NVD
Common Vulnerabilities and Exposures (CVE) is a list of registered information about known security vulnerabilities, in which each reference has a unique identification number. It thereby provides a common nomenclature for public knowledge of this kind of problem and so facilitates the sharing of data about these vulnerabilities.
It was defined and is maintained by The MITRE Corporation (which is why the list is sometimes known as the MITRE CVE List), with funding from the National Cyber Security Division of the United States government. It is part of the Security Content Automation Protocol.
The information and nomenclature of this list are used in the National Vulnerability Database, the United States repository of information about vulnerabilities.
https://es.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
National Vulnerability Database (NVD) is a government repository of standards-based vulnerability information.
The NVD is a product of the National Institute of Standards and Technology (NIST) Computer Security Division and is used by the U.S. Government for security management and compliance as well as automatic vulnerability management.
The NVD is sponsored by the Department of Homeland Security (DHS), NCCIC and US-CERT. NVD is used as the repository for security-related content for NIST's security content automation protocol (SCAP). The National Security Agency (NSA), OSD, DHS, NIST, and DISA are all users of NVD as part of the government's information security automation program.
The automation of the systems through SCAP and NVD, for example, as well as patch management are enabled by the Federal Desktop Core Configuration (FDCC), a checklist for mandatory configuration settings on US government computers.
http://whatis.techtarget.com/definition/National-Vulnerability-Database-NVD
The National Vulnerability Database is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP).
On Friday March 8, 2013, the database was taken offline after it was discovered that the system used to run multiple government sites had been compromised by a software vulnerability of Adobe ColdFusion.
In addition to providing a list of Common Vulnerabilities and Exposures (CVEs), the NVD scores CVEs to quantify the risk of vulnerabilities, calculated from a set of equations based on metrics such as access complexity and availability of a remedy.
https://en.wikipedia.org/wiki/National_Vulnerability_Database