The new service, at http://nvd.nist.gov, integrates all publicly available US government resources on vulnerabilities and provides links to many industry resources and is built upon the Common Vulnerabilities and Exposures list.
For those trying to prevent such attacks, keeping up with the 300 or so new vulnerabilities discovered each month can be an overwhelming task, especially since a single flaw can be known by numerous names, NIST said in a statement.
Unlike the longstanding CVE list, maintained by The MITRE Corp, which is keyword searchable, the NVD is a database that allows users to slice and dice the data to more quickly look up specific types of vulnerabilities or specific vulnerable products.
For example, a search for Windows XP vulnerabilities entered in 2005 returns 45 hits, 2% of all the vulnerabilities reported during that period. Searching for vulnerabilities in all Cisco Systems products reveals 47 hits.
Users can also specify the severity of the vulnerability and, at a high level, how easy an exploit is. The database indicates there have been 620 high severity vulnerabilities reported so far this year, 456 of which are remotely exploitable.
There were 12,003 vulnerabilities in the database following Friday’s update. And the web site claims the database is growing at the rate of eight new vulnerabilities per day, the web site indicates.
The NVD site also publishes an arbitrary measure of workload, the Vulnerability Workload Index, which in snapshot reveals very little of use, but over time could prove an interesting trend indicator an a useful tool for squeezing budget.
This metric is currently 3.17, the 30-day average number of high severity vulnerabilities being revealed per day, where medium severity vulnerabilities count as 20% of a high severity one and low severity vulnerabilities count as 5% of a high severity.
