Friday, December 11, 2009

Using The National Vulnerability Database During Security Testing

The National Vulnerability Database (NVD) is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. NVD's mission involves warning the public about vulnerabilities in computer systems. NVD makes this information available through a web search engine, and all of it is also given away for free, with no licensing restrictions, through XML and RSS feeds.

The NVD is easy to use and should be used during security testing. In fact, depending on which security tool you use, the results will most likely reference items in the NVD. I tried searching the NVD with some familiar software we use and the results were impressive. I did a search on the open source defect tracking system Bugzilla, and found numerous security flaws. I did this search by first going to this URL:
http://web.nvd.nist.gov/view/vuln/search?execution=e1s1
And then entering "bugzilla". The result was a list of 88 vulnerabilities, shown in an easy-to-read list with links that give you more specific details on each item:

Here's a closer look at some of the results from the list above:

CVE-2009-1213
Summary: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions allows remote attackers to hijack the authentication of arbitrary users for requests that use attachment editing.
Published: 04/01/2009
CVSS Severity: 6.8 (MEDIUM)

CVE-2008-6098
Summary: Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve."
Published: 02/09/2009
CVSS Severity: 4.0 (MEDIUM)
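The same kind of triage can be done against the NVD XML feed mentioned above instead of the web search. The script below is an added example, not code from the post: it parses a constructed feed sample built from the two entries quoted above (the namespace URIs of the NVD 2.0 feed are assumed and should be checked against the real feed's root element), filters entries by product keyword and minimum CVSS score, and keeps unscored entries so they are not silently dropped from a review.

```python
import xml.etree.ElementTree as ET

# Namespaces of the NVD 2.0 XML vulnerability feed (assumed; verify against the feed you download).
NS = {"feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
      "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
      "cvss": "http://scap.nist.gov/schema/cvss-v2/0.2"}

# Constructed sample in the shape of the feed, using the two CVEs quoted in the post plus one unscored entry.
SAMPLE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <entry id="CVE-2009-1213">
    <vuln:published-datetime>2009-04-01T00:00:00.000-04:00</vuln:published-datetime>
    <vuln:cvss><cvss:base_metrics><cvss:score>6.8</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:summary>Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3</vuln:summary>
  </entry>
  <entry id="CVE-2008-6098">
    <vuln:published-datetime>2009-02-09T00:00:00.000-05:00</vuln:published-datetime>
    <vuln:cvss><cvss:base_metrics><cvss:score>4.0</cvss:score></cvss:base_metrics></vuln:cvss>
    <vuln:summary>Bugzilla 3.2 before 3.2 RC2 allows remote authenticated users to bypass moderation via quips.cgi</vuln:summary>
  </entry>
  <entry id="CVE-0000-0000">
    <vuln:summary>Constructed unrelated entry with no CVSS score yet.</vuln:summary>
  </entry>
</nvd>"""

def severity(score):
    """CVSS v2 bands as NVD labels them: LOW 0-3.9, MEDIUM 4.0-6.9, HIGH 7.0-10."""
    if score is None:
        return "UNSCORED"
    return "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"

def parse_feed(xml_text):
    """Yield (cve_id, published_date, cvss_score, summary); absent fields become None."""
    for entry in ET.fromstring(xml_text).findall("feed:entry", NS):
        pub = entry.findtext("vuln:published-datetime", default=None, namespaces=NS)
        score = entry.findtext("vuln:cvss/cvss:base_metrics/cvss:score", default=None, namespaces=NS)
        summary = entry.findtext("vuln:summary", default="", namespaces=NS)
        yield (entry.get("id"), pub[:10] if pub else None, float(score) if score else None, summary)

def triage(xml_text, product, min_score=0.0):
    """Entries whose summary mentions `product` at or above `min_score`, highest score first.
    Unscored entries always pass the score filter and sort last, so they stay visible."""
    hits = [e for e in parse_feed(xml_text)
            if product.lower() in e[3].lower() and (e[2] is None or e[2] >= min_score)]
    return sorted(hits, key=lambda e: -1.0 if e[2] is None else e[2], reverse=True)

if __name__ == "__main__":
    for cve, pub, score, _ in triage(SAMPLE_FEED, "bugzilla", 4.0):
        print(f"{cve}  {pub}  {score}  {severity(score)}")
```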

Searching for vulnerabilities is just one feature of the NVD. There are a number of checklists, statistics and other resources available at the main NVD URL:
http://nvd.nist.gov/home.cfm
