Last Friday, I described in a post
the meeting that the SBOM Forum had that day with the team at NIST that runs
the National Vulnerability Database (NVD). The most interesting development in
that meeting, from my perspective, was that not only were the NIST people interested
in making improvements to the NVD like those we’re requesting, but they
suggested to us that we investigate forming a public-private partnership of
some sort to help implement these improvements – since they admitted they can’t
consider any suggestions now that would require additional funding on their
part.
We honestly hadn’t been thinking
in those terms, but the idea of partnership makes a lot of sense. The fact is
that the NVD’s shortcomings are costing the worldwide software industry – both from
the software developer side and the software user side – many millions of dollars
every year, if not every day. Moreover, they’re seriously inhibiting distribution
to, and use of, SBOMs by organizations whose primary business isn’t developing
software (which I call “end user organizations”). Once we have determined what we
want to accomplish as well as what is feasible, we shouldn’t have a lot of
trouble marshalling whatever resources are required for that.
One area we’re starting to discuss
is especially interesting. A UK developer named Anthony Harrison, who is an
active member of the SBOM Forum, recently pointed out some important facts:
1. The NVD is by far the most widely used vulnerability database worldwide.
2. Currently, even though there is heavy use of the NVD in Europe and Japan (and growing use in other parts of the world), every bit exchanged between a user in, say, Germany and the servers that house the NVD (based in the DC area) must travel over the Atlantic Ocean. Performance and reliability could be greatly improved in Europe and Asia by implementing some local presence such as a content delivery network (although there are other technologies that will achieve the same purpose; this problem has been solved many times before, for much larger databases).
3. Because their citizens are increasingly using the NVD and noticing the performance problems, governments are feeling pressured to implement their own vulnerability databases. The governments of the UK and Japan, as well as others, are already preparing tenders (American translation: RFPs) to create their own national databases.
4. As SBOMs start to be widely used by end user organizations, the performance problems will only increase. Currently, SBOMs are being heavily used by software developers to identify and manage vulnerabilities in products they’re developing. In fact, just one open source tool is being used over 300 million times a month (or, if you will, 10 million times a day) to search for vulnerabilities present in the components in an SBOM, although that use is almost entirely by developers. When end user organizations start using SBOMs en masse, these numbers will seem laughably small.
It would be a literal tragedy if several
major governments felt they had to create their own national vulnerability
databases, simply because their citizens were telling them that was the only
way they’ll be able to get reasonable performance for their vulnerability
searches. If anything is universal, it’s software vulnerabilities. The
vulnerabilities faced by a software company in Japan are almost the same as
those faced by an end user organization in France. There should be no need for multiple
countries to have their own national vulnerability databases.
Meanwhile, what would happen if
those countries didn’t implement their own databases and instead invested just
a fraction of what they would have spent on their own database in improving the
NVD? Of course, that will require the NVD to take responsibility for improving the
NVD’s performance and reliability worldwide, as well as fixing the many
problems that led our group to approach NIST in the first place. My guess –
optimistic fellow that I am – is that it would be eminently possible to structure
a deal where all the countries concerned would individually invest far less
money, yet end up with a single great database that is easily accessible worldwide,
rather than a number of barely adequate national databases that are constantly
falling behind for lack of funding.
What would it take to make the NVD
a great database? I’m glad you asked. In last week’s post, I provided a list of
NVD improvements we were looking for when we met with NIST. Now, we have
expanded that list and made it available
in a Google Doc. We invite anyone to make comments and enter changes (they will
initially be “suggestions” pending approval; if we don’t want to include what
you suggested, we’ll let you know why). We look forward to seeing your
suggestions!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would
like to comment on what you have read here, I would love to hear from you.
Please email me at tom@tomalrich.com.