APPLICATION SECURITY
Public Security Repositories and
Knowledgebases
Muhammad Nadeem
[email protected]
Contents
• Lessons learned from a previous project
• CVE
• CVE Details
• CWE
• NVD
• CAPEC
• OVAL
• OSVDB
06/15/2025 Application Security 2
Lessons learned from a previous project
• Analyzing Tolven 2.0
• Health care system, widely used in the United States
• About 3000 Java modules
• About 500,000 lines of code
• Fortify on Demand (cloud-based solution)
• Provides different licensing models
• Generates executive and detailed reports
Reports generated by HP Fortify
• Executive report – 82 pages
• Mid-level report – 220 pages
• Detailed report – more than 2500 pages (developer-focused)
A page from the
detailed report
HP Fortify report and CWE repository (figure)
Lessons learned
• Public repositories work as the knowledgebase for modern tools
• The repositories do not contain vendor-specific solutions
• Experts from all over the world add/edit content
• A great source of information for developers and security folks
Vulnerability Repositories
• A vulnerability repository is a platform aimed at
• collecting,
• maintaining, and
• disseminating
information about discovered vulnerabilities targeting computer systems.
Moving on …
• Lessons learned from a previous project
• CWE
• CVE
• CVE Details
• NVD
• CAPEC
• OVAL
• OSVDB
Common Weakness Enumeration (CWE)
• The Common Weakness Enumeration (CWE) is a
category system for software weaknesses and
vulnerabilities.
• CWE is a project by MITRE.
• List of software weaknesses for developers and security practitioners.
• A common language for describing software security
weaknesses.
• A standard measurement for software security tools.
• A common baseline standard for weakness identification, mitigation, and prevention efforts.
https://cwe.mitre.org/index.html
The CWE Repository (cont.)
(Figure: "Building consensus about a common enumeration". Previously published vulnerability taxonomy work, checklists and dictionaries from OWASP, Secure Software, Cigital, John Viega (CLASP), Gary McGraw, Brian Chess, Mike Howard, Microsoft, Fortify, Klocwork, Ounce Labs, Gramma Tech, GMU, Stanford, IBM, SEI, Veracode, NSA/CTC, UC Berkeley, Purdue, SPI Dynamics, JMU, Coverity, Core Security, Kestrel Technology, Parasoft, MIT LL, Watchfire, Unisys Security Institute, Oracle, Cenzic, KDM Analytics, UMD and NCSU feed into one dictionary and taxonomy: the Common Weakness Enumeration (CWE).)
The CWE Repository (cont.)
Description
Time of introduction
Applicable platforms
Modes of introduction
Common Consequences
Likelihood of exploit
Enabling factors of exploitation
Detection methods
Demonstrative examples
Observed examples
Potential mitigations
Relationships
Relationship notes
Taxonomy Mappings
Related attack patterns
White box definitions
References
Content history
CWE Process
• CVE provides real-world vulnerabilities.
• CWE provides specific and concise definitions of common software weaknesses.
• Work is under way to map each CWE entry to specific CVE-IDs.
• 3 organizational structures for CWE elements:
• Lowest level for tool vendors & researchers.
• Mid level for security practitioners.
• Highest level for software practitioners & other stakeholders.
CWE Lists
• Latest version – 3.1
• 995 CWEs
• 32 views
• 247 categories
• 716 weaknesses
• The lists are a community initiative
• Three useful views:
• Research Concepts (View ID: 1000)
• Development Concepts (View ID: 699)
• Architectural Concepts (View ID: 1008)
• It also provides presentation filters for different users:
• Basic
• Complete
• High level
• Mapping-friendly
CWE compatibility
In order to obtain CWE Compatible status, a product or service must meet 4 out of 6 requirements:
• CWE Searchable – users may search security elements using CWE identifiers
• CWE Output – security elements presented to users include, or allow users to obtain, associated CWE identifiers
• Mapping Accuracy – security elements accurately link to the appropriate CWE identifiers
• CWE Documentation – the capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
• CWE Coverage – for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software
• CWE Test Results – for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site
There are 48 organizations as of January 2018 that develop and maintain products and services that achieved CWE Compatible status.
Moving on …
• Lessons learned from a previous project
• CWE
• CVE
• CVE Details
• NVD
• CAPEC
• OVAL
• OSVDB
The CVE repository
~156,000 vulnerable components
Common Vulnerabilities and Exposures (CVE)
The Standard for Information Security Vulnerability Names
• CVE is a dictionary that provides definitions for publicly disclosed
cybersecurity vulnerabilities and exposures.
• The CVE List was launched by MITRE Corporation, as a
community effort in 1999.
• CVE is designed to allow vulnerability databases and other
capabilities to be linked together, and to facilitate the
comparison of security tools and services.
• CVE is free to use and publicly available to anyone interested in
correlating data between different vulnerability or security tools,
repositories, and services.
https://cve.mitre.org
~9,000 SQL Injection Vuln.
CVE data fields
• CVE-ID
• The new CVE-ID syntax is variable length and includes: CVE prefix + Year + Arbitrary Digits
• Description
• This is a standardized text description of the issue(s), typically written by CVE Numbering Authorities (CNAs) or the CVE Team.
• References
• This is a list of URLs and other information (such as vendor advisory numbers) for this issue.
• Date entry created
• This is the date the entry was created.
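Added example (not part of the original slides): a small Python helper that parses and validates the variable-length CVE-ID syntax described above (the "CVE" prefix, a four-digit year, and a sequence of four or more digits, assumed here to carry no leading zeros once it exceeds four digits) and then uses the identifier for what CVE was designed for, correlating findings from different tools. The two scanner outputs and every CVE-ID in them are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Assumed shape of the post-2014 CVE-ID syntax from the slide: literal "CVE",
# a 4-digit year, then either exactly 4 digits or 5+ digits without a leading 0.
_SEQ = r"(\d{4}|[1-9]\d{4,})"
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-" + _SEQ + r"\b", re.IGNORECASE)
CVE_ID_FULL_RE = re.compile(r"CVE-(\d{4})-" + _SEQ, re.IGNORECASE)


class CveId(NamedTuple):
    year: int
    sequence: int

    @property
    def canonical(self) -> str:
        # Sequences below 10000 keep four digits (CVE-2014-0001); longer ones
        # are printed as-is, matching how the IDs are issued.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> Optional[CveId]:
    """Return the parsed ID when the whole string is one valid CVE-ID, else None."""
    m = CVE_ID_FULL_RE.fullmatch(text.strip())
    if not m:
        return None
    return CveId(int(m.group(1)), int(m.group(2)))


def extract_cve_ids(text: str) -> Set[str]:
    """Collect every CVE-ID mentioned in free text, normalised to canonical form."""
    return {CveId(int(y), int(s)).canonical for y, s in CVE_ID_RE.findall(text)}


def correlate(tool_outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each CVE-ID to the tools that reported it, so findings from
    different scanners can be merged on the shared identifier."""
    seen: Dict[str, List[str]] = {}
    for tool, output in tool_outputs.items():
        for cve in extract_cve_ids(output):
            seen.setdefault(cve, []).append(tool)
    return {cve: sorted(tools) for cve, tools in sorted(seen.items())}


# Constructed sample output from two hypothetical scanners (not real tool output).
SAMPLE_OUTPUTS = {
    "dependency-scanner": "pkg examplelib 1.2.0: CVE-2018-12345 (high), cve-2019-0001 (medium)\n",
    "web-scanner": "Finding: reflected XSS, see CVE-2019-0001; CVE-2020-123456 not applicable\n",
}

if __name__ == "__main__":
    for cve, tools in correlate(SAMPLE_OUTPUTS).items():
        print(cve, "reported by", ", ".join(tools))
```

Because the two tools spell the same identifier differently (upper and lower case), normalising to the canonical form before comparing is what makes the correlation work.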
CVE
• CVEs are assigned by a CVE Numbering Authority (CNA).
• There are 85 organizations across 14 countries participating as CNAs as of April 9, 2018.
• Total CVE Entries: ~136,000 (result from last update or review: May 18, 2020)
• How does a vulnerability or exposure become a CVE Entry?
• The process begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE ID by a CVE Numbering Authority (CNA), the CNA writes the Description and adds any References, and then the completed CVE Entry is posted on the CVE website by the CVE Team.
The Exploits-DB
More than 44,000 exploits
The Exploits-DB
More than 33,000 verified exploits
The Exploits-DB
About 8,000 exploits with an App
CVE as Knowledgebase
• Works as a knowledgebase for API security tools:
• OWASP Dependency Checker for Java
• RetireJS and NPM for JavaScript
• Safety (tool) for Python
https://cve.mitre.org
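Added example, not code from any of the tools named above: a minimal dependency check in Python that does what OWASP Dependency Check, RetireJS or Safety do at their core, matching pinned package versions from a requirements file against CVE records with affected version ranges. The vulnerability feed, the package names and the CVE-IDs are constructed for the example; real tools pull this data from NVD or a curated database.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class VulnRecord(NamedTuple):
    cve: str         # identifier of the CVE entry
    package: str     # affected package name (lower case)
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" if no fix exists yet


# Constructed sample feed, not real CVE data.
SAMPLE_FEED = [
    VulnRecord("CVE-2018-0001", "examplelib", "1.0.0", "1.4.2"),
    VulnRecord("CVE-2019-0002", "examplelib", "2.0.0", "2.0.5"),
    VulnRecord("CVE-2019-0003", "otherlib", "1.2.0", "1.9.0"),
    VulnRecord("CVE-2020-0004", "legacylib", "0.1.0", ""),  # unfixed
]

# Constructed requirements.txt content.
SAMPLE_REQUIREMENTS = """\
# constructed pins for the example
examplelib==1.4.1
otherlib==1.10.0
legacylib==0.5.0
safelib==3.2.0
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.
    Comparing as text would wrongly rank '1.10.0' below '1.9.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(installed: str, rec: VulnRecord) -> bool:
    """True when installed is in [introduced, fixed), or >= introduced with no fix."""
    v = version_key(installed)
    if v < version_key(rec.introduced):
        return False
    return not rec.fixed or v < version_key(rec.fixed)


def parse_requirements(text: str) -> Dict[str, str]:
    """Read pinned 'name==version' lines; comments and unpinned lines are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def check_requirements(text: str, feed: List[VulnRecord] = SAMPLE_FEED) -> List[Tuple[str, str, str]]:
    """Return (package, installed_version, cve) for every matching feed record."""
    pins = parse_requirements(text)
    hits = [(rec.package, pins[rec.package], rec.cve)
            for rec in feed
            if rec.package in pins and is_affected(pins[rec.package], rec)]
    return sorted(hits)


if __name__ == "__main__":
    for package, version, cve in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{package}=={version} is affected by {cve}")
```

Note that otherlib 1.10.0 is correctly cleared (the fix shipped in 1.9.0) only because versions are compared as integer tuples; that ordering bug is a common source of both false positives and missed findings in home-grown checkers.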
Moving on …
• Lessons learned from a previous project
• CWE
• CVE
• CVE Details
• NVD
• CAPEC
• OVAL
• OSVDB
CVE Details
• CVE Details provides an easy-to-use web interface to CVE vulnerability data.
• We can browse vendors, products and versions and view the CVE entries (vulnerabilities) related to them.
• We can view statistics about vendors, products and versions of products.
• CVE details are displayed in a single, easy-to-use page.
• Vulnerabilities are classified by cvedetails.com using keyword matching and CWE numbers where possible, but the classification is mostly keyword-based.
CVE Details
Browse:
• Vendors
• Products
• Vulnerabilities By Date
• Vulnerabilities By Type
• By Microsoft References
Search:
• Vendor Search
• Product Search
• Version Search
• Vulnerability Search
Reports:
• CVSS Score Report
• CVSS Score Distribution
Vulnerability Details:
• CVSS Scores & Vulnerability Types
• Products Affected By Vulnerability
• Number Of Affected Versions By Product
• References for Vulnerability
• Metasploit Modules Related To Vulnerability
# of Vulnerabilities in Products Reported Annually
(Chart: vulnerabilities reported per year, x-axis 1998–2018, y-axis ticks 0–800; source: www.CVEDetails.com; data still incomplete for 2019)
Vulnerabilities/product:
~38
Vulnerabilities/product:
~13
Vulnerability search by vendor
Moving on …
• Lessons learned from a previous project
• CWE
• CVE
• CVE Details
• NVD
• CAPEC
• OVAL
• OSVDB
National Vulnerability Database (NVD)
• The NVD is a product of NIST.
• NVD is a comprehensive information technology vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides links to industry resources.
• This data enables automation of vulnerability management, security measurement, and compliance.
• It is built upon the CVE standard vulnerability nomenclature and augments the standard with a search engine and reference library.
• NVD includes databases of
• security checklists
• security related software flaws
• Misconfigurations
• product names
• impact metrics
• NVD scores vulnerabilities using the Common Vulnerability Scoring System (CVSS).
https://nvd.nist.gov/
NVD Vulnerability Summaries
• Provides vulnerability characteristics and references
• Description
• Vulnerability attributes (e.g., severity rating, related
exploit range)
• Vulnerable software and version numbers
• Hyperlinks to US-CERT and industry resources
NVD Search Capability
• Enables users to search a database
containing virtually all known
public computer vulnerabilities
• Enables searching by a variety of
vulnerability characteristics:
• vulnerability severity
• software name and version number
• vendor name
• vulnerability type
• vulnerability impact
• related exploit range
• Enables searching for
vulnerabilities that contain
specified US-CERT resources (e.g.
OVAL queries)
Current Status
https://nvd.nist.gov/general/nvd-dashboard
Relationship between NVD and CVE
• The CVE List feeds NVD, which then builds upon the information included in CVE Entries.
• NVD provides enhanced information for each CVE entry.
• NVD automatically updates as CVE changes.
• CVE vulnerabilities appear on NVD within four minutes.
• NVD also provides advanced searching features such as by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.
• Both CVE and NVD are sponsored by US-CERT.
• Both are available to the public and free to use.
Moving on …
• Lessons learned from a previous project
• CWE
• CVE
• CVE Details
• NVD
• CAPEC
• OVAL
• OSVDB
Common Attack Pattern Enumeration
and Classification (CAPEC)
• CAPEC is a publicly available catalog of attack patterns along with a
comprehensive schema and classification taxonomy created to assist
in the building of secure software.
• It was established by the U.S. Department of Homeland Security.
• https://capec.mitre.org/index.html
Common Attack Pattern Enumeration
and Classification (CAPEC)
• Initially released in 2007, the CAPEC List continues to evolve with
public participation and contributions to form a standard mechanism
for identifying, collecting, refining, and sharing attack patterns among
the cybersecurity community.
• It is similar to other knowledge-structuring efforts such as CWE and CVE.
CAPEC
• Total CAPECs: 566
• Categories: 49
• Attack Patterns: 508
(Result from last update or review: February 21, 2018)
• Two useful views:
• Mechanisms of Attack (View ID: 1000)
• Domains of Attack (View ID: 3000)
CAPEC Lists
(Presentation filters for different users, as with CWE: Basic, Complete)
Moving on …
• Lessons learned from a previous project
• CWE
• CVE
• CVE Details
• NVD
• CAPEC
• OVAL
• OSVDB
Open Vulnerability and Assessment Language
(OVAL)
A Community-Developed Language for Determining Vulnerability and Configuration Issues on Computer Systems
• OVAL is an international, information security, community standard
to promote open and publicly available security content, and to
standardize the transfer of this information across the entire
spectrum of security tools and services.
• OVAL includes a language to encode system details, and an
assortment of content repositories held throughout the community.
• The language standardizes the three main schemas of the assessment process:
• an OVAL System Characteristics schema for representing system
information,
• an OVAL Definition schema for expressing a specific machine state,
• an OVAL Results schema for reporting the results of an assessment.
OVAL details
• OVAL Repository: the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL definitions.
• The OVAL Repository was originally hosted by The MITRE Corporation. ( https://oval.mitre.org/ )
• The official OVAL Repository is now hosted by CIS. ( https://oval.cisecurity.org/ )
• OVAL definitions : are standardized, machine-readable tests that check computer
systems for the presence of software vulnerabilities, configuration issues, programs, and
patches.
• Four main classes of OVAL definitions:
• OVAL Vulnerability Definitions
• OVAL Compliance Definitions
• OVAL Inventory Definitions
• OVAL Patch Definitions
• The OVAL repository currently holds 32,202 definitions in total.
• The OVAL Repository uses the publicly known vulnerabilities
identified in the CVE List as the basis for its vulnerability definitions.
Demonstrating how OVAL works
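Added example (not an actual OVAL document or OVAL interpreter): a simplified, OVAL-style evaluator in Python that shows how the three schemas from the previous slides fit together. A vulnerability definition states AND/OR criteria over tests, system characteristics are the package versions collected from a host, and the output is a results mapping per definition. The XML layout is a constructed simplification (real OVAL uses namespaces and separates tests, objects and states); the package names, versions and the CVE-ID are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed, simplified stand-in for an OVAL Definitions document. Each
# <test> carries package, operation and version inline so the criteria logic
# stays readable; the CVE-ID is a constructed placeholder.
DEFINITIONS_XML = """<oval_definitions>
  <definition id="oval:example:def:1" class="vulnerability">
    <metadata>
      <title>libfoo or libbar vulnerable on exampleos 7 (constructed)</title>
      <reference source="CVE" ref_id="CVE-2018-0001"/>
    </metadata>
    <criteria operator="AND">
      <criterion test_ref="oval:example:tst:1" comment="exampleos 7 is installed"/>
      <criteria operator="OR">
        <criterion test_ref="oval:example:tst:2" comment="libfoo earlier than 1.2.3"/>
        <criterion test_ref="oval:example:tst:3" comment="libbar earlier than 2.0.1"/>
      </criteria>
    </criteria>
  </definition>
  <tests>
    <test id="oval:example:tst:1" package="exampleos-release" operation="equals" version="7"/>
    <test id="oval:example:tst:2" package="libfoo" operation="less than" version="1.2.3"/>
    <test id="oval:example:tst:3" package="libbar" operation="less than" version="2.0.1"/>
  </tests>
</oval_definitions>"""

# Constructed system characteristics: installed package -> version.
VULNERABLE_HOST = {"exampleos-release": "7", "libfoo": "1.2.5", "libbar": "1.9.0"}
PATCHED_HOST = {"exampleos-release": "7", "libfoo": "1.2.5", "libbar": "2.0.1"}
OTHER_OS_HOST = {"exampleos-release": "8", "libfoo": "1.0.0", "libbar": "1.0.0"}


def version_key(version: str) -> Tuple[int, ...]:
    """Compare versions numerically component by component."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def run_test(test: ET.Element, system: Dict[str, str]) -> bool:
    """Evaluate one test against the collected system characteristics.
    A package that is not installed cannot satisfy a version test."""
    installed = system.get(test.get("package", ""))
    if installed is None:
        return False
    op, wanted = test.get("operation"), test.get("version", "")
    if op == "equals":
        return version_key(installed) == version_key(wanted)
    if op == "less than":
        return version_key(installed) < version_key(wanted)
    raise ValueError(f"unsupported operation {op!r}")


def eval_criteria(node: ET.Element, tests: Dict[str, ET.Element], system: Dict[str, str]) -> bool:
    """Recursively combine criterion results with the node's AND/OR operator."""
    results: List[bool] = []
    for child in node:
        if child.tag == "criterion":
            results.append(run_test(tests[child.get("test_ref", "")], system))
        elif child.tag == "criteria":
            results.append(eval_criteria(child, tests, system))
    return all(results) if node.get("operator", "AND") == "AND" else any(results)


def evaluate(definitions_xml: str, system: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Produce an OVAL-Results-like mapping: definition id -> (result, CVE-ID)."""
    root = ET.fromstring(definitions_xml)
    tests = {t.get("id", ""): t for t in root.find("tests")}
    results: Dict[str, Tuple[bool, str]] = {}
    for d in root.iter("definition"):
        ref = d.find("metadata/reference")
        cve = ref.get("ref_id", "") if ref is not None else ""
        results[d.get("id", "")] = (eval_criteria(d.find("criteria"), tests, system), cve)
    return results


if __name__ == "__main__":
    for name, host in (("vulnerable", VULNERABLE_HOST), ("patched", PATCHED_HOST)):
        print(name, evaluate(DEFINITIONS_XML, host))
```

The nested criteria are the point: the host is only flagged when the platform test and at least one of the package tests hold, which is how an OVAL vulnerability definition avoids reporting a fixed package or a different OS release as vulnerable.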
Moving on …
• Lessons learned from a previous project
• CWE
• CVE
• CVE Details
• NVD
• CAPEC
• OVAL
• OSVDB
Open-Source Vulnerability Database
(OSVDB)
• OSVDB was an independent, open-source database.
• It was founded in 2002.
• Its goal was to provide accurate, unbiased information about security vulnerabilities in computerized equipment.
• As of November 2013, the database classified more than 100,000 vulnerabilities.
• On 5 April 2016 the database was shut down, although the blog continues. (https://blog.osvdb.org/)
• CVE has a reference map for the OSVDB source. (http://cve.mitre.org/data/refs/refmap/source-OSVDB.html)
CVE – OSVDB mapping
More resources
• Rapid7:
The Rapid7 Vulnerability Database is a list of 70,000 vulnerabilities for security analysts and researchers to identify and address known security issues through vulnerability management solutions.
https://www.rapid7.com/db/vulnerabilities?page=4
• VulDB:
VulDB lists more than 115,000 vulnerabilities. Its specialists work with the crowd-based community to document the latest vulnerabilities on a daily basis, with coverage since 1970.
https://vuldb.com/
More resources (cont.)
• Secure Coding Practices by OWASP
• Secure Coding Standards (for various programming languages)
• OWASP Cheat Sheet Project
Secure Coding Practices
• OWASP’s checklist for secure coding
• 200+ practices for secure coding
Secure Coding Practices
• OWASP’s secure coding practices available for
- Input validation
- Output encoding
- Authentication and password management
- Session management
- Access control
- Cryptographic practices
- Error handling and logging
and more…
Secure Coding Standards
• SEI provides secure coding standards for
• C,
• C++,
• Android,
• Java, and
• Perl
Secure Coding Standards
FIO04-J. Release resources when they are no
longer needed
(Common violation in database connectivity)
Conclusion
• Utilize public repositories and knowledgebases
• Incorporate the knowledge in your Secure SDLC
• Test and use the tools that draw on these repositories; they form the foundation of DevOps and DevSecOps
APPLICATION SECURITY
[email protected]