Experts Warn the NVD Backlog Is Reaching a Breaking Point
Federal Database Nears 10,000 Unanalyzed Vulnerabilities Amid Halt in Operations
The United States' federal database for tracking security vulnerabilities has virtually ground to a halt. Analysis of newly disclosed vulnerabilities and exposures has become nearly nonexistent as experts warn that the massive backlog and ongoing issues could result in supply chain risks across critical sectors.
Put simply: The National Vulnerability Database is broken, and there isn't an easy fix.
One critical question must be resolved to fix NVD's issues, said Michael Daniel, president and CEO of the Cyber Threat Alliance and a former cybersecurity coordinator on the National Security Council. Who should be responsible for populating the database with information to provide comprehensive and actionable risk information? There's debate over whether the database, currently managed by the National Institute of Standards and Technology, should migrate to the Cybersecurity and Infrastructure Security Agency or even to the private sector, which handles much of the vulnerability management process.
"There are pros and cons to these different approaches," Daniel told Information Security Media Group. He said the relevant stakeholders across the security and vulnerability management communities should come together "and come to a consensus on which approach would produce the best outcome."
"Once we answer this question, we should make sure that the function is robustly funded and supported," he added.
At least 9,762 CVEs currently remain unanalyzed by the NVD, according to NIST data. The number is likely to increase. As of Monday, NIST has analyzed only two of the nearly 2,000 new CVEs received in May.
NIST acknowledged the NVD's backlog in late April when the agency posted a notice that attributes the issues to "a variety of factors," including "an increase in software and, therefore, vulnerabilities, as well as a change in interagency support."
NIST did not provide further details about the apparent disruption in interagency support and did not respond to a request for comment on the ongoing backlog. The agency said in its April notice that it was "looking into longer-term solutions," including potentially establishing a consortium of industry, government and stakeholder organizations to collaborate and improve the NVD.
The NVD backlog could potentially affect major cybersecurity vendors such as CrowdStrike and Microsoft Defender for Endpoint, and even some of the leading cloud security posture management tools, such as Orca and Wiz, according to Scott Kuffer, co-founder of the risk-based vulnerability management platform Nucleus Security.
"If they are deriving their main scanning engines on top of the NVD, which most of these are, then their ability to detect vulnerabilities is severely impacted, if not hindered altogether," Kuffer told ISMG.
"The biggest impact is that there will be vulnerabilities in your environment that you do not see or know about," he added.
Some threat analysts have argued that the private sector should take on more responsibility in detecting and reporting vulnerabilities, since industry has already proven capable in real-time detection methods. Private sector entities are already responsible for designating vulnerabilities as CVEs, and their expertise and agility could improve the overall effectiveness of vulnerability management efforts.
The counterargument is that the database should remain in federal hands, the better to foster public-private sector collaboration on vulnerability management and ensure consistent standards and oversight. A centralized approach at the federal level could also help mitigate private sector conflicts of interest and ensure critical vulnerabilities are addressed across sector risk management agencies, further protecting national security and critical infrastructure.
The NVD program does not perform vulnerability testing; it relies on third-party security researchers, vendors and vulnerability coordinators to assign risk attributes and additional information to CVEs. NVD staff members are tasked with aggregating data points from CVE descriptions and compiling any additional data that can be found publicly online.
Kaylin Trychon, vice president of marketing for the IT service management firm Chainguard, signed an April letter to Congress and the Department of Commerce, along with nearly 50 other security professionals, expressing the need to restore and enhance NVD operations. The letter urged Congress to launch an investigation into the challenges surrounding the database and help restore the vulnerability enrichment process.
The letter suggested Congress treat the NVD as critical infrastructure and an essential service, which could potentially expand funding and federal resources for the database and its enrichment operations. Trychon thinks handing the responsibilities of the NVD to the private sector would lead to disaster.
"There will be more resources created that attempt to step in or replace NVD, and it will cause even more confusion in an already complex space," she told ISMG. "This is something that as an industry we cannot afford, and it could result in a very preventable security incident."
Experts told ISMG a portion of what the NIST analysts were doing before the slowdown could be automated, allowing for more high-quality, timely and consistent NVD data. But even then, resource-strapped organizations still have to decide which vulnerabilities to patch and in what order.
"The NVD data helps organizations make those prioritization decisions," Daniel said. "If the NVD data isn't consistent or timely, then it makes the whole ecosystem less secure because companies are unable to make good prioritization decisions."
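A concrete illustration of the two points raised above, that scanners keyed on NVD data go blind when entries are not enriched and that organizations still have to prioritize without it: the script below is an added example, not code from the article or from any vendor named in it. It assumes the JSON layout of the NVD API 2.0 "cves" response (vulnStatus, metrics.cvssMetricV31 with Primary/Secondary types, configurations with CPE criteria); the records and CVE ids are constructed placeholders.

```python
import json

# Constructed sample shaped like an NVD API 2.0 "cves" response. The CVE ids and
# values are placeholders, not real entries; field names follow NVD API 2.0.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                         "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                         "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
]})


def best_cvss(cve):
    """Prefer the NIST (Primary) CVSS v3.1 metric; fall back to a CNA (Secondary) one."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    for wanted in ("Primary", "Secondary"):
        for m in metrics:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], wanted
    return None, None


def triage(nvd_json):
    """Bucket each record as enriched, CNA-scored only, or needing manual review.

    Known scores sort first; unscored entries stay visible at the end rather
    than silently dropping out of the patch queue.
    """
    rows = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        score, origin = best_cvss(cve)
        # CPE-driven scanners need a 'configurations' block; without it the CVE is
        # in the feed but never matches any asset, which is the blind spot at issue.
        has_cpe = bool(cve.get("configurations"))
        if origin == "Primary" and has_cpe:
            bucket = "enriched"
        elif score is not None:
            bucket = "cna-score-only"
        else:
            bucket = "manual-review"
        rows.append({"id": cve["id"], "status": cve.get("vulnStatus"), "score": score,
                     "score_from": origin, "cpe": has_cpe, "bucket": bucket})
    rows.sort(key=lambda r: (r["score"] is None, -(r["score"] or 0)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_NVD_JSON):
        print(row)
```

The "manual-review" bucket is the practical answer to the backlog: a CVE without NIST enrichment must be tracked explicitly, because a scoring pipeline that treats "no score" as "low" quietly reproduces the gap the article describes.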