What exactly does "Clear" mean in the title?
My dog can just drop the entire db for a run on the beach if that's what they want.
Facing a growing backlog of reported flaws, NIST has extended a commercial contract with an outside consultancy to help it get on top of its National Vulnerability Database (NVD). NIST has an ongoing five-year $125 million contract with Maryland-based Analygence for various bits of IT and security-related work. That deal was …
> "Why are vulnerabilities out of control in 2024?"
Because such software is released without testing for such vulnerabilities. If it takes one unit of time to write the code, then four more units should be spent on testing. Nine if it's to be used in a critical system. Instead of: release if it compiles and fix the bugs in the next version.
No, this software has vulnerabilities because it was written and authorised by idiots who wouldn't know any better.
How exactly do you expect managers who don't understand the most basics of technology to possibly appreciate the importance of or efforts to produce quality, safe s/w?
Yes, but… there are also some signs of vulnerabilities being claimed for what are essentially just bugs (and I’m not referring to the impact of Linux CVEs - https://sigma-star.at/blog/2024/03/linux-kernel-cna/ - maybe The Register could dig up some stats for the latter).
Anecdotally, in my own day job, we’ve seen two or three recently filed by a third party (not the software developers), without disclosing to the project, with no attempt at a PoC, and claiming “if you pass this function incorrect arguments then you get an exception”.