Beyond CVE: The hunt for other sources of vulnerability intel

Current alternatives include diverse vendor sources. Independent providers of aggregated vulnerability information such as Flashpoint, VulnCheck, Tenable, BitSight and others are another option. Many of these vendors offer curated datasets that capture vulnerabilities often missed or delayed by CVE, Lefkowitz points out. They also offer critical context such as exploitability, ransomware risk, and social risk.

“To operationalize this intelligence, organizations must rethink how they process and respond to vulnerabilities,” Lefkowitz says. That starts with decoupling workflows from rigid dependencies on CVE/NVD and ensuring their security tools can handle vendor-specific vulnerability identifiers if needed. “Risk prioritization should be threat-informed, factoring in exploit code availability, asset exposure, and even ransomware targeting likelihood,” Lefkowitz noted. Security decision makers should consider vulnerability platforms that integrate directly into their SIEMs, SOARs, patching tools and ticketing systems, he advises.

There are other options for organizations to diversify their sources of vulnerability information, including vendor advisories, GitHub disclosures, and platforms like HackerOne or Bugcrowd, which frequently publish vulnerabilities, sometimes before the details make it into a formal database like CVE.

Software vendors like Oracle, Microsoft, and Red Hat routinely publish cybersecurity bulletins for their software, Mackey from BlackDuck says. Similarly, GitHub maintains a repository of vulnerability information known as the GitHub Advisory Database, and there are several regional vulnerability databases in Australia, the EU, Japan, and China that organizations can tap as well, Mackey says. Examples include AusCERT, VulDB, JPCERT/CC, and CNNVD.
Consider also providers of Software Composition Analysis (SCA) tools, who often augment NVD data to create their own security advisories, Mackey says. “Of course, there are many different application security testing techniques such as static application security testing, interactive application security testing, and fuzzing that can be used to identify vulnerabilities that were never disclosed,” he says. “Each of these options is valuable, but when combined with each other, a complete view of application risks due to cybersecurity can be obtained.”

CISA’s catalog of Known Exploited Vulnerabilities (KEV) is another useful, and in the case of US federal agencies, mandated, resource for vulnerability data. The catalog is a list of exploited cybersecurity vulnerabilities that pose a risk to government and critical infrastructure organizations. Its primary use case is to guide them in identifying and remediating high-risk vulnerabilities that pose an immediate threat. Once CISA enters a vulnerability in KEV, US civilian federal agencies have a strict deadline within which they have to remediate the flaw or discontinue use of the affected product until they can remediate it. Though its intended audience is relatively narrow, any organization can use KEV to prioritize patching efforts.

The key, though, is keeping expectations in check. The CVE program’s core functions include providing a common taxonomy and nomenclature for scoring and rating vulnerabilities in terms of risk. If the security community were to lose the program, researchers and bug hunters would no longer be speaking a common language when categorizing and rating security vulnerabilities, warns Ben Radcliff, senior director, cyber operations at Optiv.
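As an added illustration of the two practical points above, decoupling from CVE-only identifiers and threat-informed prioritization using KEV, the script below is example code written for this page, not from the article or from any vendor it names. It merges constructed records shaped like CISA KEV and GitHub Advisory Database entries plus a hypothetical vendor feed, joins them on any shared identifier rather than on the CVE ID alone, and ranks them by KEV presence, known ransomware use, public exploit code and asset exposure. The KEV and GHSA field names are real; the vendor feed layout, the score weights and every value are assumptions.

```python
WEIGHTS = {"kev": 100, "ransomware": 50, "exploit": 30, "exposed": 20}  # assumed weights

# Constructed sample feeds, not real advisories. Field names follow the CISA KEV
# JSON feed and GitHub Advisory Database records; every value is made up.
KEV = [{"cveID": "CVE-0000-0001", "product": "libexample", "dueDate": "2025-06-01",
        "knownRansomwareCampaignUse": "Known"}]
GHSA = [{"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "aliases": ["CVE-0000-0001"], "package": "libexample"},
        {"ghsa_id": "GHSA-xxxx-xxxx-xxx2", "aliases": [], "package": "otherlib"}]
VENDOR = [{"id": "VENDOR-0001", "aliases": [], "product": "widgetd", "exploit_public": True}]
EXPOSED = {"libexample", "widgetd"}  # constructed inventory of internet-facing products


def _record(ids, product, flags, exposed, due=None):
    """Normalise one feed entry; the identifier set is the join key, not the CVE."""
    if product in exposed:
        flags = flags | {"exposed"}
    return {"ids": set(ids), "flags": set(flags), "due": due}


def _merge(records):
    """Union records sharing any identifier: a GHSA entry aliased to a CVE joins the
    KEV entry for that CVE, while a vendor ID with no alias stays on its own."""
    merged = []
    for rec in records:
        for hit in [m for m in merged if m["ids"] & rec["ids"]]:
            merged.remove(hit)
            rec["ids"] |= hit["ids"]
            rec["flags"] |= hit["flags"]
            rec["due"] = min(filter(None, [rec["due"], hit["due"]]), default=None)
        merged.append(rec)
    return merged


def build_queue(kev, ghsa, vendor, exposed):
    """Rank merged vulnerabilities by a threat-informed score, highest first."""
    recs = []
    for v in kev:
        flags = {"kev", "ransomware"} if v["knownRansomwareCampaignUse"] == "Known" else {"kev"}
        recs.append(_record([v["cveID"]], v["product"], flags, exposed, v["dueDate"]))
    for g in ghsa:
        recs.append(_record([g["ghsa_id"], *g["aliases"]], g["package"], set(), exposed))
    for x in vendor:
        flags = {"exploit"} if x["exploit_public"] else set()
        recs.append(_record([x["id"], *x["aliases"]], x["product"], flags, exposed))
    queue = []
    for r in _merge(recs):
        score = sum(WEIGHTS[f] for f in r["flags"])
        queue.append({"ids": sorted(r["ids"]), "flags": sorted(r["flags"]), "due": r["due"], "score": score})
    # Highest score first; among equals, the earliest KEV due date first, undated last.
    return sorted(queue, key=lambda r: (-r["score"], r["due"] or "9999-12-31"))
```

Calling `build_queue(KEV, GHSA, VENDOR, EXPOSED)` puts the KEV-listed, ransomware-linked, exposed item first with its remediation deadline, the vendor-only finding with public exploit code second, and the unexposed GHSA entry with no alias last.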
Any lack of cohesion and transparency in publishing known security vulnerabilities would likely lead to slower, inconsistent responses to threats from security teams, particularly when presented with zero-day vulnerabilities, Radcliff says. “The primary barrier to standing up a CVE alternative would be regaining consensus from the entire global security community,” he predicts. “CVE is long-established and well respected and so has had a lot of history in building trust in the fidelity of its collected findings. Any post-CVE approach would be likely to remain decentralized and inconsistent for the foreseeable future.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4008708/beyond-cve-the-hunt-for-other-sources-of-vulnerability-intel.html
