Saturday, May 6, 2023

The NVD train is moving. Time to get on board!


Last Friday, I described in a post the meeting that the SBOM Forum had that day with the team at NIST that runs the National Vulnerability Database (NVD). The most interesting development in that meeting, from my perspective, was that not only were the NIST people interested in making improvements to the NVD like those we’re requesting, but they suggested to us that we investigate forming a public-private partnership of some sort to help implement these improvements – since they admitted they can’t consider any suggestions now that would require additional funding on their part.

We honestly hadn’t been thinking in those terms, but the idea of partnership makes a lot of sense. The fact is that the NVD’s shortcomings are costing the worldwide software industry – both from the software developer side and the software user side – many millions of dollars every year, if not every day. Moreover, they’re seriously inhibiting distribution to, and use of, SBOMs by organizations whose primary business isn’t developing software (which I call “end user organizations”). Once we have determined what we want to accomplish as well as what is feasible, we shouldn’t have a lot of trouble marshalling whatever resources are required for that.

One area we’re starting to discuss is especially interesting. A UK developer named Anthony Harrison, who is an active member of the SBOM Forum, recently pointed out some important facts:

1. The NVD is by far the most widely used vulnerability database worldwide.

2. Currently, even though there is heavy use of the NVD in Europe and Japan (and growing use in other parts of the world), every bit exchanged between a user in, say, Germany and the servers that house the NVD (based in the DC area) must travel across the Atlantic Ocean. Performance and reliability could be greatly improved in Europe and Asia by implementing some local presence such as a content delivery network (although there are other technologies that will achieve the same purpose – this problem has been solved many times before, for much larger databases).

3. Because their citizens are increasingly using the NVD and noticing the performance problems, governments are feeling pressured to implement their own vulnerability databases. The governments of the UK and Japan, as well as others, are already preparing tenders (American translation: RFPs) to create their own national databases.

4. As SBOMs start to be widely used by end user organizations, the performance problems will only increase. Currently, SBOMs are being heavily used by software developers to identify and manage vulnerabilities in products they’re developing. In fact, just one open source tool is being used over 300 million times a month (or, if you will, 10 million times a day) to search for vulnerabilities present in the components in an SBOM – although that use is almost entirely by developers. When end user organizations start using SBOMs en masse, these numbers will seem laughably small.

It would be a literal tragedy if several major governments felt they had to create their own national vulnerability databases, simply because their citizens were telling them that was the only way they’ll be able to get reasonable performance for their vulnerability searches. If anything is universal, it’s software vulnerabilities. The vulnerabilities faced by a software company in Japan are almost the same as those faced by an end user organization in France. There should be no need for multiple countries to have their own national vulnerability databases.

Meanwhile, what would happen if those countries didn’t implement their own databases and instead invested just a fraction of what they would have spent on their own database in improving the NVD? Of course, that will require the NVD to take responsibility for improving the NVD’s performance and reliability worldwide, as well as fixing the many problems that led our group to approach NIST in the first place. My guess – optimistic fellow that I am – is that it would be eminently possible to structure a deal where all the countries concerned would individually invest far less money, yet end up with a single great database that is easily accessible worldwide - versus a number of barely adequate national databases that are constantly falling behind for lack of funding.

What would it take to make the NVD a great database? I’m glad you asked. In last week’s post, I provided a list of NVD improvements we were looking for when we met with NIST. Now, we have expanded that list and made it available in a Google Doc. We invite anyone to make comments and enter changes (they will initially be “suggestions”, pending approval. If we don’t want to include what you suggested, we’ll let you know why). We’ll look forward to seeing your suggestions!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
