Vulnerability Databases: The Holy Grail of Cybersecurity?
Known vulnerabilities in software are often registered in vulnerability databases.
Security relies on understanding the present and past vulnerabilities in your hardware and software stack. Responsible software and hardware vendors publish detailed information about known vulnerabilities. Remember, however, that the number of reported vulnerabilities for a product says nothing about its quality.
In fact, a lack of openly published vulnerabilities should raise suspicion: transparency about flaws is a hallmark of trustworthy and secure products, and a product with zero published vulnerabilities more often means that nobody has looked closely, or that findings are not disclosed, than that the product is flawless. Distrust products that have no openly published vulnerabilities.
Some common disadvantages to know about when using vulnerability databases:
Incomplete coverage: Most vulnerabilities in software are never registered in any vulnerability database: they are fixed silently, never found, or never reported. This is why security testing of software is vital. E.g. use Python Code Audit to check Python programs for weaknesses.
Delayed or outdated information: There is often a long delay between the discovery of a vulnerability and its registration, and an entry is not always updated when new details or affected versions become known. Often the delay is too long to be useful.
Severity scoring can be misleading: A generic score cannot know the context in which a product is used. Only you can judge the importance of a vulnerability in your environment, and only you know which other defensive measures are in place so that the good old security principle 'defence in depth' is implemented.
Registering a vulnerability is a complex process, and not everyone can register one. Many researchers and companies will never register a vulnerability in an 'official' database. Besides the barriers to registration, there are perverse incentives for not creating a public vulnerability record.
Some commonly known vulnerability databases are:
OSV - A distributed vulnerability database for Open Source. An open, precise, and distributed approach to producing and consuming vulnerability information for open source. OSV is a Google FOSS project to improve the security of FOSS projects; its records use the machine-readable OSV schema and can be queried through a public API.
Vulnerability Notes Database. Maintained by the CERT Coordination Center (CERT/CC), the Vulnerability Notes Database provides information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors.
National Vulnerability Database - US (aka NVD). The NVD of the US NIST organization is one of the world's largest vulnerability databases. Its shortcomings are well known, but there are few alternatives with the same reach. The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
CWE (Common Weakness Enumeration - CWE™) is a community-developed list of common software and hardware security weaknesses. Strictly speaking it is not a vulnerability database: it catalogues types of weaknesses (such as buffer overflows or missing input validation), not individual vulnerabilities, and records in the other databases listed here refer to CWE entries to classify the root cause of a vulnerability. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. Available on: http://cwe.mitre.org/
GitHub Advisory Database. The GitHub Advisory Database contains a list of known security vulnerabilities and malware, grouped in three categories: GitHub-reviewed advisories, unreviewed advisories, and malware advisories. The advisories are also published in the OSV format.
MISP - The Open Source Threat Intelligence Sharing Platform. A threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. Note that MISP is a sharing platform rather than a vulnerability database as such: it carries vulnerability information only when its users share it.
VulnerableCode: VulnerableCode is a free and open database of open source software package vulnerabilities that aggregates and correlates vulnerability data from many upstream sources. The VulnerableCode project is a FOSS community resource to help improve the security of the open source software ecosystem and its users at large.
The collection of vulnerability databases is incorporated in the Open Security Reference Architecture. If you are aware of other open vulnerability databases, please let me know!
Python Code Audit uses OSV to search for known vulnerabilities in Python packages. But preventing security issues means you MUST validate your Python programs for code weaknesses before using them: a clean OSV lookup only tells you that no registered vulnerability matches your dependencies, not that the code is free of weaknesses. Python Code Audit is open source, simple to use and free to use!
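To make the OSV entry above concrete, here is an added example (not code from Python Code Audit or from the OSV project) of what an OSV lookup for a Python package actually does: build the request body that the OSV API at https://api.osv.dev/v1/query expects, and evaluate an OSV-format advisory against an installed version. The advisory embedded below is constructed for illustration; its ID and package name are fictitious, and the version comparison is a deliberately simplified, stdlib-only stand-in for a full PEP 440 comparator.

```python
"""Offline check of a package version against an OSV-format advisory.

Added example, not part of Python Code Audit or OSV. It relies only on the
public OSV schema (ranges with 'introduced' / 'fixed' / 'last_affected' events)
and the shape of the api.osv.dev /v1/query request body. The record below is
constructed for demonstration: the ID and package do not exist.
"""
import json

# Constructed OSV-style record with a fictitious ID and package (NOT a real advisory).
# Two affected ranges: [1.0.0, 1.4.2) and [2.0.0, 2.1.0).
SAMPLE_OSV_RECORD = json.loads("""
{
  "id": "EXAMPLE-2024-0001",
  "summary": "Constructed example advisory for demonstration only",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}]},
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}
      ]
    }
  ]
}
""")


def build_osv_query(name: str, version: str, ecosystem: str = "PyPI") -> dict:
    """Request body for POST https://api.osv.dev/v1/query (built, not sent here)."""
    return {"package": {"name": name, "ecosystem": ecosystem}, "version": version}


def parse_version(v: str) -> tuple:
    """Simplified comparator: dotted numeric parts only, so '2.1' == '2.1.0'.
    Pre-releases and local versions are out of scope; real tooling should use
    packaging.version. Kept minimal so this example runs on the stdlib alone."""
    parts = [int(p) for p in v.split(".")]
    while parts and parts[-1] == 0:  # normalise trailing zeros
        parts.pop()
    return tuple(parts)


def in_range(version: str, events: list) -> bool:
    """Walk OSV range events in order: 'introduced' opens a segment,
    'fixed' (exclusive) or 'last_affected' (inclusive) closes it."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            intro = ev["introduced"]
            # OSV uses "0" to mean "every version since the beginning".
            affected = intro == "0" or v >= parse_version(intro)
        elif "fixed" in ev and affected:
            affected = v < parse_version(ev["fixed"])
        elif "last_affected" in ev and affected:
            affected = v <= parse_version(ev["last_affected"])
    return affected


def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if `version` of `name` in `ecosystem` is hit by this advisory."""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):  # explicit enumerated versions
            return True
        for rng in entry.get("ranges", []):
            # SEMVER and GIT ranges need their own comparators; only ECOSYSTEM here.
            if rng.get("type") == "ECOSYSTEM" and in_range(version, rng["events"]):
                return True
    return False


def affected_ids(records: list, ecosystem: str, name: str, version: str) -> list:
    """IDs of every advisory (e.g. the 'vulns' list of an OSV query response)
    that applies to the given version."""
    return [r["id"] for r in records if is_affected(r, ecosystem, name, version)]


if __name__ == "__main__":
    print(json.dumps(build_osv_query("examplepkg", "1.2.0")))
    for v in ("0.9.0", "1.2.0", "1.4.2", "2.0.5", "2.1"):
        hit = is_affected(SAMPLE_OSV_RECORD, "PyPI", "examplepkg", v)
        print(f"{v}: {'affected' if hit else 'not affected'}")
```

The point for a practitioner is the boundary handling: `fixed` is exclusive, so 1.4.2 is clean while 1.4.1 is not, and a second `introduced` event can reopen the range for a later release line, which is exactly how regressions show up in OSV records. Whatever the lookup says, it only covers vulnerabilities that somebody registered.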

