As of June 29, 2018, the number of vulnerabilities reported through CVE is running at more than double the year-over-year rate, according to data published by the National Institute of Standards and Technology (NIST). Last year's total for the entire year was 14,714; this year to date already stands at 8,507 vulnerabilities.
The figures above come from the vulnerability data analyzed and reported by the National Vulnerability Database (NVD). NVD is a vulnerability database built upon, and fully synchronized with, the CVE List. NVD does not actively perform vulnerability testing; rather, it relies on vendors, third-party security researchers and vulnerability coordinators to provide the information that is then used to score vulnerabilities. The NVD is a product of the NIST Computer Security Division, Information Technology Laboratory (ITL), and is sponsored by the Department of Homeland Security's National Cyber Security Division.
What is CVE?
CVE stands for Common Vulnerabilities and Exposures. It is a list of entries, each containing an identifier, a description, and at least one public reference, for publicly known vulnerabilities. CVE entries are the vulnerability records used within the National Vulnerability Database. In effect, CVE is a dictionary of publicly disclosed cyber security vulnerabilities and exposures that is free to search, use, and incorporate into products and services.
What is the relationship between NVD and CVE?
The CVE List feeds NVD, which then builds upon the information included in CVE Entries to provide enhanced information for each entry such as fix information, severity scores, and impact ratings. As part of its enhanced information, NVD also provides advanced searching features such as by OS; by vendor name, product name, and/or version number; and by vulnerabilities, severity, related exploit range, and impact.
So what are Vulnerabilities?
“A weakness in the code found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.” Mitigation of a vulnerability typically involves code changes by the vendor, commonly referred to as a “patch”.
CVSS = Vulnerability Severity Scoring
The Common Vulnerability Scoring System (CVSS) provides a standard way to characterize the severity and impact of IT vulnerabilities. NVD provides qualitative severity rankings, which are defined in the CVSS v3.0 ratings below.
CVSS also provides consistent and repeatable impact scores that industry and government rely on. Common uses of CVSS scoring include prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one’s own systems. As additional data becomes available, CVSS scores are subject to further analysis, which may or may not trigger changes to the NVD by the NIST Computer Security Division and Information Technology Laboratory (ITL).