Cybersecurity Experts Sound Alarm on Growing NVD Backlog


The United States’ federal database for tracking security vulnerabilities is facing significant challenges, with nearly 10,000 vulnerabilities left unanalyzed due to a halt in operations. As experts warn of the potential risks this backlog poses to critical sectors, questions are being raised about the future of the National Vulnerability Database (NVD) and who should be responsible for managing it.

Michael Daniel, president and CEO of the Cyber Threat Alliance, believes that resolving the critical question of who should populate the database is essential to fixing the NVD’s issues. There is ongoing debate over whether the NVD should remain under the management of the National Institute of Standards and Technology or be transferred to the Cybersecurity and Infrastructure Security Agency or even the private sector.

With over 9,700 Common Vulnerabilities and Exposures (CVEs) remaining unanalyzed by the NVD, according to NIST data, the backlog continues to grow. NIST attributed the backlog to various factors, including an increase in software vulnerabilities and changes in interagency support. NIST is exploring longer-term solutions, including potentially establishing a consortium of industry, government, and stakeholder organizations to address the issues.

The NVD backlog is a concern not only for the federal government but also for major cybersecurity vendors that rely on its data for vulnerability management. Scott Kuffer, co-founder of Nucleus Security, warns that the backlog could impact the ability of cybersecurity vendors to detect vulnerabilities in their environment, leading to potential security risks.

While some argue that the private sector should take on a larger role in vulnerability reporting and management, others believe that keeping the database under federal control is essential for fostering collaboration and ensuring consistent standards. The NVD relies on third-party security researchers and vendors to assign risk attributes to CVEs, but the lack of timely and consistent data poses challenges for organizations trying to prioritize their patching efforts.

Industry professionals, including Kaylin Trychon of Chainguard, have called on Congress to investigate the challenges facing the NVD and allocate additional resources to enhance its operations. Trychon believes that privatizing the NVD could lead to confusion and potential security incidents, emphasizing the importance of treating the database as critical infrastructure.

Experts agree that automated processes could help improve the quality and timeliness of NVD data, but organizations will still need to make informed decisions about which vulnerabilities to patch first. Ensuring the NVD’s data is consistent and up-to-date is crucial for organizations to prioritize their security efforts effectively and protect against potential cyber threats.
