
Beyond CVE: The hunt for other sources of vulnerability intel

by Wikdaily


Software vendors like Oracle, Microsoft, and Red Hat routinely publish cybersecurity bulletins for their software, Mackey from Black Duck says. Similarly, GitHub maintains a repository of vulnerability information known as the GitHub Advisory Database, and there are several regional vulnerability databases in Australia, the EU, Japan, and China that organizations can tap as well, Mackey says. Examples include AusCERT, VulDB, JPCERT/CC, and CNNVD. Also consider providers of Software Composition Analysis (SCA) tools, who often augment NVD data to create their own security advisories, Mackey says.

“Of course, there are many different application security testing techniques such as static application security testing, interactive application security testing, and fuzzing that can be used to identify vulnerabilities that were never disclosed,” he says. “Each of these options is valuable, but when combined with each other, a complete view of application risks due to cybersecurity can be obtained.”

CISA’s catalog of Known Exploited Vulnerabilities (KEV) is another useful — and in the case of US federal agencies, mandated — resource for vulnerability data. The catalog is a list of exploited cybersecurity vulnerabilities that pose a risk to government and critical infrastructure organizations. Its primary use case is to guide them in identifying and remediating high-risk vulnerabilities that pose an immediate threat. Once CISA enters a vulnerability in KEV, US civilian federal agencies have a strict deadline within which they have to remediate the flaw or to discontinue use of the affected product until they can remediate it. Though its intended audience is relatively narrow, any organization can use KEV to prioritize patching efforts.
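The KEV-based prioritization described above, as an added example that is not part of the original article: it matches scanner findings against a KEV feed and orders them by remediation due date. The feed sample, CVE IDs, asset names and the `load_kev` and `prioritize` helpers are constructed for illustration; the field names follow CISA's published KEV JSON.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed; CVE IDs are placeholders.
KEV_JSON = """
{"catalogVersion": "constructed-sample", "vulnerabilities": [
  {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "Gateway",
   "dateAdded": "2099-01-02", "dueDate": "2099-01-23", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "Mailer",
   "dateAdded": "2099-02-01", "dueDate": "2099-02-22", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed scanner output: (asset, CVE) pairs from a hypothetical inventory.
FINDINGS = [
    ("web-01", "CVE-2099-0002"),
    ("web-01", "CVE-2099-0003"),   # not listed in KEV
    ("vpn-01", "CVE-2099-0001"),
    ("mail-01", "CVE-2099-0002"),
]

def load_kev(raw):
    """Index KEV entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Order findings: KEV-listed first (earliest due date, ransomware-linked
    ahead on ties), then the rest. Each row records whether the due date passed."""
    rows = []
    for asset, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"asset": asset, "cve": cve, "kev": False, "due": None,
                         "overdue": False, "ransomware": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"asset": asset, "cve": cve, "kev": True, "due": due,
                     "overdue": due < today,
                     "ransomware": entry.get("knownRansomwareCampaignUse") == "Known"})
    return sorted(rows, key=lambda r: (not r["kev"], r["due"] or date.max,
                                       not r["ransomware"], r["asset"]))

if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_JSON), today=date(2099, 2, 1)):
        tag = "KEV" if r["kev"] else "---"
        print(f'{tag} {r["cve"]} {r["asset"]:8} due={r["due"]} overdue={r["overdue"]}')
```

Findings that are not in KEV still appear at the end of the list, so the catalog reorders the backlog rather than hiding anything from it.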
