The National Vulnerability Database (NVD) is an information resource provided by the U.S. government that catalogs security vulnerabilities in a standardized, searchable format. It includes databases containing software and hardware products, their known security flaws (including misconfigurations), as well as their severity and impact. The NVD is an important resource for IT professionals to stay up-to-date with potential security concerns in their IT infrastructure.
This comprehensive guide explains the National Vulnerability Database and its importance in cybersecurity, gives an overview of its functionality, and shows how you should leverage it in your IT security operations to assess, classify, and mitigate the vulnerabilities lurking in your software and systems.
What is the National Vulnerability Database? NVD structure and components explained
The National Vulnerability Database was established in 2005 as a U.S.-funded successor to the Internet Category of Attack Toolkit (ICAT) which had been cataloging software vulnerabilities since 1999. As of 2021, the NVD has documented over 150,000 vulnerabilities.
The NVD is built around a database of vulnerabilities and affected products. The key components and features of the NVD are:
- Vulnerabilities: Each entry includes the Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability, along with information about the specific product and software versions it affects. Products are uniquely identified using their Common Platform Enumeration (CPE).
- Severity ratings and impact metrics: Common Vulnerability Scoring System (CVSS) scores and impact metrics provide information on the severity and possible implications of the vulnerability, including the effect on the confidentiality, integrity, and availability of the affected product.
- Mitigation recommendations: For each vulnerability, the NVD provides recommended measures you should take to either eliminate the vulnerability (for example, with a software patch or configuration change that resolves it), or mitigate it with additional configuration or protection.
The NVD provides search and filtering functions so you can check your devices and software for vulnerabilities that may need mitigation or patching. Additionally, the NVD also provides a searchable repository of checklists: guidelines and best practices for specific products that you can follow to better protect your IT infrastructure from known attack vectors.
How does the NVD work to address cybersecurity concerns?
The process for a vulnerability being added to the NVD first involves the identification of the problem, usually by a security researcher, a vendor or a developer who finds a problem in their own product, or sometimes even a regular end user noticing a flaw in a device or software they use.
Potential vulnerabilities are then reported and assigned a unique ID in the CVE database to track the issue. This report should include details of the vulnerability, including what products it affects, the impact of the exploit, and any identified mitigation steps. Once a CVE has been created, the National Vulnerability Database will review the entry, determine its severity, assign a CVSS score, and publish it to its online database.
How to use the NVD for vulnerability assessment and management
To properly manage and mitigate IT security vulnerabilities, you should regularly search for relevant threats using the NVD, either manually or using automation and security products that source data from the CVE and NVD databases.
You can access the National Vulnerability Database from its website at nvd.nist.gov and search for relevant vulnerabilities by their CVE or CPE, or look up checklists that you can follow to enhance your security configurations for the specific software you have deployed.
Building on the best practice of regularly performing network mapping and vulnerability assessments, you can incorporate checking the NVD with your routine network mapping tasks. This will ensure that all devices on your network are fully patched against known threats, or that unpatched threats are effectively mitigated (e.g. with additional firewall rules for specific endpoints).
For example, you may have legacy hardware (such as expensive/hard to replace industrial or medical equipment) that requires a specific software version that the NVD flags as insecure. Once the threat is identified, you can isolate the machine, perhaps only allowing secure remote access if it is required, and restricting its access to the wider network/internet. This would allow you to continue using the system without risking exposure to a known attack method.
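As an added illustration (not code from the NVD or from this guide's author), the sketch below shows how an automated check might match an asset inventory against NVD data by CPE and rank the findings by CVSS score. The sample is constructed in the shape of an NVD CVE API 2.0 response; the CVE IDs, vendor, product and host names are placeholders. It assumes dotted numeric versions and ignores the AND/OR/negate logic of configuration nodes.

```python
import json

# Constructed sample shaped like an NVD CVE API 2.0 response; IDs and products are placeholders.
SAMPLE = json.loads("""{"vulnerabilities": [
 {"cve": {"id": "CVE-0000-0001",
  "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
  "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true,
    "criteria": "cpe:2.3:a:examplecorp:webserver:*:*:*:*:*:*:*:*",
    "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.5"}]}]}]}},
 {"cve": {"id": "CVE-0000-0002", "metrics": {},
  "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true,
    "criteria": "cpe:2.3:o:examplecorp:plc_firmware:1.0:*:*:*:*:*:*:*"}]}]}]}}
]}""")

# Constructed asset inventory: hostname -> installed CPE 2.3 names.
INVENTORY = {
    "web01": ["cpe:2.3:a:examplecorp:webserver:2.4.1:*:*:*:*:*:*:*"],
    "web02": ["cpe:2.3:a:examplecorp:webserver:2.4.5:*:*:*:*:*:*:*"],
    "plc07": ["cpe:2.3:o:examplecorp:plc_firmware:1.0:*:*:*:*:*:*:*"],
}

BOUNDS = {  # NVD version-range keys -> comparison against the installed version
    "versionStartIncluding": lambda v, b: v >= b,
    "versionStartExcluding": lambda v, b: v > b,
    "versionEndIncluding": lambda v, b: v <= b,
    "versionEndExcluding": lambda v, b: v < b,
}

def ver(s):
    return tuple(int(p) for p in s.split("."))  # simplification: dotted numeric versions only

def cpe_matches(installed, match):
    """True if an installed CPE name falls under one vulnerable cpeMatch entry."""
    inst, crit = installed.split(":"), match["criteria"].split(":")
    if not match.get("vulnerable") or inst[2:5] != crit[2:5]:  # part, vendor, product
        return False
    if crit[5] != "*":                       # criteria pins one exact version
        return inst[5] == crit[5]
    return all(ok(ver(inst[5]), ver(match[k])) for k, ok in BOUNDS.items() if k in match)

def triage(response, inventory):
    """Return (host, cve_id, score, severity) rows; unscored CVEs sort first for review."""
    rows = []
    for cve in (v["cve"] for v in response["vulnerabilities"]):
        m = cve.get("metrics", {}).get("cvssMetricV31", [])
        score, sev = (m[0]["cvssData"]["baseScore"], m[0]["cvssData"]["baseSeverity"]) if m else (None, "UNSCORED")
        matches = [c for cfg in cve.get("configurations", []) for n in cfg["nodes"] for c in n["cpeMatch"]]
        for host, cpes in inventory.items():
            if any(cpe_matches(i, c) for i in cpes for c in matches):
                rows.append((host, cve["id"], score, sev))
    return sorted(rows, key=lambda r: (r[2] is not None, -(r[2] or 0)))
```

Entries that the NVD has not yet scored are surfaced at the top rather than dropped, so a newly published CVE affecting a legacy device still reaches a human for review.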
NVD IT security challenges and limitations
You cannot rely solely on the NVD to provide information about your IT security landscape. Your infrastructure is a unique mix of different pieces of hardware and software, each providing its own configuration challenges and security vulnerabilities, some of which may enable each other.
The National Vulnerability Database isn’t comprehensive — it doesn’t (and can’t) include every vulnerability out there. Many vulnerabilities go undiscovered (and unexploited in the wild), while threat actors may find vulnerabilities that they do not disclose so that they can be actively exploited.
It may also take time for known vulnerabilities to appear in the NVD, as there may be a delay between the time an exploit is made public (and thus, available to hackers) and when it has been properly documented and cataloged as a CVE and made its way into the NVD.
That’s why it’s important to ensure you have robust threat detection and response and perform routine vulnerability assessment and mitigation — ideally using tools that utilize diverse sources of intelligence, and implement heuristics to detect potentially malicious code or behavior.
Future of the National Vulnerability Database
The role of the National Vulnerability Database is evolving, especially with emerging AI-powered detection and response methodologies that can consume threat intelligence as it is published, and automatically formulate and deploy mitigation strategies that are best suited to their operating environment. This will become increasingly valuable in the face of complex AI-powered threats that implement the same technologies.
You can also play a role in the future of the NVD, by submitting your own discoveries as a CVE. If you are deploying endpoint management and protection software, you should ensure that it provides sufficient visibility so that you can quickly and clearly identify potential novel threat vectors.