Name of Your Organization:

NetClarity

Web Site:

http://www.netclarity.net

Compatible Capability:

NetClarity Auditor 128 and Update Service

Capability home page:

http://www.netclarity.net
General Capability Questions

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

The Auditor family of appliances are sold both directly through NetClarity, reachable at 973-251-0823 (ask for Sales), and to the government through IBM, reachable at 301-803-2674 (Philip J. Waclawik).
Mapping Questions

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

NetClarity posts the latest CVE version used to create or update its mappings at their web site, www.netclarity.net/html/cves_defined.html (see illustration).

This version indicates the last date and time candidates were retrieved. You can get to this screen from the NetClarity home page ( www.netclarity.net ) by selecting Support and choosing CVEs Defined from the menu.

The current posting on the web site is shown in the accompanying illustration.

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

Engineers at NetClarity manually check the CVE database at MITRE every day to determine if changes have occurred. If they determine a change has occurred, they update the NetClarity products by updating the NetClarity Update Server's database.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

NetClarity posts how often it updates the CVE version being used in Auditor to its web site at www.netclarity.net/html/cves_defined.html . A capture of the web site screen is shown under question #4 above. You can get to this screen from the NetClarity home page ( www.netclarity.net ) by selecting Support and choosing CVEs Defined from the menu.
Documentation Questions

7) CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

Pages in the Introduction to the NetClarity Auditor System & Audit Setup Guide contain an explanation of what a CVE is and indicate that CVEs are named by MITRE Corporation, that the names are used in Auditor reports, and that details about each CVE can be found at the MITRE CVE web site by using the CVE names. An explanation of CVE-compatibility is also included in the Introduction.

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

Information about how to search for CVE names is covered in the NetClarity Auditor Reports Guide , under Interpreting Vulnerability Descriptions on page 8 (shown below).

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

Information about how to search for CVE names is covered in the NetClarity Auditor Reports Guide , under Interpreting Vulnerability Descriptions on page 8 (shown above in #8).

10) Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

In the Auditor System & Audit Setup Guide:

CVEs

  • CVE-compatibility 3
  • Defined 2
  • tests executed 58

In the Auditor Reports Guide:

CVEs

  • CVE Compatibility 1
  • Levels to include in reports 4
  • Reporting levels, defined 5, 24
  • Searching reports for 8
  • Sorting report content by 4
  • Types in each level 5, 24
Candidate Support Questions

11) Candidates Versus Entries Indication <CR_6.1>

If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):

NetClarity Auditor products make no distinction between CVEs and CVE candidates. Auditor scans for all vulnerabilities, CVEs and CVE candidates alike.

Reports present a CVE with a name in the CVE-YYYY-NNNN format and a CVE candidate with a name in the CAN-YYYY-NNNN format.

12) Candidates Versus Entries Explanation <CR_6.2>

If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):

NetClarity Auditor scans for all vulnerabilities, CVEs and CVE candidates alike. Reports present a CVE with a name in the CVE-YYYY-NNNN format and a CVE candidate with a name in the CAN-YYYY-NNNN format. Both types of vulnerabilities are treated as equally significant by NetClarity.

In the NetClarity Auditor System & Audit Setup Guide and Auditor Reports Guide , there is information about what a CVE is and similar information about what a CVE candidate is.

13) Candidate to Entry Promotion <CR_6.3>

If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):

When a CVE candidate vulnerability is promoted to an actual CVE, NetClarity Update Service changes its name and presents that CVE in the CVE-YYYY-NNNN format rather than the CAN-YYYY-NNNN format. By accessing the NetClarity Update Service from the Automatic Update process in the Setup page, you automatically update CVE candidates CVEs in your appliance.

No special alert occurs to indicate that a CVE candidate is now an accepted CVE.

16) Candidate Mapping Currency Indication <CR_6.6>

If CVE candidates are supported or used, explain where and how you tell your users how up-to-date your candidate information is (recommended):

The most recent version of the MITRE CVE database used in Auditor is posted on the NetClarity web site, www.netclarity.net/html/cves_defined.html .

When you update your Auditor using the NetClarity Update Service, any CVE candidate vulnerability that has been promoted to an actual CVE is automatically updated. No notification about the change is given, but none is necessary to use the product effectively.

Type-Specific Capability Questions

Tool Questions

17) Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

Customers select specific types of vulnerability tests by category on the Configuration page of the product. They then view the text that explains the type of tests (tasks) being performed. The customers can scroll down through the textual descriptions of the tasks being performed to find a particular task.

18) Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

After running the tests, the customer can then view the results in a report, available through the Reports page. If a CVE is found, its name appears in the text for that vulnerability. By going to the Reports page, the customer can open the report in PDF format. Acrobat opens inside the browser and the customer can search the report for a particular CVE name using Acrobat's search function.

Service Questions

23) Service Coverage Determination Using CVE Names <CR_A.3.1>

Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):

Customers who use NetClarity vulnerability assessment appliances can update the product's vulnerability information on a schedule they determine, by accessing the NetClarity Update Server over a secure internet connection. Once the updates are downloaded, the user can use the vulnerability assessment appliance as described earlier in this document.

24) Finding CVE Names in Service Reports Using Elements <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):

After running the vulnerability tests, the customer can then view the results in a report, available through the Reports page. If a CVE is found, its name appears in the text for that vulnerability. By going to the Reports page, the customer can open the report in PDF format. Acrobat opens inside the browser and the customer can search the report for a particular CVE name using Acrobat's search function.
Media Questions

31) Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

At this time, NetClarity provides a PDF formatted report and access to the full text of the report in text format inside the product interface. Future formats include CSV and XML, to be implemented. The PDF and text formats can be searched for any text string, including a string containing a CVE name.

33) Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

Sample reports are included with the product and show CVE names associated with descriptive text in the report. The samples include Sample_Full.pdf, which you can access from the Reports page in the Auditor. A section from that sample is shown below:

Another section from the same sample showing the mapping to a candidate CVE is shown in the next illustration:

Questions for Signature

37) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Gary S. Miliefsky

Title: President and CTO of NetClarity, Inc.

38) Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Gary S. Miliefsky

Title: President and CTO of NetClarity, Inc.

39) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Gary S. Miliefsky

Title: President and CTO of NetClarity, Inc.

Page Last Updated or Reviewed: April 28, 2016