What is CVE, CWE and NVD
Subramanny Kadawadkar
SOC| SIEM | SOAR | Splunk | Raw logs | Alert and Analysis | Incident Response | Threat Intelligence | Vulnerability Assessment | Compliance | Malware Analysis | OWASP | MITRE Attack | CORTEX XSOAR | Cyber Security
What is a vulnerability?
A vulnerability is a weakness which can be exploited in a cyber-attack to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access system memory, install different types of malware and steal, destroy or modify sensitive data.
What is CVE?
CVE, or Common Vulnerabilities and Exposures, is a publicly released list of known computer security threats. A catalog of vulnerabilities in software products provides a reference point to identify and manage potential risks.
Importance of CVE:
Using CVE, software developers and security teams can recognize and track vulnerabilities in a consistent, standardized way. It allows them to quickly reference a vulnerability in security advisories, patches, and other communications. It ultimately helps to improve the speed and effectiveness of vulnerability management and mitigation, making it easier to protect systems and data from potential attacks.
CVE Example:
A software developer finds a security hole in their program that allows intruders to access protected data without permission.
They report it through the appropriate channel and obtain a CVE ID, such as "CVE-2021-12345". The entry is published on the CVE List, and the ID can then be used to track and refer to the vulnerability in security bulletins, updates, and other messages.
What is CWE?
CWE, or Common Weakness Enumeration, is a collection of standardized names and descriptions for common software weaknesses.
It categorizes weaknesses based on their type and scope, providing a framework for discussing and addressing software security threats. CWE also includes mappings to other vulnerability databases, such as CVE.
CVEs refer to the actual vulnerabilities, while CWEs refer to the underlying weaknesses that can lead to those vulnerabilities.
Importance of CWE:
Using CWE, software engineers and security personnel can categorize and understand the types of software flaws they face, which lets them prioritize and tackle the most critical weaknesses first. It also provides a common language for discussing and describing software weaknesses, which helps to improve communication and collaboration between different teams and organizations.
CWE Example:
A security analyst is analyzing the source code of a program and finds that it is using a weak encryption protocol that an intruder could easily break.
They assign a CWE label to the issue, such as "CWE-327: Use of a Broken or Risky Cryptographic Algorithm". This labeling offers a shared terminology for characterizing the vulnerability and enables others to comprehend the extent of the hazard and its potential consequences. You can see the complete list of CWE labels and specifications on the MITRE website.
For reference, CWE-79 is "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')".
What is NVD?
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
Originally created in 1999 as the Internet Categorization of Attacks Toolkit (ICAT), the NVD has undergone multiple iterations and improvements and will continue to do so to deliver its services. The NVD is a product of the NIST Computer Security Division, Information Technology Laboratory.
The NVD performs analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with analysis of CVEs by aggregating data points from the description, the references supplied, and any supplemental data that can be found publicly at the time. This analysis results in the association of impact metrics (Common Vulnerability Scoring System - CVSS), vulnerability types (Common Weakness Enumeration - CWE), and applicability statements (Common Platform Enumeration - CPE), as well as other pertinent metadata. The NVD does not actively perform vulnerability testing; it relies on vendors, third-party security researchers, and vulnerability coordinators to provide the information that is then used to assign these attributes. As additional information becomes available, CVSS scores, CWEs, and applicability statements are subject to change. The NVD endeavors to re-analyze CVEs that have been amended, as time and resources allow, to ensure that the information offered is up to date.
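The three pieces above fit together in practice: a CVE ID names the vulnerability, a CWE names the underlying weakness, and NVD analysis attaches CVSS, CWE and CPE data to the CVE. The following is an added example, not part of the original article, that validates CVE ID syntax, maps a CVSS v3 base score to the NVD's qualitative severity bands, and pulls those analysis attributes out of a constructed record whose shape is modelled on (and assumed to match) the NVD 2.0 API response; the CVE ID and CWE are the article's own example identifiers, and the vendor, product and CPE string are made up.

```python
import json
import re

# CVE IDs are "CVE-<year>-<sequence>"; the sequence is at least four digits and may be longer.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# NVD qualitative severity ranges for CVSS v3.x base scores (upper bound of each band).
SEVERITY_BANDS = [(0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH"), (10.0, "CRITICAL")]

# Constructed record (assumption: shape follows the NVD 2.0 API); not real NVD data.
SAMPLE_RECORD = json.loads("""
{"vulnerabilities": [{"cve": {
  "id": "CVE-2021-12345",
  "descriptions": [{"lang": "en", "value": "Constructed example: a broken cipher exposes protected data."}],
  "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
  "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}]}],
  "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true,
      "criteria": "cpe:2.3:a:example_vendor:example_app:1.0:*:*:*:*:*:*:*"}]}]}]
}}]}
""")


def is_valid_cve_id(cve_id: str) -> bool:
    return bool(CVE_ID_RE.match(cve_id))


def cvss_severity(score: float) -> str:
    # Reject out-of-range scores rather than silently mapping them to a band.
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    return "CRITICAL"


def summarize(record: dict) -> list:
    """Extract the attributes NVD analysis attaches to each CVE: CVSS score, CWE ids, vulnerable CPEs."""
    out = []
    for item in record.get("vulnerabilities", []):
        cve = item["cve"]
        if not is_valid_cve_id(cve["id"]):
            raise ValueError(f"malformed CVE id: {cve['id']}")
        scores = [m["cvssData"]["baseScore"] for m in cve.get("metrics", {}).get("cvssMetricV31", [])]
        cwes = sorted({d["value"] for w in cve.get("weaknesses", []) for d in w["description"] if d["value"].startswith("CWE-")})
        cpes = [m["criteria"] for c in cve.get("configurations", []) for n in c["nodes"] for m in n["cpeMatch"] if m.get("vulnerable")]
        base = max(scores) if scores else None  # a CVE may carry no v3.1 metric yet (awaiting analysis)
        out.append({"id": cve["id"], "cvss": base, "severity": cvss_severity(base) if base is not None else "UNKNOWN", "cwes": cwes, "cpes": cpes})
    return out
```

A record with no CVSS metric yields severity "UNKNOWN", which is the state of a freshly published CVE the NVD has not yet analyzed.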
Conclusion:
By now it should be clear that vulnerabilities come in various forms and can be classified by severity. Common issues such as insecure software configuration or missing patches can be mitigated by following security best practices. However, the fact remains that vulnerabilities exist, and there is no way to avoid them completely. What matters is how quickly an organization or developer responds to them and how quickly they can mitigate them.
#senselearner