The National Vulnerability Database & Third Party Security Risk
The National Vulnerability Database is a US government-run system that records a wide range of security and compliance information and protocols. Originally developed in 2000, it’s grown into a powerful tool that helps businesses close major security gaps and protect their data—but it’s far from perfect. Ultimately, someone had to have discovered the recorded vulnerabilities before they could be logged, giving bad actors plenty of time to act on these security gaps. Research suggests that 75% of vulnerabilities are published online before being logged and remedied.
Of course, software vulnerabilities aren’t the only thing recorded in the National Vulnerability Database. It also rates the severity of a given vulnerability using its own scoring system, classifies vulnerability types and identifies what systems it impacts. In other words, the database provides a comprehensive overview of potential problems, allowing users to fix problems, evaluate system security and ensure that they are in compliance with all relevant guidelines. The question: Is that enough when it comes to reducing security risk in general and third-party security risk in particular?
Despite everything that the National Vulnerability Database does, many have argued that it isn’t sufficient when it comes to meeting modern security standards. Today’s complex threat environment demands more, and the good news is that the tools your business needs to close the threat gap are out there. By developing a comprehensive approach to vulnerability management for your organization as well as your third parties, rather than relying exclusively on the database, your organization can demonstrate your commitment to information security.
Security vs. Vulnerabilities
There are many reasons why the National Vulnerability Database isn’t sufficient for managing your system’s security, but the root of the problem rests in a single word: vulnerability. In the tech sector, vulnerabilities are generally thought of as synonymous with Common Vulnerabilities and Exposures (CVE). As such, the standardized CVE list works in parallel with the National Vulnerability Database, and all updates to the CVE list should go on to be listed in the National Vulnerability Database.
Having parallel systems can be a useful accuracy check, but using these tools exclusively is limiting and leaves gaps in our understanding of security issues. For example, when Synopsys published its 2020 Open Source Security and Risk Analysis report, four of the top ten vulnerabilities it listed had no established CVE associated with them. That means we knew there was a problem but didn’t have the information to fix it at its root.
A Rising Tide
We’ve already established that the National Vulnerability Database and CVEs more generally have a timeliness problem: vulnerabilities take too long to identify and even longer to get properly recorded, leaving organizations exposed in the meantime. That’s not the only problem facing businesses today, though. We’ve also seen a surge in the number of CVEs, spread across a broader range of threat categories. These shifts combined represent a challenge that could put our databases and solutions even further behind the curve.
Open source communities and others interested in tackling the challenge of software vulnerabilities are working hard to identify threats more quickly, but it’s not enough. The only way to conquer the problem is by using a broader array of strategies to both identify and resolve major security issues before they can be exploited, putting critical data at risk.
Expanding Threat Watch
Part of addressing potential vulnerabilities before we’ve identified their specific CVEs is expanding the sources we use to think about threats. For those with the budget and staff, this might mean using outside research and system metrics. This is how the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program works, but most organizations don’t have the resources to undertake such an advanced program. Instead, the average organization relies on commercial tools to supplement the public database.
Another aspect of addressing system vulnerabilities on a macro level is taking into account all of the points of interaction modern organizations have with other services, and Panorays can help with this. Our cyber posture rating looks at all of your digital assets to determine your true digital perimeter. We look at how secure your third-party services are—or aren’t—and how a hacker would approach your system. At Panorays, we recognize that security isn’t only about specific system flaws, but about all of your organization’s points of connection. Just because a program works fine on its own, it doesn’t mean it will plug smoothly into your system.
As noted, the National Vulnerability Database is a key tool for identifying CVE threats, and one of the benefits of this system is that once a vulnerability is identified, its CVE code is linked to a solution. The basic premise: When the database tells you something is wrong, it will also tell you how to fix it—and that’s great if there’s someone in your business’s IT department who handles that process. But what if there’s no clear plan for correcting problems, or limited staff, making prioritizing these repairs difficult? These common problems all contribute to security gaps.
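As an added example (not Panorays’ code, and not the NVD’s), here is how a defender can turn what the database records for a CVE into the prioritized repair list the paragraph above says understaffed teams struggle to build. The severity score, vulnerability type and impacted systems mentioned earlier are, in NVD terms, a CVSS base score, a CWE weakness identifier and CPE product identifiers with version ranges; the code below matches a third-party software inventory against those fields and ranks the hits. The record layout follows the NVD 2.0 JSON API as understood here, and every CVE id, vendor, product, version and supplier name is a constructed placeholder rather than a real advisory. It also handles the timeliness gap discussed above: a record that is published but not yet scored stays on the list instead of being silently dropped.

```python
"""Match a third-party software inventory against NVD-style records and rank the hits.

Added example, not code from Panorays or the NVD. Record layout follows the NVD 2.0
JSON API as the author understands it (cve.id, metrics.cvssMetricV31, weaknesses,
configurations -> nodes -> cpeMatch). All ids, vendors, products and versions are
constructed placeholders, not real advisories.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Component:
    supplier: str   # the third party that ships this software to you
    vendor: str     # CPE vendor field
    product: str    # CPE product field
    version: str


@dataclass
class Finding:
    cve_id: str
    score: Optional[float]   # CVSS v3.1 base score; None while NVD has not analysed the record
    severity: str
    cwes: list = field(default_factory=list)
    matches: list = field(default_factory=list)   # raw cpeMatch entries from the record


def parse_version(text: str) -> tuple:
    """Dotted numeric versions only; real CPE data needs a fuller comparator."""
    return tuple(int(p) for p in text.split("."))


def cpe_fields(criteria: str) -> tuple:
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... -> (vendor, product, version)."""
    parts = criteria.split(":")
    return parts[3], parts[4], parts[5]


def version_in_range(version: str, match: dict) -> bool:
    """Apply the optional versionStart*/versionEnd* bounds of a cpeMatch entry."""
    v = parse_version(version)
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def component_is_affected(component: Component, match: dict) -> bool:
    """True when one cpeMatch entry covers this component's vendor, product and version."""
    if not match.get("vulnerable", False):
        return False
    vendor, product, version = cpe_fields(match["criteria"])
    if (vendor, product) != (component.vendor, component.product):
        return False
    if version != "*":  # an explicit version in the criteria means an exact match
        return parse_version(version) == parse_version(component.version)
    return version_in_range(component.version, match)


def extract_finding(record: dict) -> Finding:
    """Pull score, severity, CWE ids and CPE match entries out of one NVD-style record."""
    cve = record["cve"]
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    data = metrics[0]["cvssData"] if metrics else {}
    cwes = [d["value"] for w in cve.get("weaknesses", [])
            for d in w.get("description", []) if d.get("lang") == "en"]
    matches = [m for cfg in cve.get("configurations", [])
               for node in cfg.get("nodes", []) for m in node.get("cpeMatch", [])]
    return Finding(cve["id"], data.get("baseScore"), data.get("baseSeverity", "UNKNOWN"), cwes, matches)


def prioritize(records: list, inventory: list) -> list:
    """Return (Finding, Component) pairs for affected components, highest CVSS first.
    Unscored records sort last but are kept: 'not yet rated' is not 'harmless'."""
    hits = []
    for record in records:
        finding = extract_finding(record)
        for component in inventory:
            if any(component_is_affected(component, m) for m in finding.matches):
                hits.append((finding, component))
    hits.sort(key=lambda fc: (fc[0].score is None, -(fc[0].score or 0.0)))
    return hits


def make_record(cve_id, criteria, score=None, severity=None, cwe=None, **bounds) -> dict:
    """Build a constructed NVD-style record (placeholder data, not a real advisory)."""
    cve = {"id": cve_id, "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": criteria, **bounds}]}]}]}
    if score is not None:
        cve["metrics"] = {"cvssMetricV31": [{"cvssData": {"baseScore": score, "baseSeverity": severity}}]}
    if cwe:
        cve["weaknesses"] = [{"description": [{"lang": "en", "value": cwe}]}]
    return {"cve": cve}


# Constructed sample records; CVE-0000-0000N ids are placeholders.
SAMPLE_RECORDS = [
    make_record("CVE-0000-00001", "cpe:2.3:a:examplevendor:widgetlib:*:*:*:*:*:*:*:*",
                score=9.8, severity="CRITICAL", cwe="CWE-787",
                versionStartIncluding="2.0.0", versionEndExcluding="2.4.1"),
    make_record("CVE-0000-00002", "cpe:2.3:a:othervendor:gadget:1.0.0:*:*:*:*:*:*:*",
                score=5.3, severity="MEDIUM", cwe="CWE-200"),
    # Published but not yet analysed by NVD: no CVSS metrics and no CWE yet.
    make_record("CVE-0000-00003", "cpe:2.3:a:examplevendor:widgetlib:*:*:*:*:*:*:*:*"),
]

# Constructed third-party inventory: what each supplier actually runs or ships.
SAMPLE_INVENTORY = [
    Component("Supplier A", "examplevendor", "widgetlib", "2.3.0"),  # inside the vulnerable range
    Component("Supplier B", "examplevendor", "widgetlib", "2.4.1"),  # first fixed version
    Component("Supplier C", "othervendor", "gadget", "1.0.0"),
]

if __name__ == "__main__":
    for finding, component in prioritize(SAMPLE_RECORDS, SAMPLE_INVENTORY):
        print(f"{finding.cve_id} {finding.severity:<8} {finding.score!s:<5} "
              f"{component.supplier}: {component.product} {component.version} {finding.cwes}")
```

Running it ranks Supplier A’s unpatched widgetlib (critical) first, Supplier C’s gadget (medium) second, and lists both widgetlib suppliers again under the unscored record at the bottom, while Supplier B’s fixed 2.4.1 build is correctly excluded from the critical finding. In practice the version comparator would need to cope with non-numeric version strings and the `operator`/`negate` fields on configuration nodes, which this example deliberately leaves out.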
At Panorays, we help your organization close security gaps in a myriad of ways, but one of the simplest and most important benefits we offer: third-party patch management. If any of your suppliers overlooks a key patch—and our research shows that this happens frequently—we’ll identify the problem and sound the alarm. Vendor security failures shouldn’t compromise your system, and now they don’t have to.
How Panorays Can Help
The National Vulnerability Database carries a heavy load and every organization should pay attention to the information recorded there. But your security strategy cannot stop there. That’s why, if you’re ready to take your organization’s security to the next level, it’s time to utilize Panorays’ automated, comprehensive and easy-to-use third-party security platform.
Contact us today to set up a demo and learn what comprehensive third-party security looks like in action. With CVEs on the rise, you can’t be too careful—and you can’t afford not to work with Panorays.