Vulnerability Databases. The Way from Collecting to Working
Whenever we talk about vulnerabilities, we hear about the databases in which they are recorded. There are many vulnerability databases, but which came first, and how does a vulnerability end up in one? This article walks through that process.
What Is a Vulnerability Database?
A vulnerability database is a tool that provides access to information on known vulnerabilities. Experts collect, verify and share this information with the wider community to improve collective cybersecurity knowledge, and organizations use it to track and fix vulnerabilities in their own systems. Vulnerability scanners are built on top of vulnerability databases. A vulnerability scanner is an automated testing tool that searches a system for known vulnerabilities and weaknesses and reports the potential exposures it finds; it does not exploit them or confirm their real impact. That is the job of a penetration test, which typically follows a scan. The two are related but not the same, and they should not be confused.
Databases cover a variety of vulnerabilities, and which kinds a given database covers depends on its purpose. Vulnerabilities include:
- Hardware – poor encryption, component degradation, and firmware vulnerabilities.
- Software – user interface issues, timing flaws, privilege-confusion bugs, memory assignment bugs, and design bugs.
- Network – insecure architectures, insufficient authentication, and uncontrolled access.
How a Vulnerability Database Works
The first step in collecting vulnerabilities is reporting them. Reports can come from many sources, from developers to end users. Every reported vulnerability then goes through a waiting period, commonly 30 to 90 days depending on the vendor's or coordinator's disclosure policy, before the information becomes public. This period gives developers time to create and release patches. It also lets customers install those patches and protect themselves before public notification, depending on the vendor's notification policy and the product. Once the patch is available, the vulnerability and its specifics are published to the whole community.
How Vulnerabilities Are Scored
One of the most widely used lists of vulnerabilities is CVE (Common Vulnerabilities and Exposures), run by MITRE, a government-sponsored nonprofit organization. The program was launched in September 1999. CVE itself only identifies and catalogs vulnerabilities; it does not score them. Scoring is done with CVSS, the Common Vulnerability Scoring System, which is maintained by FIRST (the Forum of Incident Response and Security Teams), not by MITRE. A CVSS base score is computed from a vector of metrics that describe how the flaw is reached (attack vector, attack complexity, privileges required, user interaction), whether exploiting it crosses a security boundary (scope), and its impact on confidentiality, integrity and availability; the resulting number from 0.0 to 10.0 is mapped to a severity band from None to Critical. Once a vulnerability is discovered, a CVE ID can be reserved for it and listed without any specifics; after the waiting period, the entry is updated with the details.
CVE Identifiers
Identifiers were created to make it simpler for people all around the world to refer to and understand vulnerabilities. When every vendor and database had its own identifiers, it was hard to tell whether two entries described the same vulnerability. Since then, every vulnerability has an ID, references and a description:
- The CVE ID contains the year in which the ID was reserved or the vulnerability was made public (not necessarily the year it was researched) and a sequence number of at least four digits, in the form CVE-YYYY-NNNN; the sequence portion has been variable-length since 2014.
- The references contain links to patches, advisories and other recommendations, and vendor statements.
- The description summarizes the vulnerability.
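As an added example (not code from the original article), the following Python parses and validates CVE IDs of the form described above and pulls the distinct IDs out of free text such as a vendor bulletin, newest first. The bulletin text is constructed for the example, and the IDs in it are used only as strings to parse. The rule that a sequence number longer than four digits is never zero-padded follows MITRE's 2014 syntax change and is applied here as an assumption.

```python
import re

# CVE ID syntax: "CVE-" + four-digit year + "-" + a sequence number of at
# least four digits (variable length since MITRE's 2014 syntax change).
# Matching is case-insensitive so IDs copied in lower case still match.
CVE_ID_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)
CVE_IN_TEXT_RE = re.compile(r"\b" + CVE_ID_RE.pattern + r"\b", re.IGNORECASE)


def parse_cve_id(text):
    """Validate a single CVE ID and return (normalized_id, year, sequence).

    Raises ValueError if the input is not exactly one well-formed ID.
    Assumption (per MITRE's 2014 syntax change): a sequence longer than
    four digits is never zero-padded, so CVE-2014-0001 is valid but
    CVE-2014-00001 is not.
    """
    m = CVE_ID_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("not a CVE ID: %r" % text)
    year, seq = m.group(1), m.group(2)
    if len(seq) > 4 and seq.startswith("0"):
        raise ValueError("over-padded sequence number in %r" % text)
    return ("CVE-%s-%s" % (year, seq), int(year), int(seq))


def is_cve_id(text):
    """True if text is one well-formed CVE ID."""
    try:
        parse_cve_id(text)
    except ValueError:
        return False
    return True


def extract_cve_ids(text):
    """Return the distinct well-formed CVE IDs found in free text, newest
    first (by year, then sequence number), normalized to upper case."""
    found = {}
    for m in CVE_IN_TEXT_RE.finditer(text):
        candidate = m.group(0)
        if is_cve_id(candidate):
            cve, year, seq = parse_cve_id(candidate)
            found[cve] = (year, seq)
    return sorted(found, key=found.get, reverse=True)


# Constructed sample text, not a real advisory; the IDs are only strings to parse.
SAMPLE_BULLETIN = """\
Security bulletin (constructed sample).
Affected: cve-2021-44228, also written CVE-2021-44228. Related: CVE-2014-0160.
Not valid identifiers: CVE-2014-00160, CVE-21-1234, CVE-2021-123, CVE2021-44228.
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_BULLETIN):
        print(cve, parse_cve_id(cve))
```

Normalizing to upper case and deduplicating before you look IDs up matters in practice: the same ID copied from different bulletins in different cases would otherwise produce duplicate tickets or duplicate database queries.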
Popular Vulnerability Databases
- NVD (National Vulnerability Database)
The NVD was established in 2005 by the US government and is run by NIST. It is the best-known publicly available vulnerability database. The NVD does not assign CVE IDs itself; it takes the CVEs from the MITRE list and enriches them. This enrichment consists of a CVSS score and severity rating, links to available patches and advisories, and information about how the vulnerability works and what its impact is. All of these items help you understand and prioritize the remediation of the vulnerabilities you have.
- OSVDB (Open Source Vulnerability Database)
The OSVDB was launched in 2004; Jake Kouns, one of its founders, later founded Risk Based Security, the company that operates its commercial successor, VulnDB. The aim of the OSVDB was to provide detailed information about security vulnerabilities for non-commercial use. However, some enterprises used the database commercially without paying, and the OSVDB was shut down in April 2016. Risk Based Security had started the commercial VulnDB in 2011. This database contains more than 140k entries, each with information on affected vendors and products, the type and classification of the vulnerability, and cross-references to other identifiers. Many entries also carry threat intelligence and countermeasure information.
Additional Sources
Alongside vulnerability databases, you can also use vendor security bulletins. A bulletin tells you about security vulnerabilities in a vendor's products, the remediation strategy, and the available software updates. Some IT enterprises publish their own security bulletins, for example IBM and Microsoft. Because the information is sensitive, bulletins generally do not include detailed exploitation information: they notify customers that a vulnerability exists and how to fix it, and customers are responsible for assessing the actual or potential impact on their own environments.
There are also organizations and services that publish secure-configuration guidance rather than vulnerability listings. CIS Benchmarks, for example, are developed through the volunteer efforts of IT experts, vendors and the CIS Benchmarks developers. In our Database Vulnerability Assessment, we use CIS Benchmarks guidance and DISA STIGs to identify and mitigate security weaknesses and establish a secure configuration.
There are many vulnerability databases you can use to protect your systems. They form the basis of vulnerability scanners, which let you automate the search for known vulnerabilities. Stay aware of the vulnerabilities in your systems to protect your sensitive data and your reputation.