Name of Your Organization:

NGS Software (Assurance Division, NCC Group UK PLC)

Web Site:

http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/

Compatible Capability:

NGS SQuirreL for Oracle

Capability home page:

https://www1.ngssoftware.com/

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

All NGS standalone vulnerability assessment software scanning products are available, via download, from the central customer management portal web site: https://www1.ngssoftware.com.

Once the customer has created an account, evaluation versions of all software solutions are made available for download. Purchased products are licensed via a separate module, after which full versions of the purchased products, with the time and usage restrictions appropriate to the license type purchased, can be downloaded from the same customer management portal web site.

Mapping Questions

Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

NGS continually monitors cve.mitre.org for any changes to CVE Identifiers (both new and old). Additional sources are also monitored for any announcements made in relation to new vulnerabilities, such as Bugtraq, vendors, NVD etc. Any information gleaned from this active monitoring is filtered down into the NGS products before each new product update, ensuring continual CVE compliance.

Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (required):

Mapping of all CVE Identifiers is carried out each time products are updated. Since various sources are actively monitored for changes and additions (Bugtraq, NGS and vendor advisories, full disclosure, NVD etc.), these updates may occur at any time, whenever an existing vulnerability changes or a new vulnerability is added. There is a minimum product update every three months.

Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CVE content (required):

NGS notifies all existing customers each and every time a product is updated via email to the registered customer account. All NGS products can also be configured to automatically download new updates every time they are run, or on a manual basis, when the customer wants to check for updates. All updates are performed through the customer portal web site.

Map Content Selection Criteria <CR_5.4>

Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):

The relevance of any given vulnerability (including those with CVE Identifiers) is determined at the time of updating each product. NGS has different products for different types of vulnerability assessment scanning, so relevance is re-checked for each product at each update to make sure it is correct.

Map Currency Update Mechanism <CR_5.4>

Describe the mechanism used for reviewing CVE for content changes (required):

NGS continually monitors cve.mitre.org for changes and additions to the CVE database, as well as several other sources (Bugtraq, NGS and vendor advisories, NVD etc.). Any changes are immediately noted and reflected in the next set of product updates. The frequency at which this occurs for each product is determined by the number and severity of changes that are relevant to that product.

Map Content Source <CR_5.5>

Describe the source of your CVE content (required):

NGS continually monitors cve.mitre.org for any changes to the CVE database. Additional sources are also monitored for any announcements made in relation to new vulnerabilities, such as Bugtraq, vendor advisories, NVD, NGS’s own advisories as well as public disclosure and any other relevant professional sources.

Documentation Questions

CVE and Compatibility Documentation <CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

The standard embedded help documentation and user's guide for all NGS products list all the information regarding the CVE as a repository and all points relating to CVE compatibility. Since this information is embedded within each product, it is updated every time there is a change or update to any product. All products and updates are available through the standard customer portal web site.

[Example image: CVE and Compatibility Documentation]

Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability’s repository (required):

The standard embedded help documentation and user's guide for all NGS products list all the information regarding the CVE as a repository and all points relating to CVE compatibility. Since this information is embedded within each product, it is updated every time there is a change or update to any product. All products and updates are available through the standard customer portal web site.

[Example image: Documentation of Finding Elements Using CVE Names]

Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability’s repository (required):

The standard embedded help documentation and user's guide for all NGS products list all the information regarding the CVE as a repository and all points relating to CVE compatibility. Since this information is embedded within each product, it is updated every time there is a change or update to any product. All products and updates are available through the standard customer portal web site.

[Example image: Documentation of Finding CVE Names Using Elements]

Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

The standard embedded help documentation and user's guide for all NGS products list all the information regarding the CVE as a repository and all points relating to CVE compatibility. Since this information is embedded within each product, it is updated every time there is a change or update to any product. All products and updates are available through the standard customer portal web site. This is covered in section <CR_4.1>.

Type-Specific Capability Questions

Tool Questions

Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

When opened, users can access information for all checks, including those that carry CVE Identifiers, in all NGS SQuirreL software products by entering the ‘View/Edit Core Checks’ series of dialogs. From here it is possible to search for checks by entering CVE Identifiers which then displays the resulting checks.

[Example image: Finding Tasks Using CVE Names]

Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

Again, in the output reports from all NGS SQuirreL software products, vulnerabilities with CVE Identifiers are clearly listed. Reports can be produced in many different formats, including HTML, RTF, and XML, and all list the associated CVE Identifier numbers.

[Example image: Finding CVE Names Using Elements in Reports]

Selecting Tasks Using Individual CVE Names <CR_A.2.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):

When opened, users can access information for all checks, including those that carry CVE Identifiers, in all NGS SQuirreL software products by entering the ‘View/Edit Core Checks’ series of dialogs. From here it is possible to search for checks by entering CVE Identifiers and then viewing the resulting checks. These checks can then be selected or deselected through the ‘Module Settings’ dialog.

Non-Support Notification for a Requested CVE Name <CR_A.2.7>

Provide a description of how the tool notifies the user that a task associated with a selected CVE name cannot be performed (recommended):

When opened, users can access information for all checks, including those that carry CVE Identifiers, in all NGS SQuirreL software products by entering the ‘View/Edit Core Checks’ series of dialogs. From here it is possible to search for checks by entering CVE Identifiers and then viewing the resulting checks. If a valid CVE Identifier is input and no checks are returned, then there is currently no check yet assigned to this identified vulnerability.

Service Questions

Service Coverage Determination Using CVE Names <CR_A.3.1>

Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):

When any NGS SQuirreL software product is provided as part of a Managed Service, a list of all CVE Identifier covered checks will be provided to any customer upon request. This request could be a query against a provided list of CVE Identifiers, to make sure they are covered, or a simple request asking for a list of all CVE Identifiers that are covered.

Finding CVE Names in Service Reports Using Elements <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):

When any NGS SQuirreL software product is provided as part of a Managed Service, the output reports from all scan runs will clearly list any vulnerabilities with CVE Identifiers. Reports can be produced in many different formats, including HTML, RTF, and XML, and all list the associated CVE Identifier numbers. These reports are passed on to the customer for review.

[Example image: Finding CVE Names in Service Reports Using Elements]

Service’s Product Utilization Details <CR_A.3.4>

Please provide the name and version number of any product that the service allows users to have direct access to if that product identifies security elements (recommended):

No customer access is granted to NGS Software products that are provided as part of a Managed Service.

Online Capability Questions

Finding Online Capability Tasks Using CVE Names <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):

When opened, users can access information for all checks, including those that carry CVE Identifiers, in all NGS SQuirreL software products by entering the ‘View/Edit Core Checks’ series of dialogs. From here it is possible to search for checks by entering CVE Identifiers, which then displays the resulting checks. This is covered in section <CR_A.2.1>.

[Example image: Finding Online Capability Tasks Using CVE Names]

Finding CVE Names Using Online Capability Elements <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report. (required):

When viewing any NGS Product vulnerability report, any vulnerability listed that has an associated CVE Identifier will contain a link to the NVD online database that will identify the particular vulnerability.

[Example image: Finding CVE Names Using Online Capability Elements]

Online Capability Element to CVE Name Mapping <CR_A.4.3>

If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CVE name(s), otherwise enter N/A (required):

Not Applicable.

Aggregation Capability Questions

Finding Elements Using CVE Names <CR_A.5.1>

Give detailed examples and explanations of how a user can locate elements in the capability by looking for their associated CVE name (required):

When opened, users can access information for all checks, including those that carry CVE Identifiers, in all NGS SQuirreL software products by entering the ‘View/Edit Core Checks’ series of dialogs. From here it is possible to search for checks by entering CVE Identifiers which then displays the resulting checks.

[Example image: Finding Elements Using CVE Names]

Finding CVE Names Using Elements in Reports <CR_A.5.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the capability allows the user to determine the associated CVE names for the individual security elements in the report (required):

Again, in the output reports from all NGS SQuirreL software products, vulnerabilities with CVE Identifiers are clearly listed. Reports can be produced in many different formats, including HTML, RTF, and XML, and all list the associated CVE Identifier numbers.

[Example image: Finding CVE Names Using Elements in Reports]

Selecting Tasks Using Individual CVE Names <CR_A.5.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the capability by using individual CVE names (recommended):

When opened, users can access information for all checks, including those that carry CVE Identifiers, in all NGS SQuirreL software products by entering the ‘View/Edit Core Checks’ series of dialogs. From here it is possible to search for checks by entering CVE Identifiers and then viewing the resulting checks. These checks can then be selected or deselected through the ‘Module Settings’ dialog.

[Example image: Selecting Tasks Using Individual CVE Names]

Media Questions

Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

All NGS software products output reports in a choice of Text, RTF, HTML, and XML formats, as well as being able to export directly to an external database via ODBC. All these formats contain CVE Identifiers for all relevant checks.

Text reports can be searched using the associated viewer or editor search function. RTF reports can be searched using a Word or equivalent editor search function. HTML reports can be searched using a browser search function. XML reports can be searched using either an XML parser or a browser search function. Databases can be searched using a number of locally provided DB tools including SQL.
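The answers above (searching XML reports with a parser, searching Text/RTF/HTML output for CVE text, and checking a customer-supplied list of CVE Identifiers against the checks that cover them, as described under <CR_A.3.1>) can be carried out with a short script. The following is an added example and is not NGS or NCC Group code: the XML and HTML report layouts it parses are assumed, since the real SQuirreL report schema is not shown on this page, and the CVE Identifiers in the sample reports (CVE-2099-…) are constructed placeholders rather than real entries.

```python
"""Search vulnerability reports for CVE Identifiers and answer coverage queries.

Added example, not NGS/NCC Group code. The report layouts below are assumptions
(hypothetical schema), and the CVE Identifiers are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

# CVE Identifier syntax: CVE-YYYY-NNNN, with four or more digits in the sequence part.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample XML report (assumed schema: one <check> per finding, zero or more <cve>).
SAMPLE_XML = """<?xml version="1.0"?>
<report product="SQuirreL for Oracle" host="db01.example.internal">
  <check id="1001" severity="High">
    <name>Example privilege escalation check</name>
    <cve>CVE-2099-0001</cve>
    <cve>CVE-2099-0002</cve>
  </check>
  <check id="1002" severity="Medium">
    <name>Example default account check</name>
  </check>
  <check id="1003" severity="Low">
    <name>Example listener hardening check</name>
    <cve>CVE-2099-0002</cve>
    <cve>not-a-cve</cve>
  </check>
</report>
"""

# Constructed sample HTML report using the same column layout as the XML report.
SAMPLE_HTML = """<html><body><table>
<tr><th>ID</th><th>Check</th><th>Severity</th><th>CVE</th></tr>
<tr><td>1001</td><td>Example privilege escalation check</td><td>High</td><td>CVE-2099-0001, CVE-2099-0002</td></tr>
<tr><td>1002</td><td>Example default account check</td><td>Medium</td><td></td></tr>
</table></body></html>
"""


def cves_by_check_xml(xml_text):
    """Map each check name to the well-formed CVE Identifiers it carries (parsed, not grepped)."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for check in root.iter("check"):
        name = check.findtext("name", default=check.get("id", "?"))
        ids = [c.text.strip() for c in check.findall("cve") if c.text]
        # Drop malformed identifiers so a typo in the report is not silently treated as coverage.
        mapping[name] = [i for i in ids if CVE_RE.fullmatch(i)]
    return mapping


def checks_for_cve_xml(xml_text, cve_id):
    """Reverse lookup: which checks in the XML report cover the given CVE Identifier."""
    return sorted(name for name, ids in cves_by_check_xml(xml_text).items() if cve_id in ids)


def uncovered_cves(xml_text, wanted):
    """Coverage query: which of a requested list of CVE Identifiers have no check in the report."""
    covered = {i for ids in cves_by_check_xml(xml_text).values() for i in ids}
    return sorted(set(wanted) - covered)


def cve_ids_in_text(text):
    """Plain-text search usable on Text, RTF or HTML output: sorted, de-duplicated identifiers."""
    return sorted(set(CVE_RE.findall(text)))


if __name__ == "__main__":
    print(cves_by_check_xml(SAMPLE_XML))
    print(checks_for_cve_xml(SAMPLE_XML, "CVE-2099-0002"))
    print(uncovered_cves(SAMPLE_XML, ["CVE-2099-0001", "CVE-2099-9999"]))
    print(cve_ids_in_text(SAMPLE_HTML))
```

The XML path is preferred where the report offers it: it ties each identifier to the check that produced it and lets a malformed identifier be rejected, whereas the regex search over Text, RTF or HTML only tells you that an identifier string appears somewhere in the document.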

Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

[Example image: Electronic Document Listing of CVE Names]

Standard HTML report output example. All report types use the same column format and contain all the information.

Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability’s individual elements to the respective CVE name(s) (recommended):

See the answer to <CR_B.3.2>.

Graphical User Interface (GUI)

Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CVE name(s) (required):

See the example provided. This is the same as <CR_A.5.1>.

[Example image: Finding Elements Using CVE Names Through the GUI]

GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability’s elements, also describe the format of the mapping (required):

See the examples provided. This is the same as <CR_A.5.1>.

[Example image: GUI Element to CVE Name Mapping]

GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

All NGS software products output reports in a choice of Text, RTF, HTML, and XML formats, as well as being able to export directly to an external database via ODBC. All these formats contain CVE Identifiers for all relevant checks.

Text reports can be searched using the associated viewer or editor search function. RTF reports can be searched using a Word or equivalent editor search function. HTML reports can be searched using a browser search function. XML reports can be searched using either an XML parser or a browser search function. Databases can be searched using a number of locally provided DB tools including SQL.

Questions for Signature

Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Bill Grindlay

Title: Principal Software Developer

Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability’s Repository and the CVE entries our capability identifies."

Name: Bill Grindlay

Title: Principal Software Developer

Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Bill Grindlay

Title: Principal Software Developer

Page Last Updated or Reviewed: August 10, 2017