CHAPTER 8 Vulnerabilities

As we've discussed, the ugly truth about vulnerabilities is that every system has them! Every single one. And we're not just talking about a couple of issues here and there. Think thousands upon thousands, with more being discovered every day. Our goal is to identify the ones applicable to our environment and deal with them. To do that, we'll need a list.

So, off we go searching for vulnerability listings. It should be no surprise that one of the first entries that comes up is NIST's National Vulnerability Database (NVD). At the time of this writing, the NVD contained the following information.

  • 79,261 CVE vulnerabilities (CVE: Common Vulnerabilities and Exposures, from MITRE, a nonprofit that operates several R&D centers)
  • 368 Checklists (Detailed guidance on operating and application security settings)
  • 249 US‐CERT Alerts (U.S. Computer Emergency Readiness Team)
  • 4,455 US‐CERT Vuln notes (U.S. Computer Emergency Readiness Team Vulnerability Notes)
  • 10,286 OVAL Queries (Another MITRE‐coordinated effort on standardizing reporting on machine states for computers)
  • 115,051 CPE Names (Common Platform Enumeration: A structured naming methodology for information technology assets)

Who Is Who in Vulnerabilities Tracking

Keep working the list and you'll run into all the usual suspects: MITRE, OWASP, CERT, and several security vendors. The situation can quickly become confusing and overwhelming. If you thought threat assessment was a bear, welcome to vulnerability ...
