NIST silence: now IT companies are forced to deal with vulnerabilities alone

Teacher
Why does the institute no longer provide answers to the most important questions?

The US National Institute of Standards and Technology (NIST) says it is trying to improve its National Vulnerability Database (NVD). However, the current changes worry many organizations that rely on this database to secure their systems.

The problem surfaced in mid-February 2024, when researchers noticed that analysis details for newly published CVEs were appearing in the NVD less and less often.

Normally, every disclosed vulnerability is enriched in the NVD with the metadata defenders act on: a description, a list of affected products (expressed as CPE identifiers), a CVSS severity score, and so on.

Without this information, IT teams know that a vulnerability exists, but they have to work out for themselves which products it affects, how severe it is, and how to fix it. Since February, more than 2,500 vulnerabilities have been added to the database without this enrichment.
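The practical consequence of the gap described above is that a vulnerability feed can no longer be filtered mechanically by CPE or CVSS. The following script is an added example (not part of the original post) showing how a team can detect records that arrived without enrichment and fall back to a crude keyword match against its own product inventory. The JSON layout follows the shape of the NVD CVE API 2.0 response (`vulnerabilities[].cve` with `vulnStatus`, `metrics` and `configurations`); that layout, the CVE IDs, the product names and the records themselves are constructed for illustration, not real NVD data.

```python
"""Flag NVD records that lack CPE/CVSS enrichment and triage them by hand.

Added example. Assumptions: the response layout mirrors the NVD CVE API 2.0
(vulnerabilities[].cve.{id, vulnStatus, descriptions, metrics, configurations});
all records, IDs and product names below are constructed sample data.
"""
import json
import re

# Constructed sample response: one fully enriched record, one bare record.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-EXAMPLE-1",           # placeholder, not a real CVE id
            "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en",
                              "value": "Stack buffer overflow in Example Product 1.0."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8,
                                                        "baseSeverity": "CRITICAL"}}]},
            "configurations": [{"nodes": [{"cpeMatch": [{
                "vulnerable": True,
                "criteria": "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {
            "id": "CVE-EXAMPLE-2",           # placeholder, not a real CVE id
            "vulnStatus": "Awaiting Analysis",
            "descriptions": [{"lang": "en",
                              "value": "Authentication bypass in Other Widget Server."}],
            # no metrics, no configurations: exactly the gap the article describes
        }},
    ]
})

# Constructed inventory of products the organisation runs (display names).
INVENTORY = ["Example Product", "Other Widget Server", "Third Thing"]


def enrichment_gaps(cve):
    """Return which enrichment fields are absent from a single CVE record."""
    missing = []
    if not cve.get("metrics"):
        missing.append("cvss")
    if not cve.get("configurations"):
        missing.append("cpe")
    return missing


def mentions_inventory(description, inventory):
    """Crude fallback when no CPE list exists: look for inventory product
    names in the free-text description (whole-word, case-insensitive)."""
    hits = []
    for name in inventory:
        if re.search(r"\b" + re.escape(name) + r"\b", description, re.IGNORECASE):
            hits.append(name)
    return hits


def triage(response_json, inventory=INVENTORY):
    """Map CVE id -> triage verdict. Enriched records can be matched on CPE
    by normal tooling; unenriched ones are routed to manual review, with any
    inventory products named in the description as a starting point."""
    data = json.loads(response_json)
    verdicts = {}
    for item in data["vulnerabilities"]:
        cve = item["cve"]
        gaps = enrichment_gaps(cve)
        english = [d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"]
        description = " ".join(english)
        verdicts[cve["id"]] = {
            "status": cve.get("vulnStatus"),
            "missing": gaps,
            "manual_review": bool(gaps),
            "inventory_hits": mentions_inventory(description, inventory) if gaps else [],
        }
    return verdicts


if __name__ == "__main__":
    for cve_id, verdict in triage(SAMPLE_RESPONSE).items():
        print(cve_id, verdict)
```

The keyword fallback is deliberately conservative: it only tells you which unenriched records to read first, not whether you are affected. A description that names a product without a version, or uses a different spelling than your inventory, still needs a human to map it to CPEs.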

Naturally, the situation caused discontent in the industry, and NIST had to respond. A few days later, the institute announced possible "delays in analytical work." It explained this by saying that it was forming a consortium to address shortcomings in the NVD and to develop improved analysis tools.

However, this statement seems to have only increased the tension. Some experts asked for details about the composition and working procedure of the consortium. Others questioned the need for such drastic changes, given that the industry has established a "fairly efficient" system that has been used and produced results for many years. NIST has not yet provided further clarification.

According to one version, the institute plans to replace the currently used CPE identifiers (Common Platform Enumeration) with SWID tags (Software Identification tags).

CPE (Common Platform Enumeration) is a way to assign a unique identifier to a software product in a strict format consisting of several colon-separated fields (part, vendor, product, version, and so on).

SWID (Software Identification) tags are a more detailed XML-based format for describing installed software, standardized as ISO/IEC 19770-2. Besides the identifier, a SWID tag carries a lot of additional information: the creating entity, licenses, patches, the files that make up the product, and cryptographic hashes of those files.

However, this is still just a guess.
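Whatever NIST decides, the two identifier formats described above behave very differently in practice, and the difference is easy to see in code. The script below is an added example (not from the original post or from NIST): it parses CPE 2.3 formatted strings into their fields and performs a basic match, then parses a minimal SWID tag and verifies the payload hashes it carries. The SWID namespace and the `sha256:hash` attribute follow the ISO/IEC 19770-2 schema as I understand it; the tag itself, its product names and its file contents are constructed for the example. The CPE matcher treats `*` as "any" and only handles the escaped-colon case, not the full wildcard rules of the CPE matching specification.

```python
"""CPE 2.3 parsing/matching and minimal SWID tag verification.

Added example. Assumptions: CPE 2.3 formatted strings have 11 colon-separated
components with ':' escaped as '\\:'; SWID tags use the ISO/IEC 19770-2 (2015)
namespace and carry file hashes in a 'sha256:hash' attribute. All sample
strings, names and file bytes are constructed.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a field dict.
    Colons inside a value are escaped as '\\:' and must not split the string."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string")
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} components, got {len(parts)}")
    return {k: v.replace("\\:", ":") for k, v in zip(CPE_FIELDS, parts)}


def cpe_matches(criteria, target):
    """True if every non-ANY field of the match criteria equals the target's.
    '*' (ANY) on either side matches anything; per-character wildcards are
    not implemented here (assumption: exact compare is enough to illustrate)."""
    c, t = parse_cpe23(criteria), parse_cpe23(target)
    return all(c[f] == "*" or t[f] == "*" or c[f] == t[f] for f in CPE_FIELDS)


SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed payload and SWID tag: one file with its size and SHA-256.
SAMPLE_FILE_BYTES = b"example bytes"          # 13 bytes
SAMPLE_SWID = f"""<?xml version="1.0" encoding="utf-8"?>
<SoftwareIdentity xmlns="{SWID_NS}" xmlns:sha256="{SHA256_NS}"
    name="Example Product" tagId="example.com-product-1.0" version="1.0">
  <Entity name="Example Vendor" regid="example.com" role="tagCreator softwareCreator"/>
  <Payload>
    <File name="product.bin" size="{len(SAMPLE_FILE_BYTES)}"
          sha256:hash="{hashlib.sha256(SAMPLE_FILE_BYTES).hexdigest()}"/>
  </Payload>
</SoftwareIdentity>
"""


def parse_swid(xml_text):
    """Extract identity attributes and the payload file list from a SWID tag."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a SWID SoftwareIdentity element")
    tag = {"name": root.get("name"), "tagId": root.get("tagId"),
           "version": root.get("version"), "files": []}
    for f in root.iter(f"{{{SWID_NS}}}File"):
        tag["files"].append({"name": f.get("name"),
                             "size": int(f.get("size", "0")),
                             "sha256": f.get(f"{{{SHA256_NS}}}hash")})
    return tag


def verify_payload(tag, contents):
    """Check each File in the tag against actual bytes.
    `contents` maps file name -> bytes (a stand-in for reading from disk)."""
    results = {}
    for f in tag["files"]:
        data = contents.get(f["name"])
        if data is None:
            results[f["name"]] = "missing"
        elif len(data) != f["size"] or hashlib.sha256(data).hexdigest() != f["sha256"]:
            results[f["name"]] = "mismatch"
        else:
            results[f["name"]] = "ok"
    return results


if __name__ == "__main__":
    print(parse_cpe23("cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*"))
    tag = parse_swid(SAMPLE_SWID)
    print(tag["tagId"], verify_payload(tag, {"product.bin": SAMPLE_FILE_BYTES}))
```

The contrast is the point: a CPE string can only say "this name and version are affected", so matching it depends on everyone spelling vendor and product the same way, while a SWID tag lets an endpoint agent prove which files are actually installed by hashing them. That is also why the switch would not be painless: every existing CPE-based matcher would need new inputs.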