Name of Your Organization:

Netcraft Ltd

Web Site:

www.netcraft.com

Compatible Capability:

Audited by Netcraft

Capability home page:

https://audited.netcraft.com/audited
General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Mappings are made between vulnerability issues detected by the Audited by Netcraft service and CVE dictionary names. The mappings are in the form of a CVE link in an HTML (or PDF) report.

Mapping Questions

Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

The version of the CVE database used is printed at the bottom of the report. Reference to this is made in the documentation.

"* CVE names refer to the CVE database dated 2009-10-04."

Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (required):

Updates to the CVE database are downloaded on a daily basis from the National Vulnerability Database feeds at http://nvd.nist.gov/download.cfm. The full database is fetched every 7 days. Our software automatically updates its own database of vulnerability information using the downloaded CVE database.

Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CVE content (required):

This is described in the CVE link (a link in the document Navigation Bar)

https://audited.netcraft.com/netexam/cve

Map Content Selection Criteria <CR_5.4>

Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):

New vulnerability tests are added to the Audited by Netcraft service on a regular basis. Each new vulnerability will include a CVE Identifier (if one has been assigned to the vulnerabilty in question). The references for the given CVE Identifier will be checked to ensure that the CVE Identifier is correct.

Map Currency Update Mechanism <CR_5.4>

Describe the mechanism used for reviewing CVE for content changes (required):

Updates to the CVE database are downloaded on a daily basis from the National Vulnerability Database feeds at http://nvd.nist.gov/download.cfm.

"nvdcve-2.0-modified.xml includes all recently published and recently updated vulnerabilities"

Map Content Source <CR_5.5>

Describe the source of your CVE content (required):

New vulnerabilities (together with their corresponding CVE Identifiers) are sourced from security-related mailing lists and feeds, security-focused web-sites, discussion groups, vendor announcements, advisories and bulletins, and our own security research.

Documentation Questions

CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

A link is provided in the Navigation Bar at the top of the page:

https://audited.netcraft.com/netexam/cve

The user of the service gets an HTML or PDF report with a link to the appropriate CVE definition at MITRE. The only documentation that is required is a small entry in our Help file and a link to this page:

Documentation of Finding Elements Using CVE Names

Fig 1. Screen shot of CVE Name mapping example (note link to MITRE cvename.cgi in browser status bar)

Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

https://audited.netcraft.com/netexam/cve

Any vulnerabilities which are discovered and for which a CVE entry exists are highlighted in the vulnerability table of the report, together with a link to the appropriate CVE entry. See fig1 above.

Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

As you can see in fig 1. The user simply has to click on the CVE name.

Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

No index is provided in the service.

Service Questions

Service Coverage Determination Using CVE Names <CR_A.3.1>

Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):

A user may ask (by email, phone, fax etc.) if a CVE name is detected by the service.

Finding CVE Names in Service Reports Using Elements <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):

A link is provided in the report that maps a detected vulnerability to a CVE name. See fig 1.

Service's Product Utilization Details <CR_A.3.4>

Please provide the name and version number of any product that the service allows users to have direct access to if that product identifies security elements (recommended):

The service does not allow clients to have direct access to the underlying vulnerability scanner.

Online Capability Questions

Finding Online Capability Tasks Using CVE Names <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):

The find function of the browser can be used. See fig 1. for report layout of CVE mapping.

Online Capability Interface Template Usage <CR_A.4.1.1>

Provide a detailed description of how someone can use your "URL template" to interface to your capability's search function (recommended):

By design we do not include input forms in the report. The find function is sufficient.

Finding CVE Names Using Online Capability Elements <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report. (required):

The CVE name is used as the link to MITRE (see fig 1.) attachment

Media Questions

Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

HTML - Use find function of browser
PDF - Use find function of PDF viewer
Spreadsheet downloadable - Use search function of spreadsheet tool
Printable format - Use word processor word search

Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

See fig 1. example

Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

See fig 1. example

Graphical User Interface (GUI)

Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

Simply by using the find function of the browser.

GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

They are listed as a links. See fig 1.

GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

Exported in CSV format for spreadsheet analysis. Use of spreadsheet search function can be used for searching.

Similarly a printable version is provided

Questions for Signature

Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Colin Phipps

Title: Internet Services Manager

Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Colin Phipps

Title: Internet Services Manager

Page Last Updated or Reviewed: April 28, 2016