CVE - Security Patches Got You Running in Circles?
DISCLAIMER: This article was originally distributed in Security Wire Perspectives, an e-newsletter from Information Security Magazine. It is reprinted with permission. Copyright © 2004, Information Security Magazine and TechTarget.
Security Wire Perspectives, Vol. 6, No. 39, May 17, 2004
Security Patches Got You Running in Circles?
By Robert A. Martin
Your information security systems administrator has just told you there's a new vulnerability in a key commercial application. It's serious and could let an intruder take over your company's systems. The vendor has just released a patch, but you don't yet know what side effects the patch may cause. Advising your systems administrator to apply the patch immediately could cause as much mayhem as an intruder. And, adding yet another option to the mix, he says there's a workaround.
What to do? To know how big your problem is and, later, to know if you've completely addressed it, you need to identify which of your machines is vulnerable. Typically, your administrator would run a vulnerability scanner to identify the culprits. Then, he'd need to decide whether to patch, to apply the workaround or simply leave it alone until your applications people have given the patch the green light.
If the vendor's security advisory had included an OVAL definition for the vulnerability, your system administrator's problems would have been much easier to address. The Open Vulnerability Assessment Language is an international cybersecurity community effort to standardize vulnerability testing. OVAL defines the tests your systems administrator's security tools can use to determine if your systems are vulnerable. These tests are publicly available from MITRE's OVAL Web site: http://oval.mitre.org and include ways of testing for vulnerable software, patches and workarounds.
Why recommend OVAL? It will save your system and security administrators time, and that translates to lower overhead for you. They can also secure your systems more quickly because they can apply the workarounds and won't have to wait to deploy a patch. Scanning tools will immediately report on successful mitigation, showing the success of any workarounds your system and security administrators have implemented, whether or not they applied the patches.
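To make concrete how a scanner consumes an OVAL-style definition, here is an added Python model, not OVAL's schema or MITRE's code: a criteria tree of software, patch and workaround tests evaluated against a host inventory, reporting mitigation whether it came from the patch or the workaround. The product "ExampleApp", the fixed version 2.1, the patch id PATCH-EXAMPLE-001 and the remote_admin setting are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

Inventory = Dict[str, object]            # what a scanner collects from one host
Test = Callable[[Inventory], bool]       # one OVAL-style test run against it

@dataclass
class Criterion:
    test_ref: str          # the test this criterion refers to
    negate: bool = False   # OVAL lets a criterion negate its test result

@dataclass
class Criteria:
    operator: str          # "AND" or "OR", as in <criteria operator="...">
    children: List[Union["Criteria", Criterion]] = field(default_factory=list)

def evaluate(node, tests: Dict[str, Test], inv: Inventory) -> bool:
    """Walk the criteria tree, combining test results with each node's operator."""
    if isinstance(node, Criterion):
        return tests[node.test_ref](inv) != node.negate   # != acts as XOR with negate
    results = [evaluate(child, tests, inv) for child in node.children]
    return all(results) if node.operator == "AND" else any(results)

def ver(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))   # numeric compare, so 2.9 < 2.10

# Constructed tests for a hypothetical "ExampleApp" advisory (placeholder ids, not real).
TESTS: Dict[str, Test] = {
    "tst:app_installed": lambda inv: "exampleapp_version" in inv,
    "tst:vuln_version": lambda inv: "exampleapp_version" in inv
                                    and ver(inv["exampleapp_version"]) < ver("2.1"),
    "tst:patch_applied": lambda inv: "PATCH-EXAMPLE-001" in inv.get("patches", []),
    "tst:workaround": lambda inv: inv.get("remote_admin") == "disabled",
}

# Vulnerable only if installed AND affected version AND NOT patched AND NOT worked around.
DEFINITION = Criteria("AND", [
    Criterion("tst:app_installed"),
    Criterion("tst:vuln_version"),
    Criterion("tst:patch_applied", negate=True),
    Criterion("tst:workaround", negate=True),
])

def scan(inv: Inventory) -> str:
    """Status a scanner can report: mitigation counts whether by patch or workaround."""
    if not (TESTS["tst:app_installed"](inv) and TESTS["tst:vuln_version"](inv)):
        return "not affected"
    if evaluate(DEFINITION, TESTS, inv):
        return "vulnerable"
    return "mitigated by patch" if TESTS["tst:patch_applied"](inv) else "mitigated by workaround"
```

Running scan() over each host's inventory gives the per-machine picture the article asks for: which hosts still need attention, and which are already covered by the workaround before the patch is approved.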
It's free. MITRE, a not-for-profit company chartered to work in the public interest, has developed this initiative to follow the Common Vulnerabilities and Exposures (http://cve.mitre.org) model. Where CVE assigns standard names to vulnerabilities, OVAL takes the next step. It's designed to collect and document the latest vulnerability testing ideas, and make them publicly available so that your tool vendors and service providers can incorporate them into the information security products and services you use.
How do you bring OVAL on board? Ask your software vendors to send security advisories with OVAL definitions in them. Ask your scanner vendors to standardize their vulnerability tests to conform to OVAL. And encourage your security team to participate in the OVAL community process, which can be found on the OVAL Web site.
ROBERT A. MARTIN is an OVAL team member and principal engineer at The MITRE Corporation. For more information, send e-mail to the OVAL team [at firstname.lastname@example.org].