NIST Wants Help Digging Out of Its NVD Backlog

Published: 23/11/2024   Category: security




The National Vulnerability Database can't keep up, and the agency is calling for a public-private partnership to manage it going forward.



After warning it can't keep up with the exploding number of bugs being submitted to the National Vulnerability Database (NVD), the National Institute of Science and Technology (NIST) has asked for additional resources from the US government and the private sector.
The agency said in February it was experiencing delays updating the NVD. This week, it admitted the delays have ballooned into a bona fide backlog. NIST said it is working to address the highest priority vulnerabilities first.
"This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support," NIST said in a statement regarding its NVD backlog.
Staff at NIST are being shuffled around to triage the vulnerability analysis delays, but longer-term solutions are required, the agency explained. One specific suggestion NIST highlighted was the creation of a public-private consortium to support the NVD, made up of industry, government, and other stakeholder organizations that can collaborate on research.
NIST's NVD is foundational to security operations, according to Jason Soroko, senior vice president of product at Sectigo. And getting additional analysts working through the backlog is critical, he added.
"The problem is scale," Soroko says. "NIST is going to open up the program to a consortia of vetted organizations from the industry in order to deal with the backlog of vulnerabilities that need to be analyzed and understood before being put into the NVD database. The move is a good one."
NIST needs a new approach if the agency is going to be able to keep up with the explosion in CVEs, explains Saumitra Das, vice president of engineering at Qualys.
"NIST NVD has been a cornerstone of vulnerability management for a long time," Das says. "However, the exponential growth in CVE issuance has created pressure which will necessitate a different and prioritized approach as mentioned in this statement. Budget cuts happening for the first time in a decade are possibly part of this issue as well, apart from the sheer volume."
Because NIST and the NVD have been so important to cybersecurity in the past, John Bambenek, president at Bambenek Consulting, says he's hopeful that with an assist from the cybersecurity industry, NVD can get back on track.
"The NVD is a major success story for NIST and cybersecurity, and hopefully a pivot to a private-public sector partnership can be reached quickly to scale up the program," Bambenek says. "This announcement illustrates that the explosion in vulnerability possibilities has grown so large that not even the US government can adequately keep their hands around the problem."
