Name of Your Organization:

SECUI.COM Corporation

Web Site:

http://www.secui.com/eng/

Compatible Capability:

SECUI SCAN

Capability home page:

http://www.secui.com/eng/product/product_01.asp?MovieNum=SCANNER

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

SECUI.COM’s customers can purchase our SECUI SCAN vulnerability assessment through SECUI.COM’s web site at http://www.secui.com/eng/product/product_01.asp?MovieNum=SCANNER.

SECUI SCAN inspects customer’s systems and displays vulnerability information with CVE content. SECUI SCAN shows vulnerability assessment information at policy management menu and reports.

Mapping Questions

Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

SECUI SCAN updates the latest vulnerability information including CVE content from our update server. Users can check the updated list at the ‘Notice’ screen of the SECUI SCAN Console.
Map Currency Indication

Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (required):

SECUI’s vulnerability research group checks the CVE content every day at the MITRE website. And once a week, we update the vulnerability policy repository including the latest version of CVE contents.

Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CVE content (required):

SECUI.COM provides two types of update services to provide up-to-date vulnerability policy repository. One is the regular update every week, and the other is the irregular update for an urgent situation. SECUI SCAN can perform the update automatically from the update server when the repository is updated. This updated vulnerability policy repository contains the latest CVE content.

Map Content Selection Criteria <CR_5.4>

Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):

The CVE content applied to SECUI SCAN is selected based on the risk of vulnerabilities and the popularity of applications.

Map Currency Update Mechanism <CR_5.4>

Describe the mechanism used for reviewing CVE for content changes (required):

SECUI SCAN update is performed via a secured HTTPS. After finishing the update, the updated file is verified by an integrity mechanism.

Map Content Source <CR_5.5>

Describe the source of your CVE content (required):

  • CVE (http://cve.mitre.org/)
  • SecurityFocus (http://www.securityfocus.com/)
  • CERT (http://www.cert.org/)
  • IBM Internet Security Systems (http://xforce.iss.net/)
  • Plus other security sites
Documentation Questions

CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

The concept of CVE and CVE compatibility is included in SECUI SCAN manual as follows:

SECUI SCAN V2.0 manual, 5. Appendix and 5.2 Glossary (Page 5-15)

Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability’s repository (required):

SECUI SCAN manual describes how to search information with CVE name.

SECUI SCAN V2.0 manual, 3.3.2 Policy Item Setting > CVE Name Search (Page 3-36)

Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability’s repository (required):

SECUI SCAN manual describes the process how to search the CVE names associated with an individual vulnerability.

SECUI SCAN V2.0 manual, 3.3.2 Policy Item Setting > CVE Name Search with security elements (Page 3-38)

Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

In the SECUI SCAN V2.0 manual:

  • 5. Appendix
  • 5.2 Glossary
  • 3.3.2 Policy Item Setting > CVE Name Search

Type-Specific Capability Questions

Tool Questions

Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

The Policy Editor supports full-text searches for vulnerability information, including CVE references. A user can search the associated tasks with a specific CVE name in Policy Editor.

Step 1) Select "Related URL" for the search category.
Finding Tasks Using CVE Names

Step 2) Input the CVE name in the search box of the Policy Editor and click the "search" button. A user can use CVE name starting with "CVE" or "CAN" string.
Finding Tasks Using CVE Names

Step 3) The vulnerability information including the CVE name will be listed as a search result.
Finding Tasks Using CVE Names

Step 4) If a user selects the vulnerability item by double-click, the CVE name with a detailed description will be displayed.
Finding Tasks Using CVE Names

Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

All reports of SECUI SCAN provide scan result and vulnerability information with the associated CVE names. A user can search the report content with any reference code as well as CVE name.

Step 1) Click the search menu icon at the top of the report window.
Finding CVE Names Using Elements in Reports

Step 2) Input the string you are looking for in the search box.

Step 3) Then, a user can locate the page including detailed information as well as the CVE name.
Finding CVE Names Using Elements in Reports

Getting a List of CVE Names Associated with Tasks <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool’s tasks (recommended):

A user can get a list of CVE names associated with a specific task by full-text search.

Input a vulnerability ID or string to search associated CVE names in the search box of the Policy Editor. Then, the user can get a list of associated CVE names with hyperlink.

For more detailed information, refer to CR_A.2.1.
Getting a List of CVE Names Associated with Tasks

For getting an associated CVE names in report, refer to the CR_A.2.2.

Selecting Tasks Using Individual CVE Names <CR_A.2.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):

In order to find tasks that include associated CVE name, a user opens the Policy Editor and inputs the CVE name into the search box. And then vulnerability policies will be listed. Once a specific vulnerability has been selected, the user can check or uncheck the check box of that vulnerability policy to enable or disable them.

Non-Support Notification for a Requested CVE Name <CR_A.2.7>

Provide a description of how the tool notifies the user that task associated to a selected CVE name cannot be performed (recommended):

CVE/CAN names, if available, are included in vulnerability report and information. If a user tries to search for a non-supported CVE name, notification message will be shown as "There’s no result."

Media Questions

Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

We provide user manuals in DOC and PDF format. The manual describes the CVE, CVE-NAME and CVE-Compatible.

The scan results can be exported and saved to various format documents. SECUI SCAN supports HTML, DOC, PDF, XLS, CSV and TXT electronic document formats. All formats allow for text search with a specific CVE-related content.

Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

The Policy Editor and Report of SECUI SCAN provide vulnerability information with the CVE name associated with the element.

For the detailed information, refer to CR_A.2.2.

Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability’s individual elements to the respective CVE name(s) (recommended):

Whenever the vulnerability’s name and summary appear in vulnerability information and reports, the applicable CVE number is included in the description.

Graphical User Interface (GUI)

Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CVE name(s) (required):

SECUI SCAN supports full-text searches and CVE name searches for vulnerability information.

Step 1) Input the CVE name in the search box in Policy Editor and click the "search" button.
Finding Elements Using CVE Names Through the GUI

Step 2) Then, the vulnerability associated with the input CVE name will be listed as a search result.
Finding Elements Using CVE Names Through the GUI

Step 3) If a user selects the vulnerability item in the list, the CVE name with a detailed description will be displayed.
Finding Elements Using CVE Names Through the GUI

GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability’s elements, also describe the format of the mapping (required):

By clicking an element on the left side of the policy tree in the Policy Editor, detailed information along with the CVE name will be displayed.
GUI Element to CVE Name Mapping

GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

SECUI SCAN can export the reports to HTML, DOC, PDF, XLS, PPT, CSV, and TXT document formats. Thus, each report is searchable with CVE name.

Questions for Signature

Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Hee Moon Bae

Title: Director of R&D Center

Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability’s Repository and the CVE entries our capability identifies."

Name: Hee Moon Bae

Title: Director of R&D Center

Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Hee Moon Bae

Title: Director of R&D Center

Page Last Updated or Reviewed: April 28, 2016