It’s been a while since NIST changed the API for their NVD (National Vulnerability Database), so I (finally) got around to writing some code against that API. This API gives you a way for your code to query CVEs (Common Vulnerabilities and Exposures) against a broad range of products (or against specific products). What this immediately brought to my mind was what I always ask my clients to put in someone’s job description: “monitor vendor announcements and industry news for vulnerabilities in the products in use by the organization”. This can be a tough row to hoe, especially if we’re not talking about the Microsoft / Cisco / Oracle and other “enterprise flagship” products, the ones that might immediately come to mind. If you monitor the CVE list, you’ll see dozens or hundreds of CVEs scroll by in a day. Also, subscribing to all the vendor security newsgroups and feeds can quickly turn into a full-time proposition. I think using the NIST API can be a viable alternative to just plain “keeping up”. CVEs are often a few days behind vendor announcements and patches, but on the other hand the CVE database is a one-stop shop: (theoretically) everything is posted here.
Article Link: https://isc.sans.edu/diary/rss/26958