NIST relaunches database of IT vulnerabilities

The National Institute of Standards and Technology has completely rewritten its old ICAT vulnerability Web site and relaunched it as the National Vulnerability Database, a more timely and comprehensive source of information about IT security threats.The new database () was launched last month and is funded by the Homeland Security Department. It incorporates the Common Vulnerabilities and Exposures search engine, a standardized naming scheme for IT vulnerabilities developed by Mitre Corp. of Bedford, Mass., and supported by DHS. NVD also integrates other government resources, such as alerts and advisories from US-CERT.Peter Mell, senior computer scientist at NIST's computer security division, said the database's predecessor was not filling the need for up-to-date security data.'ICAT had become an archival tool for CVE standard vulnerabilities and was only updated every three or four weeks,' Mell said. 'That is great for an archival tool, but for a vulnerability database, it's just rotten.'NVD synchronizes with CVE every four or five minutes.'We get the raw data from them and immediately post it,' Mell said. Within hours, the new data is analyzed and evaluated by NIST computer scientists.'It's an excellent extension of CVE,' said Steve Christey, information security engineer at Mitre and editor of the CVE list. 'It addresses a lot of needs people have been looking to CVE for' but that CVE was not intended to serve.CVE was launched in 1999 to provide a standard scheme for naming and describing IT security vulnerabilities. Without a standard language, researchers, vendors of security products and security professionals had no way to accurately discuss and compare vulnerabilities that were being discovered in increasingly greater numbers. End users of security products had no sure way of knowing just what vulnerabilities those products addressed.Today, most vendors and re- searchers reference CVE names and descriptions, and some 200 security products use the CVE scheme. The CVE list now contains about 12,000 unique names, but it is maintained only as a dictionary. 'A lot of people try to use it like a vulnerability database, but it's not,' Christey said.ICAT originally served as the vulnerability database. Mell said he began work on ICAT seven years ago and that the name originally stood for Internet Catalog of Attacks Toolkit. When the standard vulnerability naming scheme came out, he adjusted the database to conform to CVE, but the original name stuck.'So the name ICAT today has no meaning,' he said.As the pace of new vulnerabilities picked up, ICAT became inadequate as a source of information. DHS had a mandate to provide public information about IT vulnerabilities, and in July 2004 the department's National Cyber Security Division promised funding to upgrade ICAT.When that funding was delayed, 'I thought, let's just do it,' Mell said. He sat down in August of last year and read about five books on programming.Mell said he did about 90 percent of the programming for the project himself. 'It was a lot of fun, but I don't want to be a full-time coder,' he said.DHS funding for the project came through in time to pay for analysts who keep the NVD up-to-date.NVD is a collection of 36 programs with a database back end and a Web-browser front end. For the first time, all government public IT security resources are searchable through a single search engine by vulnerability, attributes, vendor or product. It also includes a statistical engine that can graph and chart the frequency and number of vulnerabilities over time for any company or product.The statistical program is not perfect, Mell warns. 'We have trouble with Linux.'The open-source operating system consists of a kernel and a multitude of distributions containing different features that complicate the job of creating an application that works with all of them. 'The result is that our statistical engine has a little difficulty with Linux.'The National Vulnerability Database has completely replaced ICAT, whose pages were redirected to the NVD site in mid-July. Before NIST announced the switch in August, news of the change spread by word of mouth and the new database has received more than 500,000 hits in its first weeks of operation.'I've gotten a lot of nice feedback,' Mell said. 'The only complaints I've gotten are how it provides the RSS and XML feeds,' and he has received some suggestions for improving those capabilities.About 20 percent of NVD's visitors are from the .gov and .mil domains. Mell said the target audience is system administrators, IT security operations staffs and security companies that map their products to CVE.'It's certainly targeted toward the entire world, not just government,' he said.