On making cveapi.com and what it means for the democratization of cybersecurity

Written by Dieter Van der Stock and Shaina Raskin

At Polyverse, we believe that the democratization of cybersecurity is the only true way to solve the problem. In the same manner that open-source technology benefits from community engagement, democratizing data allows an engaged community to push the envelope for a better and more in-depth understanding of today’s biggest threats.

In the interest of increased democratization of data, we were excited about the cveapi.com project and immediately offered all support within our means to promote it. On a recent call with Dieter Van der Stock, we asked why he created this resource in the first place.

“In short: I made cveapi.com because I needed it, and to my surprise, it didn’t exist yet. Not in the form that I needed it anyway.

At Articulate, the company I work for, we have a vulnerability-management process where, among other things, we “open a file” on each vulnerability we triage. In that file, we gather all the information we can find on the vulnerability, what services of ours are impacted, and what we’re doing to fix it and mitigate the risk. These files are kept and versioned in a GitHub repo.

I was writing a tool to automate some of the more tedious parts of that process. We make heavy use of the Hubot Slack bot, and my goal was for anyone to be able to say “hubot open a file on CVE-xxxx-xxxx.” Hubot would then pre-populate the file with the CVE description, severity, and several links to advisories.

There wasn’t any API where I could retrieve that information though, which really surprised me. It’s one of those “how is this not a thing yet” moments. The NIST NVD database does provide data feeds on CVEs in JSON though, grouped by year. So I went on a little personal hackathon to pull those in and make them available per CVE in API form.

The initial reaction has been pretty great. It seems that I wasn’t the only one who wanted this to be a thing, so, hooray for scratching itches, right? I hope it can be of use to as many people and companies as possible. It’s all open data (thank you, MITRE and NIST NVD), and we all need convenient access to it to do our security work.”
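The workflow described in the quote above (a yearly NVD JSON feed in, one record per CVE out, then a file pre-populated with description, severity and advisory links), sketched as an added example; it is not code from cveapi.com or Articulate. It assumes the field names of the NVD JSON 1.1 yearly feeds, and `summarize`, `build_index`, `open_file` and the sample records are hypothetical and constructed.

```python
import json
import re

# Constructed sample in the shape of an NVD JSON 1.1 yearly feed (assumed layout).
# IDs, descriptions and URLs are placeholders, not real records.
EMPTY = {"description": {"description_data": []}, "references": {"reference_data": []}}
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
             "description": {"description_data": [
                 {"lang": "en", "value": "Constructed: buffer overflow in example-lib."}]},
             "references": {"reference_data": [
                 {"url": "https://example.com/advisory/1"}, {"url": "https://example.com/advisory/1"}]}},
     "impact": {"baseMetricV3": {"cvssV3": {"baseSeverity": "CRITICAL"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}, **EMPTY}, "impact": {"baseMetricV2": {"severity": "MEDIUM"}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}, **EMPTY}, "impact": {}},
]})
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

# Reduce one feed entry to the fields the triage file needs.
def summarize(item):
    cve, impact = item["cve"], item.get("impact", {})
    if "baseMetricV3" in impact:            # prefer CVSS v3 when present
        severity = impact["baseMetricV3"]["cvssV3"]["baseSeverity"]
    elif "baseMetricV2" in impact:          # older entries may only carry v2
        severity = impact["baseMetricV2"]["severity"]
    else:                                   # entry has no score yet
        severity = "UNSCORED"
    descs = cve["description"]["description_data"]
    text = next((d["value"] for d in descs if d.get("lang") == "en"), "")
    urls = list(dict.fromkeys(r["url"] for r in cve["references"]["reference_data"]))
    return {"id": cve["CVE_data_meta"]["ID"], "description": text,
            "severity": severity, "advisories": urls}

# Turn a whole yearly feed into a per-CVE lookup table.
def build_index(feed_text):
    return {s["id"]: s for s in map(summarize, json.loads(feed_text)["CVE_Items"])}

# Render the pre-populated file, or return None if the CVE is not in the feed.
def open_file(index, cve_id):
    cve_id = cve_id.strip().upper()
    if not CVE_ID.fullmatch(cve_id):        # chat input ends up as a file name: validate it
        raise ValueError("not a CVE identifier")
    rec = index.get(cve_id)
    if rec is None:
        return None
    lines = [f"# {rec['id']}", f"Severity: {rec['severity']}", "",
             rec["description"] or "(no description)", "", "Advisories:"]
    lines += [f"- {u}" for u in rec["advisories"]] or ["- (none listed)"]
    return "\n".join(lines) + "\n"
```

Rejecting anything that is not a well-formed CVE identifier matters here because the string arrives from a chat message and ends up naming a file in a versioned repository.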

After learning that this API existed, we at Polyverse knew we had to get involved because, like Dieter, we faced similar challenges when it came to security tools. We couldn’t figure out why a tool like the one he built for CVEs didn’t exist yet. Common Vulnerabilities and Exposures, or CVEs, are the common naming structure the cybersecurity industry provides for publicly known cybersecurity vulnerabilities. Any time a new exploit is released, its information gets uploaded to publicly accessible databases. The most widely used central database is the Common Vulnerabilities and Exposures database, which is supported by the US Department of Homeland Security. Presumably, the more CVEs that get patched in a system, the more secure that system should be.

Today, CVEs found within these large databases are not easily searchable or consumable. People cannot collaborate around them or build tools on top of them. Whether it is general analysis, such as understanding the scope and severity of buffer overflows compared to the use of weak passwords, or a more complex search, such as finding the package with the most new CVEs in a certain period, these feats are cumbersome and require heavy lifting by everyone. When we first attempted to measure what vulnerabilities our very own Polymorphic Linux mitigated, we had to look at each CVE in the database by hand. This was a time-consuming process that is unsustainable and hard to replicate for future endeavors. Data is only valuable when it is easily consumable. It is a challenge to know whether companies and individuals are making the right cybersecurity investments when there is no easy way to tell what vulnerabilities warrant the most significant investment.

At Polyverse we think about this question often. We openly acknowledge that we only solve certain types of problems, which we do very well, but this isn’t everything. We want to understand precisely how big a problem we solve. Is this the right investment for our company? If we as a company have such a use case, then so must others in our industry. Democratizing data enables ALL ideas to flourish and move the state of the art forward. The community is more powerful than any single company, no matter how large.

By encouraging open APIs such as the CVE API, we hope to help solutions flourish by promoting usable data.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.