A Crowdsourced Catalog of Cybersecurity Vulnerabilities

Cyber criminals rarely work in isolation. Whether employed by nation states or organized crime, they act within a loosely confederated community—a vast underground affiliate network they can rely on to support their relentless attempts to exploit network weaknesses and turn them into profit, be it through ransomware, identity theft, or other means.

To stay toe-to-toe with these organized adversaries, cybersecurity professionals must operate within a community of their own, combining complimentary skills and services, and sharing knowledge and best practices.

One formal manifestation of this community is the Common Vulnerabilities and Exposures (CVE) list maintained by MITRE, a not-for-profit corporation dedicated to solving problems for a safer world. Booz Allen recently partnered with MITRE to become an official contributor to the list. 

“It’s important to us to contribute however we can to the greater cyber community that we’re a part of,” says Jesse Glarrow, who leads a Booz Allen cyber team focused on attack surface reduction and vulnerability remediation. “We spend so much time engaged in things like security research, vulnerability assessment, penetration testing, and exploit development. Partnering with MITRE to add our discoveries to the CVE list is one more way we can share the fruits of that labor with the wider world.”

The goal of MITRE’s CVE list is to build and maintain an authoritative catalog of all known software vulnerabilities. To date, the list provides information on close to 100,000 vulnerabilities.

For an organization considering a software purchase, the list is a useful reference for comparing the potential risks of different products.  For cybersecurity professionals, it’s an essential tool for tracking and mitigating the vulnerabilities present in the applications that run on the networks they protect. Software vendors can use the list as a crowdsourced means of discovering vulnerabilities in their own products.

Those vendors that, like Booz Allen, are authorized to contribute to the list, can use it to publicly disclose vulnerabilities in the very software that they create.

“By publicly posting a vulnerability you’ve uncovered in a piece of software that you yourself produced, you not only show that you’re aware of the issue,” says Jesse. “You also demonstrate your unflinching commitment to keeping your clients and customers safe.”

Contact us for more information on Booz Allen’s MITRE CNA program.