The quality of information provided in BDSAs is unmatched. The Vulnerability Analyst team has a rigorous set of established quality standards and guidelines for each advisory. Every vulnerability is reviewed by a senior analyst, guaranteeing its accuracy and thoroughness. The NVD, along with Black Duck's competitors, often provides inaccurate, out-of-date, or unconfirmed descriptions.
This extra layer of accuracy in each advisory is overseen by an analyst, who also writes a description for a general audience that includes information about where the vulnerability lives in the code, attack vectors, etc. This level of detailed information is available only through BDSAs. Additionally, analysts build custom CVSS scores from scratch, providing the most accurate and pinpointed severity advice.
The information provided in BDSAs is accessible to various audiences, meaning you do NOT have to be a security expert to understand and address the vulnerability. BDSAs include two descriptions: one that is clear, concise, and accessible to the layperson, and one that is technical. This makes it easy for businesses to be strategic with their development and security resources. With the inclusion of this detail and remediation advice, you don't have to waste time doing your own research about discovered vulnerabilities. Everything you need to understand, prioritize, and fix a vulnerability is nicely packaged in a BDSA.
With our efficient processes, extensive source coverage, and focus on open source, we can provide more critical vulnerability information faster to our customers. This is very much unlike the NVD process, which is slow and inefficient, and sometimes takes weeks to publish critical vulnerability information. Additionally, BDSAs are not limited simply to CVEs. Because not every vulnerability is issued a CVE reference, BDSAs include vulnerabilities beyond them, giving you the most complete view of risk. Finally, BDSAs are focused on open source; other sources may spread themselves too thin by also analyzing proprietary software, slowing down their process and diluting their quality.
- Scoring. BDSAs leverage the CVSS scoring system, as specified by FIRST.org, to assign severity scores in alignment with CVSS versions 2.0 and 3.x. The scores included in a BDSA are assigned by CyRC, as opposed to simply parroting those issued by the NVD, which tends to provide worst-case scores, inflating your perceived level of risk and making it inaccurate.
When assigning scores, BDSAs take many factors, such as exploitability, into consideration. This provides the most precise CVSS score. In addition, BDSAs factor temporal metrics into their scores, whereas sources like the NVD do not.
- Version accuracy. BDSAs include the results of independent research to give highly accurate advice on the versions affected. In contrast, the NVD is simply a catch-all that can incorrectly list versions as affected when they are in fact not.
Any BDSA field that can be completed will be populated. If a field is not populated, it means that all available information has been included; the BDSA is marked as such and completed as soon as additional information becomes available. Feeds like the NVD go through a lengthy process of fluctuating statuses, leaving questions unanswered and applications unsecured. BDSAs provide the most complete information as soon as it is available.