
NIST's Vuln Database Downshifts, Prompting Questions About Its Future


Since 2005, the National Vulnerability Database (NVD) has been publishing details about the hundreds of common vulnerabilities and exposures (CVEs) that security researchers around the world discover. But last month, the government-backed database went from being an essential tool to one that has nearly gone dark.

That was when the NVD posted a cryptic announcement on its website saying that users "will temporarily see delays in [our] analysis efforts" as the National Institute of Standards and Technology (NIST) implements improved tools and methods. No other explanation was forthcoming.

The freeze is not across the board: a small percentage of CVEs are still being written up by NIST, but not at the pace seen in previous years. That puts enterprise security managers on the hook to stay on top of new threats themselves.

The CVE model is built on 365 partners (CVE Numbering Authorities) that collect threats, roughly half of them based in the US, including a variety of software vendors, bug bounty operators, and independent research firms. Each participant submits new threats according to a careful schema to ensure that new entries are unique. Since the start of the year, more than 6,000 new CVEs have been submitted.

But for some unexplained reason, roughly half of these have been left without any details in the NVD: the details that make vulnerability data usable for enterprise security managers and for the many vulnerability management tools that can help prevent potential damage from attackers.

One of those tools is Tenable's Nessus vulnerability scanner. Its researchers point out that NIST's NVD provides additional context for each vulnerability, context that can determine whether a threat is critical and needs immediate patching, or whether it could affect a wide range of applications and systems.
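The enrichment the preceding paragraphs describe is visible in the NVD's own records: an analyzed entry carries a NIST-assigned CVSS score (type "Primary") and CPE configurations naming the affected software, while an unenriched entry sits in "Awaiting Analysis" with, at most, a CNA-supplied "Secondary" score. The following is an added example, not code from the article, Tenable, or NIST. It assumes the NVD API 2.0 JSON layout (`cve.vulnStatus`, `cve.metrics.cvssMetricV31`, `cve.configurations`), and the three records it parses are constructed for illustration, not real CVEs.

```python
"""Flag NVD API 2.0 records that have not received NIST enrichment.

Added example, not from the article or from NIST. It assumes the documented
NVD API 2.0 JSON layout (cve.vulnStatus, cve.metrics.cvssMetricV31,
cve.configurations); the three records below are constructed, not real CVEs.
"""
import json

# Constructed sample in the shape of a GET /rest/json/cves/2.0 response.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {  # fully enriched: NIST score plus CPE configuration
            "id": "CVE-2024-90001",
            "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en", "value": "Constructed: buffer overflow in example daemon."}],
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True, "criteria": "cpe:2.3:a:example:daemon:*:*:*:*:*:*:*:*",
                 "versionEndExcluding": "2.4.1"}]}]}],
        }},
        {"cve": {  # waiting on NIST, but the CNA supplied its own CVSS
            "id": "CVE-2024-90002",
            "vulnStatus": "Awaiting Analysis",
            "descriptions": [{"lang": "en", "value": "Constructed: SQL injection in example portal."}],
            "metrics": {"cvssMetricV31": [
                {"source": "cna@example.org", "type": "Secondary",
                 "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]},
        }},
        {"cve": {  # waiting on NIST with no severity or affected-product data at all
            "id": "CVE-2024-90003",
            "vulnStatus": "Awaiting Analysis",
            "descriptions": [{"lang": "en", "value": "Constructed: auth bypass in example gateway."}],
            "metrics": {},
        }},
    ]
})

# vulnStatus values that indicate NIST has finished (or revised) its analysis.
ENRICHED_STATUSES = {"Analyzed", "Modified"}


def enrichment_status(cve):
    """Summarise what NIST has, or has not, added to one CVE record."""
    metrics = cve.get("metrics") or {}
    cvss = metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or []
    primary = [m for m in cvss if m.get("type") == "Primary"]      # NVD's own score
    secondary = [m for m in cvss if m.get("type") == "Secondary"]  # CNA-supplied score
    cpes = [
        m["criteria"]
        for cfg in cve.get("configurations") or []
        for node in cfg.get("nodes", [])
        for m in node.get("cpeMatch", [])
        if m.get("vulnerable")
    ]
    status = cve.get("vulnStatus", "unknown")
    return {
        "id": cve["id"],
        "status": status,
        "nvd_score": primary[0]["cvssData"]["baseScore"] if primary else None,
        "cna_score": secondary[0]["cvssData"]["baseScore"] if secondary else None,
        "cpes": cpes,
        # Usable by a scanner only if NIST scored it AND named the affected products.
        "enriched": status in ENRICHED_STATUSES and bool(primary) and bool(cpes),
    }


def triage(response_json):
    """Split an NVD response into enriched records and ones still waiting."""
    enriched, waiting = [], []
    for item in json.loads(response_json)["vulnerabilities"]:
        summary = enrichment_status(item["cve"])
        (enriched if summary["enriched"] else waiting).append(summary)
    return enriched, waiting


def fallback_score(summary):
    """Best available severity: NIST's score, else the CNA's, else None."""
    return summary["nvd_score"] if summary["nvd_score"] is not None else summary["cna_score"]


if __name__ == "__main__":
    done, pending = triage(SAMPLE_RESPONSE)
    for s in done:
        print(f"{s['id']}: {s['status']}, CVSS {s['nvd_score']}, {len(s['cpes'])} CPE match(es)")
    for s in pending:
        print(f"{s['id']}: {s['status']}, best score {fallback_score(s)}, no CPE data; manual triage needed")
```

The `enriched` flag is deliberately strict: a CNA-supplied score alone lets you rank a record, but without CPE data a scanner still cannot tell whether you run the affected software, which is exactly the gap the article describes.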

Dan Lorenc, CEO of Chainguard, wrote a LinkedIn post last month describing the situation. "The [recent] CVE entries don't contain metadata about which software is affected," he wrote. "This is a big problem, and the lack of any real statement about the problem [from NIST] is concerning."

Lorenc is not alone in that sentiment. "This is a nationally critical data set," says Josh Bressers of Anchore, who also posted a comment about the situation earlier this month. "I would expect clear communication, because nobody knows anything. Everything is a mystery."

NIST representatives did not respond to requests for comment from Dark Reading.

Before the February freeze, NIST regularly updated each CVE with this useful metadata; sometimes those updates took weeks or months from the date of discovery to appear in the NVD entry. "However, as the industry has observed, waiting for NIST to enrich CVE records comes at a cost. With more CVEs being published every year, we now have more opportunities for software vendors to provide complete CVE records," the Tenable researchers say. Translated, that means someone else has to pick up the slack.

Morphisec, a security tools vendor, published a blog post describing the NVD situation earlier this month. "Smaller organizations are always chasing patches. The lack of metadata from the NVD means they lose quick wins, and it will reduce their overall security," says Michael Gorelik, CTO of Morphisec. "This means that potential business disruptions are inevitable, especially in the ransomware-rich environment we have today. This is a bigger and more immediate problem than the threats posed by GenAI."

Tom Pace, CEO of Netrise, says the freeze is a problem. "We no longer know the impact of a given vulnerability," he says. "This is not a good situation. This data set is relied on by many people around the world. This will make patching harder and slower." That means bad actors have more time to find their way into corporate networks.

One Alternative: MITRE Steps Up to Fill the Gap

NIST may be the agency responsible for the NVD, but a large part of the actual work product behind it comes from the well-known defense contractor MITRE, which maintains the CVE collection. Pace says, "It isn't rocket science; why doesn't MITRE pick up the slack? NIST has a small team anyway." He accuses MITRE of dropping the ball on its job and leaving security teams in the dark.

Dark Reading's requests for more information from MITRE were declined: "MITRE cannot speak on this topic at this time," a company representative says. Pace asks, "Can private industry sort this out for itself?"

The private sector has been working on alternatives to the NVD, to be sure. To that end, one security consultant noted on LinkedIn that "the NVD can't be fixed, and we should abandon it and fix both it and CVE together. The US government won't solve this, and solutions should be driven by private companies."

There are several other data sets that have been created over the decades. A few security vendors, such as Tenable, Qualys, and Ivanti, have built their own vulnerability collections containing additional metadata and other items to help prevent attacks. And there are several open source efforts that have been going on for years but recently gained more attention, thanks to the NVD freeze.

One open source effort comes from VulnCheck, which has its NVD++ collection. Another is the Open Vulnerability Database (OVD), from a variety of vendors including Google, SonarSource, GitHub, Snyk, and others. Both came about because of frustration among NVD users who wanted better automated querying of vulnerability data. NIST's NVD places rate limits on such queries, which both NVD++ and OVD have removed. Switching from NIST's NVD to either collection is not trivial and will require some programming effort and testing time.

Another effort comes from China, where several government agencies have combined to create their own vulnerability database. That could be bad news for the rest of the world, because there will be limits on what gets published, such as the absence of the proof-of-concept references found in the NVD and the open source efforts. Researchers speculate that this could lead to more Chinese zero-day attacks that, in effect, exploit these vulnerabilities.

Another Solution: A New Industry Consortium

The notice on the NVD website mentions a consortium that could run the database, although security researchers are skeptical. The statement was very thin on specifics, such as who would be part of the effort. Pace says, "We have been disclosing and enriching vulnerabilities by following the same process for years, and successfully. Why would we need a consortium now?" Bressers says a consortium is possible, but the devil will be in the details when it comes to building a more useful successor to the NVD. He notes that vulnerabilities continue to see significant growth and that any solution has to scale accordingly.

Finally, another complication with the NVD freeze is that it conflicts with reporting requirements from other parts of the federal government. The latest version, Rev. 5, of the Federal Risk and Authorization Management Program (FedRAMP) mandates that government contractors use the NVD as the authoritative source of threats. "It sounds like NIST is somehow trying to pull back on this program or spin it off, while other parts of the government are being forced to adopt it," Lorenc notes in his post. "What is going on here?"

Next week, vulnerability researchers will gather for the VulnCon conference in Raleigh, NC, where an "NVD symposium" is on the agenda. Perhaps more details will emerge then.
