to approach VM from an intelligence and data sourcing perspective?

Michael J Blenkinsop

Webmaster @ Darkspace Software & Security | Technical Training Manager| 🌎 N01=Rigger.

1d

Look at my videos, tell me I'm insane; it comes from me, respect me please.
