An organization known as MITRE and the US Department of Homeland Security, via the National Vulnerability Database, maintain a growing list of known vulnerabilities in network protocols, applications, operating systems, and even firmware. These vulnerabilities are validated, examined for thoroughness, and assessed for ease of exploitation, and the resulting impact (complete compromise, disclosure of information, etc.) is considered. MITRE takes these characteristics and a number of other factors to assign a “score” through the Common Vulnerability Scoring System, or CVSS. More information can be found at http://nvd.nist.gov/cvss.cfm.
One of the most useful sites for manually getting vulnerability information about an application or operating system is http://cvedetails.com/.
Why might a security professional be interested in sorting on “Number of Exploits”? How might that change the priority by which we remediate (patching or correcting vulnerable systems)? If there are no CVEs associated with an application or operating system, does that mean it’s not vulnerable to exploitation? Explain your answer and the significance of this “gap”.
Use the Google search window at the top right of the cvedetails site to conduct some searches on applications installed on your machine or where you work. Check your version of Adobe Reader and your browser. What version of Java are you running? (You can check at http://www.java.com/en/download/installed.jsp.) Any vulnerabilities?