The NIST Finally Hires a Contractor to Manage CVEs
2024-6-4 08:34:19 Author: securityboulevard.com

Security experts have been tearing their hair out because no one has been keeping up with the analysis of Common Vulnerabilities and Exposures (CVE) reports. Now, NIST has hired a company to work through the backlog.

For months, the U.S. National Institute of Standards and Technology (NIST) had been grappling with a significant backlog of Common Vulnerabilities and Exposures (CVE) reports, with a staggering 93% of newly submitted flaws left unanalyzed in the National Vulnerability Database (NVD). In a bid to address this critical issue, NIST enlisted security contractor Analygence to tackle the problem.

Analygence doesn’t have a track record in dealing with code security. A company spokesperson acknowledged that it is new to this type of work. However, it’s not uncommon for businesses in the government contracting sphere to hire the expertise they need. Analygence seems to understand this well.

NIST and the contractor face a huge backlog. According to security company VulnCheck, as of May 23, 12,720 fresh vulnerabilities had been submitted to the NVD since February 12, the day NIST's analysis stopped keeping pace with the onslaught of security reports. It is not a minor issue, particularly given the surge in CVE volume: on August 22, 2023, for example, 138 CVEs were filed in a single day.

On top of that, NIST is changing the format of the CVE records it ingests, from the CVE JSON 4.0 dataset to the CVE JSON 5.0 dataset. According to NIST, “Due to differences between these two datasets, there will be a large volume of changes to the NVD dataset.” Changes mean yet more work.

NIST expects to clear its backlog by the end of fiscal year 2024. That strikes me as terribly optimistic, but we can only hope they are successful. IT security depends on the NVD.

Bag ‘Em and Tag ‘Em

Whenever a CVE is published, NVD’s staffers must analyze it and tag it with the relevant Common Weakness Enumeration (CWE) identifiers, which classify the kind of flaw. They also assign Common Platform Enumeration (CPE) names, which identify the systems, software and packages known to be affected by the bug at the time of analysis.

Then, it’s given a Common Vulnerability Scoring System (CVSS) score. In practice, that score determines whether the IT security crew shrugs its collective shoulders (a Low rating, 3.9 or below) or calls “all hands on deck” to patch or remediate the problem as soon as possible (Critical, 9.0 or higher). Without this score, many security teams don’t know whether a recently reported security hole should be treated as business as usual or an oncoming disaster.
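The practical consequence of the backlog is that a scanner pulling NVD records cannot tell which ones have actually been enriched with CPE names, CWE tags and an NVD-assigned CVSS score. The following Python is an added example, not code from the article or from NIST or Analygence; it triages records in the shape of the NVD API 2.0 response (fields such as vulnStatus, metrics.cvssMetricV31, weaknesses and configurations), falls back to a CNA-supplied score when NVD has not scored a record, and reports how much of a batch is still unenriched. The three sample records embedded below are constructed by hand with placeholder IDs and are not real NVD data.

```python
"""Triage NVD-shaped CVE records by enrichment state and CVSS severity.

Added example, not code from the article, NIST or Analygence. The sample
batch below is constructed in the shape of the NVD API 2.0 JSON response;
the CVE IDs are placeholders, not real vulnerabilities.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample batch (not real NVD data): one fully enriched record,
# one awaiting NVD analysis with only a CNA-supplied score, one with nothing.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",  # placeholder ID
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                            "description": [{"lang": "en", "value": "CWE-787"}]}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                "cpeMatch": [{"vulnerable": True,
                              "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-0002",  # placeholder ID
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [
                {"source": "cna@example.org", "type": "Secondary",
                 "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
        }},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis"}},
    ]
})


@dataclass
class Triage:
    cve_id: str
    status: str
    has_cpe: bool            # at least one CPE match flagged vulnerable
    has_cwe: bool            # at least one CWE tag present
    cvss_source: Optional[str]  # "nvd" (Primary), "cna" (Secondary) or None
    base_score: Optional[float]
    bucket: str              # CVSS v3.x qualitative rating


def severity_bucket(score: Optional[float]) -> str:
    """CVSS v3.x qualitative scale: None 0.0, Low 0.1-3.9, Medium 4.0-6.9,
    High 7.0-8.9, Critical 9.0-10.0. Unscored records get their own bucket."""
    if score is None:
        return "Unscored"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"


def pick_cvss(cve: dict) -> Tuple[Optional[str], Optional[float]]:
    """Prefer NVD's own (Primary) v3.1 metric; otherwise fall back to the
    first CNA-supplied (Secondary) metric so the record is not left unscored."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    primary = [m for m in metrics if m.get("type") == "Primary"]
    if primary:
        return "nvd", float(primary[0]["cvssData"]["baseScore"])
    if metrics:
        return "cna", float(metrics[0]["cvssData"]["baseScore"])
    return None, None


def has_vulnerable_cpe(cve: dict) -> bool:
    """True if any configuration node lists a CPE match flagged vulnerable."""
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            if any(m.get("vulnerable") for m in node.get("cpeMatch", [])):
                return True
    return False


def triage_record(cve: dict) -> Triage:
    source, score = pick_cvss(cve)
    return Triage(
        cve_id=cve["id"],
        status=cve.get("vulnStatus", "Unknown"),
        has_cpe=has_vulnerable_cpe(cve),
        has_cwe=bool(cve.get("weaknesses")),
        cvss_source=source,
        base_score=score,
        bucket=severity_bucket(score),
    )


def triage_response(raw_json: str) -> List[Triage]:
    data = json.loads(raw_json)
    return [triage_record(v["cve"]) for v in data.get("vulnerabilities", [])]


def backlog_summary(triages: List[Triage]) -> dict:
    """A record counts as enriched only when NVD has added CPE, CWE and its
    own CVSS score; anything less is invisible to CPE-based scanner matching."""
    unenriched = [t for t in triages
                  if not (t.has_cpe and t.has_cwe and t.cvss_source == "nvd")]
    total = len(triages)
    pct = round(100.0 * len(unenriched) / total, 1) if total else 0.0
    return {"total": total, "unenriched": len(unenriched), "pct_unenriched": pct}


if __name__ == "__main__":
    rows = triage_response(SAMPLE_NVD_RESPONSE)
    for r in rows:
        print(r)
    print(backlog_summary(rows))
```

Note the deliberate asymmetry: a CNA score is accepted as a fallback for prioritization, but it does not count as enrichment, because a scanner that matches assets by CPE still cannot tell which products the record applies to until NVD adds the configurations.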

Many of these can be ignored. Dan Lorenc, CEO of Chainguard, a software supply chain security company, recently wrote, “the ridiculous rash of awful CVEs” resulted from “scraping old issues and commits to file these in an automated fashion, without ever getting maintainers involved.”

Ah, but which ones can be ignored and which are serious business? Aye, there’s the rub. As Lorenc continued, “Scanners, analyzers, and most vulnerability tools rely on the NVD to set these fields so they can determine what software is affected by which vulnerabilities.”

Strap in tight, folks. Getting this system back into shape is going to take a while.

Photo credit: Afif Ramdhasuma on Unsplash

Article source: https://securityboulevard.com/2024/06/the-nist-finally-hires-a-contractor-to-manage-cves/