cyber Adventura



The story of vulnerabilities

Imagine you’re at a buffet, surrounded by all kinds of delicious food. You’re famished, and the sight of healthy and tasty food can’t hold you back. But suddenly, a tiny fly appears out of nowhere and starts buzzing around your plate. You try to swat it away, but it’s persistent and keeps bothering you.

That little fly is like a vulnerability—it may seem small and insignificant, but it has the potential to ruin your entire feast if you’re not careful. So, just like you’d protect your plate from that pesky fly, make sure to guard your assets against vulnerabilities, no matter how tiny or insignificant they may seem.

A vulnerability refers to a weakness or flaw in a system, network, or software that can be exploited by attackers to compromise the confidentiality, integrity, or availability of the system or data.


Vulnerabilities can exist in various components, including operating systems, applications, protocols, and hardware, all of which are typical attack surfaces.

Vulnerabilities have existed since the early days of computing, when they primarily affected mainframe systems. Since then they have evolved, ranging from classic buffer overflows to a wide variety of software- and hardware-related flaws.

Nowadays we hear about zero-day vulnerabilities from time to time. Zero-day vulnerabilities are flaws that are unknown to the software vendor and therefore lack an official patch.

Attackers look for ways to exploit these vulnerabilities before they are patched, which makes them one of the greatest risks to any organisation.

The existence of zero-day vulnerabilities led to the emergence of a vulnerability research community and the establishment of bug bounty programs, where researchers are rewarded for responsibly disclosing vulnerabilities.

So where should organisations look when they want more information about the software they intend to deploy or the components they would like to use? The following organisations are engaged in this effort.

The main sources

NIST National Vulnerability Database (NVD)

NVD is a comprehensive repository of vulnerabilities maintained by the National Institute of Standards and Technology (NIST).

It provides vulnerability descriptions, severity ratings, and links to relevant patches, advisories, and mitigation guidance.

Common Vulnerability Scoring System (CVSS)

CVSS is a standardized framework for assessing and rating the severity of vulnerabilities.

It provides a numerical score based on various factors like exploitability, impact, and complexity. CVSS helps organizations prioritize and manage vulnerabilities based on their criticality.

Common Vulnerability Disclosure (CVD)

CVD refers to the process of disclosing and sharing information about vulnerabilities between security researchers, vendors, and the public. It involves responsible reporting, coordination, and remediation of vulnerabilities to ensure that affected systems are patched and secured.

This public disclosure raises awareness about the vulnerability, allowing users to take necessary precautions or seek appropriate patches or fixes. CVD can sometimes lead to immediate disclosure without prior coordination with the vendor.

Coordinated Vulnerability Disclosure (CVD)

There is another CVD, Coordinated Vulnerability Disclosure, also known as Responsible Disclosure. It involves a structured and cooperative process between the discoverer of the vulnerability and the organisation responsible for the affected software or system.

In this approach, the vulnerability is disclosed privately and directly to the vendor or organization, allowing them time to investigate, develop patches, and release updates before the details are made public.

The goal of CVD is to give the vendor sufficient time to mitigate the vulnerability, reducing the risk of exploitation before users can protect themselves.

Common Weakness Enumeration (CWE)

CWE is a project that maintains a community-driven list of common software weaknesses and vulnerabilities. It helps developers and security professionals understand and classify vulnerabilities by their root causes, making them easier to address and mitigate.

The project is sponsored by the National Cybersecurity FFRDC, which is operated by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.

Common Vulnerabilities and Exposures (CVE)

CVE is a dictionary of publicly known information security vulnerabilities. Each vulnerability is assigned a unique identifier (CVE ID) and includes information on affected products, descriptions, and references to additional resources.

The United States’ National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security.

What is the difference between CWE and CVE?

CWE focuses on categorizing and describing common software weaknesses and vulnerabilities, whereas CVE provides a standardized naming scheme and list of known vulnerabilities.

CWE helps identify and address root causes of vulnerabilities, while CVE allows for the identification and tracking of specific vulnerabilities across different sources and platforms. Both CWE and CVE are widely used in vulnerability management and play complementary roles in understanding, addressing, and tracking vulnerabilities in software systems.

MITRE ATT&CK Framework

The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) framework is a comprehensive knowledge base that describes adversary behaviors and techniques used during cyber attacks. It helps organizations understand the tactics employed by threat actors, detect their activities, and enhance their defenses accordingly.

OWASP (Open Web Application Security Project)

OWASP is a community-driven organization focused on improving the security of web applications. They provide resources, guidelines, and tools to address common vulnerabilities, such as the OWASP Top Ten, which lists the most critical web application security risks.

The OWASP Application Security Verification Standard (ASVS) is a community-driven framework that provides guidelines for designing, developing, and testing secure web applications. It covers a wide range of security controls, including authentication, access control, cryptography, and session management.

Notable Mentions

US-CERT (United States Computer Emergency Readiness Team)

US-CERT is a division of the Department of Homeland Security (DHS) that provides information on cybersecurity threats, vulnerabilities, and incident response. They offer alerts, advisories, and vulnerability notes to help organisations identify and mitigate vulnerabilities.

Countries around the world have established their own national CERTs, which receive and exchange information with one another.

CERT/CC (Computer Emergency Response Team Coordination Center)

CERT/CC is a coordination center that works to improve cybersecurity across different sectors. They publish vulnerability notes, technical alerts, and security bulletins to assist organizations in understanding and mitigating vulnerabilities.

Bug Bounty Platforms

Bug bounty platforms like HackerOne, Bugcrowd, and Synack connect organisations with a community of ethical hackers who actively search for vulnerabilities in exchange for rewards. These platforms can help identify and address vulnerabilities before they can be exploited maliciously.

Security Forums, Blogs, Communities, Mailing Lists and RSS Feeds

Online security forums, such as Reddit’s r/netsec, Stack Exchange’s Information Security Community, and various specialized forums, serve as platforms for security professionals to discuss vulnerabilities, share insights, and learn from each other’s experiences.

Security blogs such as Infosecurity Magazine and Schneier on Security also provide a wealth of information.

Subscribing to security-related mailing lists, RSS feeds, and security-focused blogs can provide real-time updates on vulnerabilities, exploit techniques, and emerging security threats.

Security Conferences and Events

Attending security conferences, such as Black Hat, DEF CON, or RSA Conference, offers opportunities to learn about the latest vulnerabilities, cutting-edge research, and best practices from industry experts.

Security Research Papers and Publications

Academic research papers and publications in the field of cybersecurity often present new vulnerabilities, attack techniques, and mitigation strategies. Platforms like IEEE Xplore, ACM Digital Library, or arXiv are excellent resources for accessing such papers.

Exploit Databases

Exploit databases like Exploit-DB and Metasploit Framework provide information on known exploits and vulnerabilities. Security researchers and professionals can use these resources to stay updated on the latest vulnerabilities and potential attack vectors.

Security Advisories and Bulletins

Software vendors and organizations often release security advisories and bulletins to inform users about vulnerabilities and provide guidance on remediation. Examples include Microsoft Security Bulletins, Cisco Security Advisories, and Adobe Security Bulletins.

Security Information and Event Management (SIEM) Systems

SIEM systems collect and analyze security logs and events from various sources within an organization’s network infrastructure. They help detect and identify potential vulnerabilities, suspicious activities, and security incidents.

Penetration Testing Reports

Penetration testing, also known as ethical hacking, involves simulating real-world attacks to identify vulnerabilities in systems and applications. Penetration testing reports provide detailed information on discovered vulnerabilities, their potential impact, and recommended remediation steps.

Vendor Security Blogs and Advisories

Many software vendors maintain security blogs and publish advisories to communicate important security information, including vulnerability disclosures, patches, and best practices. Subscribing to vendor security blogs can help stay informed about vulnerabilities affecting specific products.

CVSS, CVD, MITRE ATT&CK, and OWASP are the primary sources of information and frameworks for vulnerability assessment, management, and mitigation. They provide the inputs needed for risk management and for implementing effective security measures.

They help security professionals and organizations understand the severity of vulnerabilities, track attacker techniques, and implement best practices to protect their systems and applications.

It’s important to regularly consult and leverage these resources to maintain up-to-date knowledge about vulnerabilities and adopt proactive security practices to keep organisations secure.

Let’s not forget, “Vulnerability is the birthplace of innovation, creativity and change.”



One response to “The story of vulnerabilities”

  1. […] Document and prioritise vulnerabilities based on their severity. For detailed information about vulnerabilities , please refer to our previous blog […]
