Name of Your Organization:

Harris Corporation

Web Site:

http://www.stat.harris.com

Compatible Capability:

STAT® Scanner

Capability home page:

http://www.stat.harris.com/solutions/vuln_assess/scanner_index.asp

General Capability Questions

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

After customers have purchased STAT Scanner, they are directed to the secure Harris Customer Premier web site: https://premier.harris.com/stat/. They are emailed a product serial number and registration key, and a login and password for the secure premier site. Once they have logged in, they can download STAT Scanner and/or STAT Scanner vulnerability updates.

Mapping Questions

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

The CVE Version information is displayed in the CVE Lookup dialog. The CVE Lookup can be invoked by clicking on the CVE icon or by selecting "CVE Lookup" in the Help menu. See Figure 1.0 below. Current CVE Version number is 20030402.

Figure 1.0  STAT Scanner — CVE Lookup

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

The STAT Scanner security engineering team updates vulnerabilities, including CVE numbers, multiple times during the month. An email is sent to all STAT Scanner users to notify them of a new update. Also, if the latest update is not installed on their machine, users are prompted upon starting STAT Scanner to get the latest update from the Harris Customer Premier web site.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

STAT Scanner is updated frequently during the month to include product enhancements and vulnerability updates (including CVE updates). An email is sent to all STAT Scanner users to notify them of a new update. Also, if the latest update is not installed on their machine, users are prompted upon starting STAT Scanner to get the latest update from the Harris Customer Premier web site.

Documentation Questions

7) CVE and Compatibility Documentation <CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

The CVE description is located at the bottom of the CVE Lookup dialog. See Figure 1.0 above. Also page 70 of the STAT Scanner Users Guide (included in the Help portion of the product) and a pdf on the Harris Customer Premier site https://premier.harris.com/stat/downloads.asp?cat=82 describe the CVE lookup function.

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

The user can sort on the CVE column on the STAT Scanner main display. See Figure 2.0 below. To see more information pertaining to the CVE vulnerability, the user can click on the vulnerability and detailed information will appear. This includes a link to the MITRE web site. See Figure 3.0 below. The STAT Scanner Users Guide, page 32 and page 34, explains the CVE column display and sorting. The STAT Scanner Users Guide is included in the product as online Help and is available for download on the web site at https://premier.harris.com/stat/downloads.asp?cat=82.

Figure 2.0  STAT Scanner — CVE Column Sorting

Figure 3.0 STAT Scanner — More Info (link to cve.mitre.org)

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

The user can sort on the CVE column on the STAT Scanner main display. See Figure 2.0 above. To see more information pertaining to the CVE vulnerability, the user can click on the vulnerability and detailed information will appear. This includes a link to the MITRE web site. See Figure 3.0 above. The STAT Scanner Users Guide, page 32 and page 34, explains the CVE column display and sorting. The STAT Scanner Users Guide is included in the product as online Help and is available for download on the web site at https://premier.harris.com/stat/downloads.asp?cat=82.

10) Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

STAT Scanner provides a CVE Lookup function. The CVE Lookup can be invoked by clicking on the CVE icon or by selecting "CVE Lookup..." in the Help menu. See Figure 1.0 above. CVE items are not posted on our web site.

Candidate Support Questions

11) Candidates Versus Entries Indication <CR_6.1>

If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):

CVE candidates are indicated by the prefix "CAN" in place of "CVE".

12) Candidates Versus Entries Explanation <CR_6.2>

If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):

The following explanation is located at the bottom of the CVE Lookup dialog window.

"CVE 'candidates' are those vulnerabilities under consideration for acceptance into CVE. The candidate number is converted into a CVE name by replacing the 'CAN' with 'CVE', e.g., CAN-1999-0067 is converted to CVE-1999-0067. The assignment of a candidate number is not a guarantee that it will become an official CVE entry."

See Figure 1.0 above.

13) Candidate to Entry Promotion <CR_6.3>

If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):

The promotion of candidates to CVE entries is handled as part of the normal vulnerability update process; no separate update is issued.

14) Candidate and Entry Search Support <CR_6.4>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):

The user can invoke the CVE Lookup function and search for "CAN-yyyy-nnnn" or "CVE-yyyy-nnnn" or just the number "yyyy-nnnn". See Figure 1.0 above.

15) Search Support for Promoted Candidates <CR_6.5>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's support for retrieving the CVE entry for a candidate that is no longer a candidate (recommended):

There is no indication that a CVE candidate has changed to an official CVE other than the "CAN" notation changes to "CVE."
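Questions 14 and 15 above describe a lookup that accepts "CAN-yyyy-nnnn", "CVE-yyyy-nnnn" or the bare "yyyy-nnnn" portion, and a repository in which the only trace of promotion is the prefix changing from "CAN" to "CVE". The following is an added example, not Harris Corporation's or STAT Scanner's code, of how such a search can be keyed on the yyyy-nnnn portion so that a query for a stale candidate name still finds the promoted entry. The entry descriptions and the `CveIndex` class are constructed for illustration; the regular expression also accepts sequence numbers longer than four digits, which the CVE format has allowed since 2014 and which the 2003-era page does not mention.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches an optional CAN/CVE prefix, a four-digit year and a sequence of
# four or more digits (variable-length sequences have existed since 2014).
_ID_RE = re.compile(r"^\s*(?:(CAN|CVE)-)?(\d{4})-(\d{4,})\s*$", re.IGNORECASE)


def parse_id(text: str) -> Optional[Tuple[Optional[str], str]]:
    """Split "CAN-1999-0067", "CVE-1999-0067" or "1999-0067" into
    (prefix or None, "YYYY-NNNN"). Returns None for anything else."""
    m = _ID_RE.match(text)
    if m is None:
        return None
    prefix, year, seq = m.groups()
    return (prefix.upper() if prefix else None, f"{year}-{seq}")


class CveIndex:
    """Toy vulnerability repository keyed on the YYYY-NNNN portion only, so the
    same entry is found whether the user types the CAN or the CVE form."""

    def __init__(self, entries: List[Tuple[str, str]]) -> None:
        self._by_key: Dict[str, Dict[str, str]] = {}
        for name, description in entries:
            parsed = parse_id(name)
            if parsed is None or parsed[0] is None:
                # Repository entries must carry an explicit CAN or CVE prefix.
                raise ValueError(f"not a prefixed CVE/CAN name: {name!r}")
            prefix, key = parsed
            self._by_key[key] = {
                "name": f"{prefix}-{key}",
                "status": "entry" if prefix == "CVE" else "candidate",
                "description": description,
            }

    def lookup(self, query: str) -> Optional[Dict[str, object]]:
        """Find the record for a CAN/CVE name or bare YYYY-NNNN. The result
        carries a 'promoted' flag when a CAN query matched a CVE entry, which
        is the only way promotion is visible in a repository like this one."""
        parsed = parse_id(query)
        if parsed is None:
            return None
        prefix, key = parsed
        rec = self._by_key.get(key)
        if rec is None:
            return None
        result: Dict[str, object] = dict(rec)
        result["promoted"] = prefix == "CAN" and rec["status"] == "entry"
        return result


# Constructed sample repository; the descriptions are placeholders, not the
# real CVE text. 1999-0067 is stored as a promoted entry, 2003-0001 as a
# candidate that has not (in this sample) been promoted yet.
SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    ("CVE-1999-0067", "placeholder description for a promoted entry"),
    ("CAN-2003-0001", "placeholder description for a candidate"),
]


def build_sample_index() -> CveIndex:
    return CveIndex(SAMPLE_ENTRIES)


if __name__ == "__main__":
    idx = build_sample_index()
    for q in ("CAN-1999-0067", "1999-0067", "cve-2003-0001", "CVE-1999-9999"):
        print(q, "->", idx.lookup(q))
```

A query for the old candidate name returns the promoted entry with `promoted` set, which is the cue a user interface would need to tell the user that "CAN" has become "CVE"; a query using the "CVE" form for a name that is still a candidate is simply answered with the candidate record.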

16) Candidate Mapping Currency Indication <CR_6.6>

If CVE candidates are supported or used, explain where and how you tell your users how up-to-date your candidate information is (recommended):

No separate CVE update is needed. CVE names and candidate numbers are updated as part of the STAT Scanner vulnerability update, which is released frequently during the month.

Type-Specific Capability Questions

Tool Questions

17) Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

The user can sort on the CVE column on the STAT Scanner main display. See Figure 2.0 above. To see more information pertaining to the CVE vulnerability, the user can click on the vulnerability and detailed information will appear. This includes a link to the MITRE web site. See Figure 3.0 above.

18) Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

STAT Scanner provides the CVE number in the Executive Summary Report (see Figure 4.0 below), the Vulnerability Summary Report (see Figure 5.0 below), the Detailed Vulnerability Report (see Figure 6.0 below) and the Screen Shot Report (see Figure 7.0 below).

Figure 4.0  STAT Scanner — Executive Summary Report

Figure 5.0  STAT Scanner — Vulnerability Summary Report

Figure 6.0  STAT Scanner — Detailed Vulnerability Report

Figure 7.0  STAT Scanner — Screen Shot Report

19) Getting a List of CVE Names Associated with Tasks <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (recommended):

The STAT Scanner Screen Shot Report (see Figure 7.0 above) and the Executive Summary Report (see Figure 4.0 above) provide a list of all CVE numbers and their associated vulnerabilities.

20) Selecting Tasks with a List of CVE Names <CR_A.2.5>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CVE names (recommended):

The user can select the "Configurations" drop-down menu, then "Edit Configuration File ...". When the configuration file dialog box appears, the user should select "CVE.dat", as seen in Figure 8.0 below, to load the configuration file that contains only the CVE-mapped vulnerabilities. The user can choose to run the scan with all of the CVE vulnerabilities or edit this file to create a subset of them. Use the bottom scroll bar of the Selected Checks list and scroll to the right to sort and view the CVE vulnerabilities, as shown in the figure below.

21) Selecting Tasks Using Individual CVE Names <CR_A.2.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):

The user can select the "Configurations" drop-down menu, then "Edit Configuration File ...". When the configuration file dialog box appears, the user should select "CVE.dat", as seen in Figure 8.0 below, to load the configuration file that contains only the CVE-mapped vulnerabilities. The user can choose to run the scan with all of the CVE vulnerabilities or edit this file to select or deselect individual checks and create a subset of them. Use the bottom scroll bar of the Selected Checks list and scroll to the right to sort and view the CVE vulnerabilities, as shown in the figure below.

Service Questions

23) Service Coverage Determination Using CVE Names <CR_A.3.1>

Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):

STAT Scanner allows the user to select a configuration file (or coverage map) before running the scan. A configuration file that tests only the CVE-mapped vulnerabilities is included in the product. It is named "CVE.dat". See Figure 8.0 and Figure 9.0 below to view the vulnerabilities in this file.

Figure 8.0  STAT Scanner — CVE Configuration file

Figure 9.0  STAT Scanner — CVE Vulnerabilities (CVE.dat)

24) Finding CVE Names in Service Reports Using Elements <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):

STAT Scanner provides the CVE number in the Executive Summary Report (see Figure 4.0 above), the Vulnerability Summary Report (see Figure 5.0 above), the Detailed Vulnerability Report (see Figure 6.0 above) and the Screen Shot Report (see Figure 7.0 above).

Online Capability Questions

26) Finding Online Capability Tasks Using CVE Names <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):

The CVE Lookup can be invoked by clicking on the CVE icon or by selecting "CVE Lookup..." in the Help menu. The user can invoke the CVE Lookup function and search for "CAN-yyyy-nnnn" or "CVE-yyyy-nnnn" or just the number "yyyy-nnnn". See Figure 1.0 above.

28) Online Capability CGI Get Method Support <CR_A.4.1.2>

If the URL template is for a CGI program, does it support the HTTP "GET" method? (recommended):

NO

Graphical User Interface (GUI)

34) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

The CVE Lookup can be invoked by clicking on the CVE icon or by selecting "CVE Lookup..." in the Help menu. The user can invoke the CVE Lookup function and search for "CAN-yyyy-nnnn" or "CVE-yyyy-nnnn" or just the number "yyyy-nnnn". See Figure 1.0 above.

35) GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

The user can sort on the CVE column on the STAT Scanner main display by simply clicking on the column header. See Figure 2.0 above. To see more information pertaining to the CVE vulnerability, the user can click on the vulnerability and detailed information will appear. This includes a link to the MITRE web site. See Figure 3.0 above.

36) GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

STAT Scanner uses Crystal Reports Version 8.5 to create vulnerability reports. The reports, which contain the CVE-related data, can be exported to PDF, HTML, XML, Excel, Word, and any other format that Crystal Reports supports, and can then be searched for specific CVE text with the search function of the application used to open the exported file.

Questions for Signature

37) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Sandra P. Terry

Title: STAT Scanner Product Manager

38) Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: William (Bill) Wall

Title: STAT Security Engineer

39) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tool's efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: William (Bill) Wall

Title: STAT Security Engineer

Page Last Updated or Reviewed: April 28, 2016