The National Vulnerability Database (NVD) is one of the most valuable resources available in the fight to keep our software products safe, providing developers and security professionals with the info they need to fix their products when new vulnerabilities are published.
Along with the publication of new vulnerabilities in a range of commercial products and open source software components, the NVD provides an easy to navigate database platform that includes an analysis not found in other public resources.
Established in 2005, the NVD is operated under the auspices of the U.S. National Institute of Standards and Technology (NIST). It is sponsored by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, and by Network Security Deployment.
If you are a developer or security team member, the NVD can help keep your organization’s software safe, if you know how to take advantage of the information being provided.
What Kind Of Information Is In An NVD Posting?
Within a posting on the NVD, visitors can find a breakdown of many of the details about a software security vulnerability, to help them understand what they are dealing with and what their next steps should be.
This includes a description of the CVE and the source of the information, which is generally from the MITRE Corporation. Then we are given a picture of how dangerous a specific vulnerability can be in the impact section. Based on the CVSS v2 and CVSS v3 Severity and Metrics, the NVD tells readers how the vulnerability has been rated (Critical, High, Medium, Low), as well as details about how the exploitation could actually be carried out.
There are also helpful links to information that is not listed on the National Vulnerability (Read more...)
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Gabriel Avner. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/the-national-vulnerability-database-explained