Software Vulnerabilities

To keep software products up to date, many vendors provide patches and service packs, either as manual downloads or through automated updates (similar to Windows Update). If your machine has been updated with the latest application patches and service packs, does that mean the applications have no vulnerabilities? No. Updates only cover the vulnerabilities that the product company has analyzed and fixed. If the product makes use of third-party software, who is responsible for fixing a vulnerability in that third-party software? The product company typically supports a specific version of the third-party component and might not support later versions of it.

How can you become aware of vulnerabilities that have been reported against a particular product but not accepted as vulnerabilities by the product manufacturer? A good website to check for this information is the National Vulnerability Database (NVD). NVD is the U.S. government repository of standards-based vulnerability management data, represented using the Security Content Automation Protocol (SCAP). NVD supports the Common Vulnerability Scoring System (CVSS), which provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The vulnerability data is made publicly available and shareable without distribution restrictions. Based on impact, a vulnerability can be either a software flaw that could directly allow serious damage or a software flaw that serves as a stepping stone for a successful attack. To understand the software vulnerability cycle, from discovery of a vulnerability to its fix, have a look at the article Transformational Vulnerability Management Through Standards.

NVD provides two RSS 1.0 data feeds. The first feed provides information on all recent CVE vulnerabilities. The second feed provides only fully analyzed CVE vulnerabilities. The advantage of the latter is that NVD is able to include the vulnerable product names in the item titles. You can subscribe to these feeds and build applications that help you track the vulnerabilities of the products used in your enterprise.
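As an added example (not code from the original article or from NVD), the following Python parses an RSS 1.0 feed of analyzed CVEs and cross-references the product names in the item titles against an enterprise inventory. The feed content, CVE ids and product names are constructed placeholders, and the `CVE-id (product, product)` title shape is an assumption about the feed format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed RSS 1.0 (RDF) sample standing in for a downloaded NVD feed.
# The CVE ids and product names are placeholders, not real advisories.
SAMPLE_FEED = """<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/">
  <channel rdf:about="https://nvd.example/feed"><title>Analyzed CVEs (sample)</title></channel>
  <item rdf:about="https://nvd.example/CVE-0000-0001">
    <title>CVE-0000-0001 (exampleapp, examplelib)</title>
    <link>https://nvd.example/CVE-0000-0001</link>
  </item>
  <item rdf:about="https://nvd.example/CVE-0000-0002">
    <title>CVE-0000-0002 (otherproduct)</title>
    <link>https://nvd.example/CVE-0000-0002</link>
  </item>
</rdf:RDF>
"""

# RSS 1.0 puts <item> elements directly under <rdf:RDF> in the RSS namespace.
NS = {"rss": "http://purl.org/rss/1.0/"}
# Assumed title shape: "CVE-YYYY-NNNN (product1, product2, ...)".
TITLE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*\((.*)\)\s*$")

def parse_feed(xml_text):
    """Return a list of (cve_id, set_of_products, link) tuples from an RSS 1.0 feed."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.findall("rss:item", NS):
        title = item.findtext("rss:title", default="", namespaces=NS).strip()
        m = TITLE_RE.match(title)
        if not m:
            continue  # title lacks the expected shape; skip rather than guess
        products = {p.strip().lower() for p in m.group(2).split(",") if p.strip()}
        link = item.findtext("rss:link", default="", namespaces=NS)
        entries.append((m.group(1), products, link))
    return entries

def match_inventory(entries, inventory):
    """Map each inventoried product (case-insensitive) to the CVE ids that name it."""
    wanted = {p.lower() for p in inventory}
    hits = {}
    for cve_id, products, _link in entries:
        for p in products & wanted:
            hits.setdefault(p, []).append(cve_id)
    return hits
```

In practice the feed text would come from a scheduled download of the analyzed-CVE feed, and the inventory from your asset management system.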