A vulnerability is a weakness that allows an attacker to get in and cause harm; it may be a flaw in design or a misconfiguration.
To exploit a vulnerability, an attacker needs an applicable tool or technique that can connect to the system weakness.
The following are the top sources for tracking new vulnerabilities.
- National Vulnerability Database
- Common Vulnerabilities And Exposures
- VulnDB – Vulnerability Intelligence
- DISA IAVA Database And STIGS
- Open Vulnerability And Assessment Language
- National Council of ISACs
National Vulnerability Database
NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables the automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
79680 CVE Vulnerabilities, 376 Checklists, 249 US-CERT Alerts, 4458 US-CERT Vuln Notes, 10286 OVAL Queries, 115232 CPE Names
Common Vulnerabilities And Exposures
International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
- Scanning tools most commonly use CVEs for classification.
- SIEM tools understand CVE identifiers when reporting.
The CERT Knowledgebase is a collection of internet security information related to incidents and vulnerabilities. The CERT Knowledgebase houses the public Vulnerability Notes Database as well as two restricted-access components. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors.
VulnDB – Vulnerability Intelligence
Risk-Based Security offers VulnDB for comprehensive vulnerability intelligence through a continuously updated data feed. Based on the largest and most comprehensive vulnerability database, our VulnDB allows organizations to poll for the latest in software security vulnerability information. The VulnDB data feed subscription offering provides organizations with timely, accurate, and thorough vulnerability information.
- 3rd Party Libraries – Over 2,000 software libraries identified and tracked for issues
- RESTful API – Ability to integrate data easily with custom CSV export and usage of flexible RESTful API
- Email Alerting – Ability to configure email alerts for multiple email addresses by Vendor, Product, Version and Search criteria
- Research Team – Our team performs further in-depth analysis of select vulnerabilities to provide customers with the most detailed information available on cause and impact.
- CVE Mapping – ~100% mapping to CVE/NVD
- Timely Alerts – 24×365 Monitoring and Alerting
- Risk Scores – Extended classification system and our own CVSSv2 metrics, as well as VTEM (Vulnerability Timeline and Exposure Metrics).
- Technical Analysis – Detailed analysis provided for vulnerabilities
- Detailed Information – Over 70 data fields including vulnerability source information, extensive references, and links to solutions
- Impact Analysis
- Mitigation Guidance
- Links to Security Patches
- Links to Exploits
- Vendor and Product Evaluations
DISA IAVA Database And STIGS
CVE IDs are mapped to the US Defense Information Systems Agency’s (DISA) Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on DISA’s public Security Technical Implementation Guides (STIG) website.
“IAVA, the DISA-based vulnerability mapping database, is based on existing SCAP sources, and once in a while it contains details for government systems that are not a part of the commercial world,” says Morey Haber, VP of technology at BeyondTrust. “For any vendor doing .gov or .mil work, this reference is a must.”
SecurityTracker is a third-party vulnerability database library that is updated daily.
“The website tends to focus on non-OS vulnerabilities, but they are certainly included in the feed,” says Morey Haber, VP of technology at BeyondTrust. “Infrastructure and IoT tend to make the front page the most, and this site is a good third-party reference for new flaws.”
Open Vulnerability And Assessment Language
International in scope and free for public use, OVAL® is an information security community effort to standardize how to assess and report upon the machine state of computer systems. OVAL includes a language to encode system details and an assortment of content repositories held throughout the community.
Tools and services that use OVAL for the three steps of system assessment — representing system information, expressing specific machine states, and reporting the results of an assessment — provide enterprises with accurate, consistent, and actionable information so they may improve their security. Use of OVAL also provides for reliable and reproducible information assurance metrics and enables interoperability and automation among security tools and services.
National Council of ISACs
Sector-specific Information Sharing and Analysis Centers (ISACs) are non-profit, member-driven organizations formed by critical infrastructure owners and operators to share information between government and industry. The primary goal of ISACs is to quickly disseminate physical and cyberthreat alerts and other critical information to the member organizations.
If your business operates within a critical infrastructure sector, consider becoming a member of an ISAC. Below you’ll find a small portion of the ISACs associated with the National Council of ISACs. There are many more on the National Council of ISACs website.
MS-ISAC (multi-state): The MS-ISAC is the focal point for cyberthreat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments.
FS-ISAC (financial services): FS-ISAC is the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and sharing.
A-ISAC (aviation): The aviation ISAC provides an aviation-focused information sharing and analysis function to help protect global aviation businesses, operations, and services.
AUTO-ISAC (automotive): The automotive ISAC is a non-profit information-sharing organization that is owned and operated by automotive manufacturers and suppliers — 98% of vehicles on the road in the United States are represented by member companies in the AUTO-ISAC.
ONG-ISAC (oil and gas): The oil and natural gas ISAC was created to provide shared intelligence on cyber incidents, threats, vulnerabilities, and associated responses present throughout the oil and gas industry.
NH-ISAC (national healthcare): The official healthcare information sharing and analysis center offers non-profit and for-profit healthcare stakeholders a community and forum for sharing cyber and physical threat indicators, best practices, and mitigation strategies.
IT-ISAC (information technology): Members participate in national and homeland security efforts to strengthen the IT infrastructure through cyber information sharing and analysis.
There also are a growing number of Information Sharing and Analysis Organizations, or ISAOs, specific to various industries, groups, and regions. ISAOs stem from a 2015 Executive Order calling for the formation of more intel-sharing groups among specific communities.