Many organizations in the software supply chain security community have assumed for years that the National Vulnerability Database (NVD), despite its various problems, is the de facto international standard for vulnerability databases. They also believe it can be relied on going forward to be the “bread and butter” database that meets most of the needs for most of the organizations involved with the community. However, the seeming inability of the NVD to fulfill that role since mid-February 2024, and the fact that there hasn’t even been an attempt to explain what the problem is, have made it clear this is no longer a good assumption.
In the wake of this event, there are three questions that need
to be answered. The Vulnerability Database Project of the OWASP SBOM Forum
proposes to develop answers to these three questions, based on discussions that
will be open to all parties concerned with software supply chain security in
general and vulnerability management in particular. If you would like to participate
in weekly discussions and help create a document addressing the first two of these
questions, and/or if your organization can support this effort through a
donation to OWASP (a 501(c)(3) non-profit corporation), please drop me an email
at tom@tomalrich.com.
The first question is, “What options are available
for NVD users, both to replace services they have been counting on from the NVD
and to go beyond what the NVD has traditionally offered?” There are many other
vulnerability databases available, both free and for charge. These provide one
or more services that the NVD has provided, but also go beyond the NVD in
various ways. Questions include:
1.
What are these other databases?
2.
How do their offerings map to what the NVD has
been offering?
3.
What are their offerings that go beyond the NVD?
4.
In what ways do they differ from the NVD, for
example in vulnerability identifiers supported (CVE, OSV, GitHub Security
Advisories, etc.), software identifiers supported (CPE, purl, or other), and types
of products supported (open source software projects, proprietary products, intelligent
devices – as well as sub-categories of these)?
5.
Given that most of these alternative databases
do not cover the entire range of what the NVD covers, how can NVD users “mix
and match” the different offerings so that, depending on their individual
needs, they end up with at least the same level of functionality they
previously received from the NVD and hopefully a lot more? And without ending
up with a hopeless mishmash of incompatible vulnerability data?
6.
Given that the CVE.org database is the original
source of most of the data in the NVD and that its infrastructure is much more
robust and modern than the NVD’s, how hard would it be for current NVD users to
switch over to using CVE.org as their primary vulnerability database – as one
major NVD user has recently done? What could be added to CVE.org to facilitate
this switch, such as a more end-user-friendly front end? What would be the
advantages of using CVE.org over the NVD, including much-sooner support for purl
and the fact that the originators of all CVE data – the 300+ CVE Numbering
Authorities (CNAs) – are part of CVE.org?
The second question is, “What steps should the US
government take with respect to this problem? These might include:
1.
Doing nothing and hoping the NVD has a
miraculous recovery.
2.
Actively investing in the NVD’s infrastructure,
which will probably require a complete rebuild from scratch.
3.
In place of the current situation, in which the
NVD is the primary vulnerability database and CVE.org is just an “alternate
data provider (ADP)” to the NVD, turn this situation around so that CVE.org is
the primary database and the NVD is an ADP.
4.
Get out of the vulnerability database business
and leave that to the private sector, while maintaining CVE.org as by far the
leading provider of vulnerability data – including investing heavily in the
CNAs, given their irreplaceable role in the vulnerability identification
process worldwide.
The third question is, “What is the best long-term
solution to the vulnerability database problem worldwide?" While there can
be many views, Tom believes the following are “self-evident truths” (with
apologies to Thomas Jefferson):
1.
Requiring a single uber vulnerability database
(“One Database to Rule Them All”) that will somehow gather, harmonize and
synchronize data from all other databases is a concept whose time has come and
gone. There are many vulnerability databases operated in different ways by
different organizations. Let them all continue to operate as they always have.
Instead, there needs to be an AI-powered central “switching hub”, which might
be called the Global Vulnerability Database (GVD). Queries to the GVD could use
any major type of software and vulnerability identifier; the hub would route
each query to the most appropriate database or databases and route the
response(s) back to the end user. It would also harmonize the responses when
needed.
2.
Of course, the GVD needs to be a truly global
effort. It cannot be under the control of any single government or private
sector organization, although all governments and organizations will be welcome
to contribute to it (Tom believes that raising funds to create and maintain
this “database” won’t be hard at all, given that nobody but US taxpayers is
currently allowed to contribute to the NVD. It isn’t at all surprising that the
NVD is chronically underfunded, despite being used worldwide).
3.
Developing the GVD will require a nonprofit
organization to manage the process. When (and if) the GVD is running smoothly, operation
of the database might be turned over to an organization like the Internet
Assigned Numbers Authority (IANA), which manages IP addresses and DNS. Otherwise,
the nonprofit organization would continue to operate the GVD in perpetuity.
The SBOM Forum Vulnerability Database Project will initially
focus on the first two questions. The group will collaborate on one or more
documents to answer these questions. Rather than wait until the documents are
complete, the group will publish a current draft every two months, to maintain
interest in the project among the software security community and to invite
feedback on the work so far.
When the first two questions are answered and the results
have been published, the group can start work on the third question. Since the
end result of that effort might be a workable design for the GVD, that effort
could easily take multiple years.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
My book "Introduction to SBOM and VEX"
is now available in paperback
and Kindle versions! For background on the book and the link to order it,
see this post.
No comments:
Post a Comment