2002 Industry News Coverage (Archive)

Below is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

Date: 12/2002
Publication: Information Security Magazine

Byline: Anne Saita
Headline: "PROFILE/STEVEN CHRISTEY, Name That Vulnerability"

Excerpt or Summary:
In this profile of Steve Christey, co-creator and editor of the CVE List, the author describes Christey's background and personal interests. She also describes how Christey came to co-create CVE in 1998 while conducting internal network audits for MITRE and finding that the hundreds of vulnerabilities he was cross-referencing looked the same although they carried different vendor-assigned names. The author explains how CVE solves this problem, details how the CVE Initiative has grown, and quotes Christey when discussing how CVE's standardized names are improving information security: "We have a number of CVE users who come up to us and thank us for producing a useful utility." The author further states that CVE is "becoming a more visible component" for serious security solutions. A link to the CVE Web site is also included.

Date: 12/16/2002
Publication: ServerWatch.com

Byline: Wayne Kawamoto
Headline: "MITRE Issues New Standard for Computer Vulnerability Assessment"

Excerpt or Summary:
In this article the author explains how MITRE's Open Vulnerability Assessment Language (OVAL) works, including the OVAL query development process and the use of CVE names as the basis for OVAL queries.

Date: 12/16/2002
Publication: eWeek

Byline: Dennis Fisher
Headline: "MITRE Standard Eases Vulnerability Research"

Excerpt or Summary:
This article discusses MITRE's Open Vulnerability Assessment Language (OVAL) and notes that it builds upon CVE. In the article the author describes OVAL as "a new language designed to make it easier for researchers to define and explain vulnerabilities found in software," explains how OVAL works, and describes how OVAL uses CVE names as the basis for OVAL queries.

Date: 12/12/2002
Publication: Security Wire Digest, Vol. 4, No. 94

Byline: Carl Weinschenk
Headline: "MITRE Builds on CVE, Launches OVAL"

Excerpt or Summary:
This article discusses the launch of OVAL and how it builds upon the CVE Initiative. The author describes what OVAL is and how it works, mentions the importance of community involvement and participation in the development of queries, and explains the composition of the OVAL Board. The author also quotes Andre Frech, OVAL Board member and Internet Security Systems X-Force research engineer: "There are no conceivable downside potentials to OVAL. The initiative is flexibly defined so that security professionals are free to contribute or use the parts that are relevant to their issues." The article also included a link to the OVAL Web site.

Date: 12/11/2002
Publication: eWeek

Byline: Dennis Fisher
Headline: "New Language Assesses Software Flaws"

Excerpt or Summary:
This article focuses on the launch of OVAL and mentions that it builds upon CVE. The author describes the purpose of OVAL and explains how it works, including the query development process. The author also discusses the problem OVAL addresses, which is how "each software vendor seems to define vulnerabilities differently, which often leads to disputes among researchers and vendor representatives." He concludes the article with a quote by OVAL Editor and MITRE senior information security engineer Matthew N. Wojcik, "OVAL solves the consistency problem. The queries provide a baseline for performing vulnerability assessments . . . The widespread availability of OVAL queries will provide the means for standardized vulnerability assessment and result in consistent and reproducible information assurance metrics from systems."

Date: 12/9/2002
Publication: Security Wire Digest, Vol. 4, No. 91

Byline: Carl Weinschenk
Headline: "ISS Vulnerability Disclosure Guidelines"

Excerpt or Summary:
This article discusses the obtaining of CVE candidate numbers as a major step in this article about Internet Security Systems' (ISS) new security disclosure guidelines (download PDF from ISS), dated November 18, 2002. The author notes: "Once a vulnerability is identified, an advisory and a shorter brief are written, and a vulnerability and exposure candidate number (CAN) is obtained from the [CVE Initiative]." The author also quotes co-creator of the CVE List and CVE Editor Steve Christey: "I think it's a good step forward that [ISS is] publishing their policy. It will allow the community to further focus the discussion." ISS is a member of the CVE Editorial Board, has several products listed on the CVE-Compatible Products/Services page, and includes CANs in its security advisories.

Date: 12/3/2002
Publication: PCWorld.com

Byline: Nancy Weil
Headline: "Security Firm Rewrites Rules on Disclosing Flaws"

Excerpt or Summary:
Obtaining CVE candidate numbers is included as major step in this article about Internet Security Systems' (ISS) new security disclosure guidelines (download PDF from ISS), dated November 18, 2002. The author notes that obtaining CVE candidate numbers (CANs) from the CVE Initiative is included by ISS as major step after vendor notification and prior to customer notification: "X-Force will wait the 30 days and then contact the nonprofit research company MITRE to receive a common vulnerability and exposures candidate number that sets a standard name for the vulnerability." ISS is a member of the CVE Editorial Board, has several products listed on the CVE-Compatible Products/Services page, and includes CANs in its security advisories.

Date: 12/3/2002
Publication: Computerworld

Byline: Nancy Weil
Headline: "ISS revamps disclosure process on security warnings"

Excerpt or Summary:
Obtaining CVE Candidate numbers is included as major step in this article about Internet Security Systems' (ISS) new security disclosure guidelines (download PDF from ISS) that are dated November 18, 2002 and include four phases: discovery, vendor notification, customer notification, and public disclosure. The author notes that obtaining CVE candidate numbers (CANs) from the CVE Initiative is included by ISS as major step after vendor notification and prior to customer notification: " . . . the usual procedure is for X-Force after 30 days to contact The [MITRE Corporation], a nonprofit research company in Bedford, Mass., to receive a common vulnerability and exposures candidate number that sets a standard name for the vulnerability." ISS is a member of the CVE Editorial Board, has several products listed on the CVE-Compatible Products/Services page, and includes CANs in its security advisories.

Date: 11/2002
Publication: Information Assurance Newsletter, Vol. 5, No. 3

Byline: Robert A. Martin
Headline: "Enterprise Security Enabled by CVE"

Excerpt or Summary:
This article, which was written by CVE Compatibility Lead Robert A. Martin, describes how CVE compatibility enables enterprise security through the use of shared CVE names. The article also discusses how using CVE-compatible products/services improves how an organization responds to security advisories. A graphical representation of a CVE-enabled process is also included. IA Newsletter is a publication of the Information Assurance Technology Analysis Center (IATAC), a U.S. Department of Defense Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC), which is part of the Defense Information Systems Agency (DISA).

Date: 10/2002
Publication: Information Technology Laboratory Bulletin

Byline: Elizabeth B. Lennon
Headline: "Security Patches and the CVE Vulnerability Naming Scheme: Tools to Address Computer System Vulnerabilities"

Excerpt or Summary:
CVE was recommended as a tool to address system vulnerabilities in a bulletin released in October 2002 by the USA National Institute of Standards and Technology (NIST). The bulletin calls CVE an "emerging industry standard that has achieved wide acceptance by the security industry and a number of government organizations."

The author describes what CVE is and isn't, discusses CVE-compatible products and services and the CVE compatibility requirements, and provides multiple links to the CVE Web site. The article also offers and explains NIST's "Guidelines for Use of the CVE Vulnerability Naming Scheme": (1) Federal departments and agencies should give substantial consideration to the acquisition and use of security-related IT products and services that are compatible with the CVE vulnerability naming scheme; (2) Federal departments and agencies should periodically monitor their systems for applicable vulnerabilities listed in the CVE vulnerability naming scheme; and (3) Federal departments and agencies should use the CVE vulnerability naming scheme in their descriptions and communications of vulnerabilities.

Detailed information is available from NIST "Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" and "Special Publication 800-40, Procedures for Handling Security Patches" on NIST's Computer Security Resource Center (CSRC) Web site. NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-compatible products/services page.

Date: 10/21/2002
Publication: Government Computer News, Vol. 21, No. 31

Byline: William Jackson
Headline: "NIST guidebooks advise agencies to get on the same security page"

Excerpt or Summary:
This article briefly discusses the four new guidelines recently released by the USA National Institute of Standards and Technology (NIST) for securing computer systems. The author states: "NIST ... said agencies need to understand and follow the Common Vulnerabilities and Exposures naming scheme, develop security patch management procedures, and protect connections to remote users and other systems." NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-Compatible Products/Services page.

Date: 10/2002
Publication: Information Security Magazine

Headline: "This Month in INFOSEC HISTORY"

Excerpt or Summary:
The creation of CVE is recognized as a key event in information security history by Information Security Magazine in their "This Month in INFOSEC HISTORY" column for October, which states: "1999, MITRE Corp. created the Common Vulnerabilities and Exposures (CVE) database, in which vulnerabilities are cross-indexed so that security experts have a common lexicon."

Date: 10/10/2002
Publication: Security Wire Digest, VOL. 4, NO. 76

Byline: Keith Regan
Headline: "NIST Guidelines, a Modest Step to Improved Federal Security"

Excerpt or Summary:
This article discusses the release of four new guidelines by the USA National Institute of Standards and Technology (NIST) for securing computer systems, one of which focuses on the use of CVE: "The publications spell out steps for securing interconnecting systems, handling security patches, telecommuting and broadband security and how to use the Common Vulnerability and Exposures (CVE) vulnerability naming scheme." The author states: "While official policy at federal agencies, NIST suggests they be voluntarily implemented by private industry and, in particular, suggests them to companies that work with the federal government regularly." NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-Compatible Products/Services page.

Date: 10/3/2002
Publication: Security Wire Digest, VOL. 4, NO. 74

Byline: Lawrence M. Walsh
Headline: "SANS/FBI Update Top 20 Vulnerabilities List"

Excerpt or Summary:
This article discusses the October 7, 2002 update to the SANS/FBI consensus list of the Twenty Most Critical Internet Security Vulnerabilities and includes a quote from Steve Christey, co-founder of CVE and editor of the CVE List. Christey states: "This [consensus list] should be part of a larger defense-in-depth approach. Vulnerability remediation isn't the end all, be all solution, but it's part of the larger solution."

Date: 8/12/2002
Publication: TechRepublic.com

Byline: Salvatore Salamone
Headline: "Strategies to Prevent and Deal with Network Hacks"

Excerpt or Summary:
CVE is mentioned in this article in a section about reading up on new security threats in which the author states: "Another excellent source of information is the Common, Vulnerabilities and Exposures (CVE) [List] maintained by The MITRE Corporation. It offers a list of standardized names for vulnerabilities and information security exposures. On its site, MITRE cites the list as a sort of dictionary that helps tech professionals understand vulnerabilities and enables data sharing about threats contained in different databases. The CVE List can be downloaded and used as an internal vulnerability reference in the event an attack occurs." The article also provides a link to the CVE Web site.

Date: 7/2002
Publication: SC Online Magazine

Byline: Abishek Chauhan
Headline: "What to Look for in a Web Application Protection System"

Excerpt or Summary:
CVE is mentioned briefly in this article in a section entitled "A Rich Protection Feature Set," which discusses some of the specific threats that should be protected against by all Web application security solutions. The author states: "While these threats are fairly representative of the broad spectrum of web vulnerabilities, its important to note that the non-profit MITRE Corporation (https://cve.mitre.org/cve/) estimates there are currently over 2,000 separate "verified" vulnerabilities today, with another 1,600 being evaluated for classification over the next year."

Date: 4/2002
Title: Securing E-Business Systems: A Guide for Managers and Executives (Book)

Author: Timothy Braithwaite
Publisher: John Wiley & Sons
Headline: "Linux vs. Windows: Which Is More Secure?"

Excerpt or Summary:
This book includes a discussion about CVE in Chapter 4, "Managing E-Business Systems and Security." The author provides a thorough description of what CVE is and isn't, describes CVE compatibility, and mentions the CVE Editorial Board. To conclude the discussion, the author recommends CVE as a best-practice: "Best Practice #12: As a matter of policy, adopt the CVE naming strategy and enforce it's use in all aspects of the e-business security program management."

Date: 4/17/2002
Publication: SANS NewsBites, Vol. 4 No. 16

Headline: "Red Hat to Issue Vulnerability Alerts Using CVE"

Excerpt or Summary:
This issue of the opt-in SANS e-newsletter included the following brief article in its Top of the News section: "Linux supplier, Red Hat, announced that it will begin using the Common Vulnerabilities and Exposures (CVE) standards list for future security alerts and advisories. The US Government-funded CVE project provides standardized definitions for security vulnerabilities and exploits." In an editor's note for this article Alan Paller of SANS stated: "This announcement demonstrates security awareness and leadership. Other system vendors may well follow Red Hat's lead. Security vendors, such as ISS and Symantec, already provide CVE references for the vulnerabilities they report. In addition, the new global site security certification process is being based on a consensus list of highest priority vulnerabilities developed using CVE numbers. [A copy of the CVE List that includes]a valuable additional reference list is searchable at http://icat.nist.gov." SANS is a member of the CVE Editorial Board, and its GIAC Security Training materials are listed on the CVE-Compatible Products/Services page.

Date: 4/11/2002
Publication: LinuxToday

Headline: "Red Hat Unveils CVE Security Compatibility"

Excerpt or Summary:
Red Hat's promotion of its involvement and endorsement of the CVE Initiative CVE was the featured topic in this article on LinuxToday.com, and included a link to the CVE Web site. The article was essentially a reprint of the recent Red Hat news release.

Date: 4/10/2002
Publication: ZDNET News

Byline: Stephen Shankland
Headline: "Red Hat to standardize warnings of security"

Excerpt or Summary:
This brief article noted Red Hat's promotion of its involvement and endorsement of the CVE Initiative. In the article, the author stated: "Red Hat . . . will standardize its warnings of security problems using the MITRE Corporation's Common Vulnerabilities and Exposures (CVE)."

Date: 4/10/2002
Publication: SANS NewsBites, Vol. 4 No. 15

Headline: "CVE Dictionary Expands to More than 2,000 Items"

Excerpt or Summary:
This issue of the opt-in SANS (System Administration, Networking and Security) Institute e-newsletter included the following brief article: "The Common Vulnerabilities and Exposures (CVE) lexicon, which began in 1999 with 321 entries, now contains 2,032 standardized descriptions of security holes. There are nearly 2,000 additional entries currently under review." Also included was a link to the CVE Web site. SANS is a member of the CVE Editorial Board, and its GIAC Security Training materials are listed on the CVE-Compatible Products/Services page.

Date: 4/1/2002
Publication: Government Computer News

Byline: William Jackson
Headline: "CVE dictionary contains more than 2,000 entries"

Excerpt or Summary:
CVE was the featured topic in this article about the CVE 2,000+ entries milestone. The author described what CVE is, quotes CVE Project Leader Margie Zuk about the significance of the milestone, noted the number of organizations with compatible products and services, and mentioned that the list of top 20 Internet security vulnerabilities published by the FBI and SANS Institute includes CVE names. The article also included a link to the CVE Web site. Read the MITRE 2,000+ entries milestone news release.

Date: 2/4/2002
Publication: Network World

Byline: Mandy Andress
Headline: "Network World Fusion Buyer's Guides: Network scanners pinpoint problems"

Excerpt or Summary:
CVE was mentioned briefly in this article in a section regarding vulnerability descriptions and identification in this comparison of network vulnerability assessment tools.

Date: 2/4/2002
Publication: Security Wire Digest

Byline: Anne Saita
Headline: "CVE-Use Recommendations Open for Comment"

Excerpt or Summary:
This article discusses the USA National Institute of Standards and Technology (NIST) draft recommendation " Use of the CVE Vulnerability Naming Scheme Within its Acquired Products and Information Technology Security Procedures," which advises USA agencies about CVE and recommends that agencies give substantial consideration to buying products and services compatible with the CVE naming scheme. The article also includes a link to the CVE Web site, and direct links to the CVE-Compatible Products and Services page and to the recently updated CVE Compatibility Requirements document.

Date: 2/2002
Publication: Information Security Magazine

Byline: Al Berg
Headline: "FEELING VULNERABLE? If you're bedeviled by swarms of vulnerability alerts, you can take control by practicing good management"

Excerpt or Summary:
CVE is mentioned briefly in this article about Vulnerability Management. In a section entitled "Free Resources," the author discusses resources for identifying vulnerabilities in a system and identifies Bugtraq and CVE as "the two major catalogers of security problems."

Date: 1/21/2002
Publication: LinuxWorld

Byline: Mark J. Cox
Headline: "'Chinese Whisper' security advisories--Before panicking about a security advisory, it's best to go to the source"

Excerpt or Summary:
CVE is mentioned in this article about inconsistent descriptions of possible vulnerabilities in the security advisories produced from various Linux vendors. The author states that such inconsistencies can cause confusion, or at worst, result in inaccurate information. He concludes by saying that CVE will help with this problem: "If all vendors started attaching CVE [names] to their advisories, then it would be easy for users to work out which issues were being fixed even if the descriptions in each advisory were widely different. Since November [Red Hat has] been working with MITRE to get these descriptions into the Red Hat advisories." The article also provides a link to the CVE Web site.

Date: 1/4/2002
Publication: Gartner Web site

Byline: Ant Allan
Headline: "Intrusion Detection Systems (IDSs): Perspective, Note Number DPRO-95367"

Excerpt or Summary:
CVE was mentioned in a section on 'Standards' in this market analysis of intrusion detection systems (IDSs). The document describes what CVE is and isn't, discusses the makeup and role of the CVE Editorial Board, and provides a link to the CVE Web site.

Date: 1/2002
Publication: Signal

Byline: James J. Flyzik
Headline: "Security Solutions: Government Faces Information Security Challenges"

Excerpt or Summary:
CVE was referenced as part of a special "Security Solutions" section, in which the author Jim Flyzik, Deputy Assistant Secretary (Information Systems) and CIO for the Department of the Treasury, and a member of the CVE Senior Advisory Council, states: "Several important information assurance efforts have effects across the federal government, and they warrant active attention from the senior executives within the government who are responsible for information assurance. The Common Vulnerabilities and Exposures (CVE) program is one such effort. A constant problem in protecting systems and networks is the proliferation of names for and references to a single vulnerability or attack. The wide range of security products in use can produce a torrent of reports that are incomprehensible without a common lexicon. With the support of the bulk of the commercial product vendors and software companies, CVE provides the necessary "Rosetta Stone." Signal magazine is the Armed Forces Communications and Electronics Association's (AFCEA's) Journal for Communications, Electronics, Intelligence, and Information Systems. The article is not part of the online edition of the magazine.