Cybersecurity experts have hailed the launch of the EU’s new vulnerability database as a positive step toward enhancing regional security.
The new European Vulnerability Database (EUVD), unveiled by ENISA, will provide organizations with a centralized platform for up-to-date information on security flaws, akin to MITRE’s CVE database.
“The database provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services,” the security agency said in a statement.
Mandated under the NIS2 Directive, ENISA said the new database has been developed in collaboration with a host of EU and international partners, including the MITRE CVE program.
Notably, ENISA said the EUVD allows for “better analysis and facilitates the correlation of vulnerabilities by facilitating the open source software Vulnerability-Lookup”.
This, the agency said, will help enhance cybersecurity risk management across the region.
“The EUVD offers therefore a trusted, more transparent and broader source of information and further improves situational awareness while limiting exposure to threats,” ENISA said.
New database welcomed after MITRE fiasco
Stephen Fewer, Principal Security Researcher at Rapid7, described the launch of the database as a “positive move” for the EU, one that will enable organizations operating in the region to reduce dependency on other countries.
“This development presents an opportunity to strengthen international security by creating resilience from a diversity of sources. A broader and more distributed set of trusted vulnerability databases will help ensure transparency and accessibility for all stakeholders,” he said.
The launch of the EUVD comes just weeks after disruption caused by the prospect of the MITRE CVE database closing down. In late April, there were concerns that the long-standing vulnerability database might cease operations after funding for the scheme dried up.
While CISA swooped in with an eleventh-hour reprieve for the database, the debacle nonetheless raised questions about organizations relying on a single information source.
Dray Agha, senior manager of security operations at Huntress, said that relying solely on a US-funded CVE system “disrupted the global ecosystem” and could be a learning curve for the international cyber community.
“Nothing is stopping this from happening again for CVE or other US-funded programs as funding or governance issues arise,” he said.
“Alternatives like the EUVD offer much-needed backup and continuity, as well as an opportunity to geopolitically reframe this system.”
Agha added that an EU-led database will prove beneficial for enterprises as it can “prioritize vulnerabilities relevant to European digital infrastructure, regulation, and languages, enhancing regional threat intelligence”.
How the EUVD will work
Threat information hosted by the database will be displayed through a series of dashboards, according to ENISA.
“The EUVD offers three dashboard views: for critical vulnerabilities, for exploited ones, and for EU coordinated ones,” the agency explained.
“The EU Coordinated Vulnerabilities lists the vulnerabilities coordinated by European CSIRTs and includes the members of the EU CSIRTs network.”
Vulnerability information will come from open source databases, with additional information added through advisories and alerts issued by CSIRTs.
Similarly, mitigation and patching guidelines published by vendors will also be available, alongside exploited vulnerability marks.