NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great

NIST has made some progress clearing its backlog of security vulnerability reports to process – though it's not quite on target as hoped. The US government standards body just blew its self-imposed September 30 deadline to bring the speed at which its National Vulnerability Database (NVD) processes new flaws up to its pre- …

  1. Anonymous Coward

    Core issues

    Granted there will always be bugs, with most of them due to legacy code and poor design - Microsoft I'm looking at you.

    Maybe it's finally time to start fining companies for making known poorly secured software. Just like if a drug company knowingly made drugs that harm people.

    That should help cut down the flood of exploits... in a year or two.

    Google and Apple need to allow real firewalls on the phones they sell (the only reason they won't support them is to prevent you blocking their data harvesting), and not the half-ass, what-we-allow-you-to-think-you-have-control-over piddly settings.

    1. DS999 Silver badge

      Re: Core issues

      A firewall would do almost nothing to secure a phone. Exploits are found in the kernel, system libraries, browser or applications. There are basically zero incoming network exploits, and a firewall that blocked outgoing traffic isn't going to do anything unless you had it set on "ask before allowing" for any external connection which would render the device essentially useless.

      Even if you plowed through weeks of frustration figuring out what traffic you had to allow by default to use it normally, there are no guarantees that an exploit pilfering data wouldn't rely on something you'd already whitelisted like cloud replication to get the data off your phone.

      1. Anonymous Coward

        Re: Core issues

        A real firewall on a phone can:

        block all IP except ranges approved. (and ports)

        log what apps are actually talking and to who/where

        can be configured to block ranges (like all of goog, or Stark Industries)

        Those have value to me

  2. Malcolm Weir Silver badge

    This seems another infrastructure fail

    So it turns out there is one political philosophy that believes that industry can do anything better than the government can. How true that belief is turns out to be irrelevant to an awkward side-effect: the specific things that for-profit outfits can't do very well (like certify aircraft or manage vulnerability disclosures) also get reduced funding, even if they happen to be the most cost effective solution. So people like NIST are woefully underfunded, because who wants to give the Department of Commerce more money? And, yes, part of the problem is that the agencies aren't asking for more money, as their leadership either shares the "starve the beast" philosophy or because no one wants to make the case that higher taxes can be worthwhile...

    1. An_Old_Dog Silver badge

      Re: This seems another infrastructure fail

      It's not that the NVD necessarily needs (much) "more" money, but it certainly does need the money it used to have, which was cut. The NIST website alludes to that cut with the euphemism, "a change in interagency support."

      To make good budgeting decisions on this, we need to know not only the increase over time of new vulns, but also the rate at which the rate of incoming vulns is increasing.

  3. -tim

    It has been pining for the fjords for a while

    Several years ago I submitted a few major bugs that were ignored by the vendor. They weren't even going to help.

    That bug would take full control of a system by visiting a web page and I had a demo. Some of it was reported years later.

    The database needs to be split into Major products and Minor products as well. The crying wolf over the recent cups printing system is an example of something that should not be in the same database as something where every system must be updated at once like a nasty Windows issue. We hear about bad Apache issues all the time but they don't involve the web httpd server which has a million times more installs than any of the Apache Foundation projects. It would make my daily security news scans much simpler if they would stop adopting stray dogs from the Java flea circus or change that name.

    1. John_Ericsson

      Re: It has been pining for the fjords for a while

      The dismissal of the CUPS vulnerability by the open source advocates and developers is FAR more worrying than the unauthenticated RCE vulnerability itself.
