Name of Your Organization:

IBM Internet Security Systems

Web Site:

www-935.ibm.com/services/us/index.wss/offerfamily/igs/a1025846

Compatible Capability:

Proventia Enterprise Scanner

Capability home page:

http://www-935.ibm.com/services/us/index.wss/offering/iss/a1027216
General Capability Questions

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Proventia Network Enterprise Scanner support CVE mapping through out the product. All areas where check information is provided, CVE id's can be used.
Mapping Questions

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

SiteProtector accesses CVE information from the X-Force Database. The X-Force Database updates its mappings as follows:

The X-Force database uses the latest CVE version available. X-Force performs reconciliation between CVE and the X-Force database using daily updates as reported from the CERIAS/Purdue University CVE-diff mailing list (CVE_diff@cerias.purdue.edu). X-Force maintains an X-Force FAQ Web page (http://xforce.iss.net/xforce/xfaq) describing the X-Force database, the current CVE version information, in addition to details of how ISS X-Force represents and updates CVE information in the X-Force Database. The CVE version is located at specifically at http://xforce.iss.net/xforce/xfaq/index.html#6.6.

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

SiteProtector's CVE mappings are based on integration with the X-Force Database.

The X-Force database uses the daily mappings as reported from the CERIAS/Purdue University CVE-diff mailing list (CVE_diff@cerias.purdue.edu). When new CVE versions are available, ISS X-Force automatically receives daily discrepancy and change reports generated by scripts to report differences between the MITRE CVE and X-Force databases, and then X-Force researchers make appropriate adjustments to reconcile the differences.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

SiteProtector CVE mappings are based on integration with X-Force Database.

The X-Force database team updates new CVE candidates daily, and upon notification of a new CVE version, X-Force updates the X-Force database days after a list of CVE names is available. A statement of these methods are posted on the X-Force FAQ page at http://xforce.iss.net/xforce/xfaq, specifically at http://xforce.iss.net/xforce/xfaq/index.html#6.5. New content is typically delivered for the scan engines from this data on a monthly schedule.

Documentation Questions

7) CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

SiteProtector describes CVE with respect to the X-Force Database in the X-Force FAQ document. The section describing MITRE CVE is available at http://xforce.iss.net/xforce/xfaq/index.html#6. Also in the SiteProtector Product help files the CVE numbers associated with the signatures detail the associated CVE and a mitre.org link to the CVE.

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

http://www.iss.net/support/documentation/docs.php?product=16&family=8

http://www.iss.net/support/documentation/docs.php?product=45&family=15

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

http://www.iss.net/support/documentation/docs.php?product=16&family=8

http://www.iss.net/support/documentation/docs.php?product=45&family=15

10) Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

http://www.iss.net/support/documentation/docs.php?product=16&family=8

http://www.iss.net/support/documentation/docs.php?product=45&family=15

Type-Specific Capability Questions

Tool Questions

11) Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

The assessment policy in Enterprise Scanner is a list of all the checks a user wants to run against target systems. This list includes a CVE column that lists the CVE(s) each check is associated with. This column can either be used as a pivot for grouping or as a filter. See GUI section for examples.

12) Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

Vulnerability reports containing the help information list the CVE related numbers in the report.

13) Getting a List of CVE Names Associated with Tasks <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (recommended):

This information can be found through the Assessment Policy. All assessment checks have a column for their associated CVE's. If the check maps to more than one CVE then all of the CVE's are listed for that check.

14) Selecting Tasks with a List of CVE Names <CR_A.2.5>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CVE names (recommended):

If a customer wants to set a policy to be a list of checks based on CVE they would need to go through the following steps. First clear the policy so no checks are enabled. Then sort the checks by CVE number. Finally enable the checks under each CVE that they would like to look for. See GUI section for examples.

15) Selecting Tasks Using Individual CVE Names <CR_A.2.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):

If a customer wants to set a policy to be a list of checks based on CVE they would need to go through the following steps. First clear the policy so no checks are enabled. Then sort the checks by CVE number. Finally enable the checks under each CVE that they would like to look for. See GUI section for examples.

Media Questions

30) Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

All public-facing documents on the X-Force database are in HTML and PHP. Because the documents are plaintext with markup elements included, they may be searched by a variety of conventional methods (web browser's Find command, grep, etc.) and search engines (Google, htDig, etc.).

31) Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

From http://xforce.iss.net/xforce/xfdb/6141:

Standards associated with this entry:

CVE-2000-0314: traceroute in NetBSD 1.3.3 and Linux systems allows local users to flood other systems by providing traceroute with a large waittime (-w) option, which is not parsed properly and sets the time delay for sending packets to zero.

32) Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

See above example in section 32. A link to the MITRE CVE name in the form http://cve.mitre.org/cgi-bin/cvename.cgi?name=C??-YYYY-NNNN is embedded in each individual element.

Graphical User Interface (GUI)

33) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

Customer's can use the build in filtering mechanism of our policy editor to search for specific CVE entries. This system allows for both the selection of single or groups of CVE's or a Regular Expression search of the entire system.

Figure 1 Figure 2

34) GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

Each security check in the product as a column or field associated with it for the CVE entries it maps to. This information is viewable through adding the additional columns or viewing the vulnerability details when it is not displayed by default.

Questions for Signature

36) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Thomas Stitt

Title: Business Line Manager – Vulnerability Assessment

37) Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Thomas Stitt

Title: Business Line Manager – Vulnerability Assessment

38) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Thomas Stitt

Title: Business Line Manager – Vulnerability Assessment

Page Last Updated or Reviewed: April 28, 2016