Resilient Cyber

S6E11: Josh Bressers & Dan Lorenc - Untangling the NVD Chaos

Mar 22, 2024

Experts discuss the drama around NVD and its impact on vulnerability management. They highlight concerns about lack of CVE enrichment and the grassroots effort to raise awareness. The podcast explores the underfunding and oversight of critical software ecosystem components. Future solutions from NIST/NVD, government, and industry are discussed to resolve the issue.

29:18

Episode guests

Dan Lorenc

Josh Bressers

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The delay in enriching CVEs by NVD impacts severity scores and product data, disrupting the vulnerability ecosystem.

Open source initiatives are filling gaps in vulnerability data, emphasizing community collaboration to improve matching logic and enhance cybersecurity infrastructure.

Deep dives

The Importance of Cyber Resilience

Cybersecurity professionals emphasize the significance of systems that can endure a diverse threat landscape by remaining trustworthy and secure to withstand cyber incidents.

Introduction

2min

Challenges of NVD Data Enrichment and Vulnerability Management

16min

Exploring CPE Criticisms, Pearl Usage, and Government Involvement in Software Management

3min

Anticipation and Skepticism Regarding NVD Announcement at Volcan Conference

2min

Navigating the Complexity of Software Vulnerability Databases

7min

- First off, for folks that don't know you can you give them a brief overview of your background/organizations?

- Josh, let's start with you. Can you explain some of what is going on with the drama around NVD and what happened that caught everyone's attention?

- Dan - I know you've raised concerns around the implications for the community when it comes to the lack of CVE enrichment, how do you see this impacting the vulnerability management ecosystem?

- Josh - Your team has started providing some accompanying resources to try and address the gap, can you tell us a bit about that?

Dan - You've spun up an open letter to congress and have kicked off a bit of a grass roots effort to raise awareness around the problem. How is it going so far and what are you hoping to accomplish with the letter?

- Why do you both think this is such a big deal, and how can something so critical to the entire software ecosystem be so underfunded, overlooked and taken for granted?

- What are some things you all hope to see in the future to resolve this, both from NIST/NVD and the Government but also from industry as well?

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

Resilient Cyber

S6E11: Josh Bressers & Dan Lorenc - Untangling the NVD Chaos

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

The Importance of Cyber Resilience

Challenges with National Vulnerability Database (NVD)

Open Source Solutions in Vulnerability Management

Call for Collaboration and Industry Contributions

Remember Everything You Learn from Podcasts