Below is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
Date: 12/2/2005
Publication: SecurityFocus.com
Byline: Robert Lemos
Title: "Federal flaw database commits to grading system"
Excerpt or Summary:
CVE was mentioned as follows in an article about the U.S. National Vulnerability Database (NVD): "NVD piggybacks on the Common Vulnerability and Exposures (CVE) [Initiative] ... The CVE, a listing of serious vulnerabilities maintained by the MITRE Corporation, expands on the Internet Catalog (ICAT), a previous NIST project, that archived the vulnerabilities defined by the Common Vulnerability and Exposures list. The NVD team scored the vulnerabilities using an automated process. The CVE [List] only had about 80 percent of the information needed to give an exact score ... so the group has generated the scores based on the information at hand and labeled each one "approximate." The CVE definitions are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language ... "
CVE is also mentioned in the article in a discussion of NVD's adoption of the Common Vulnerability Scoring System (CVSS) by Gerhard Eschelbeck, chief technology officer for Qualys, Inc. and "one of the founding members" of the CVSS team, who states: "The grading of the previous vulnerabilities on the CVE List solves a problem that hampered adoption of the Common Vulnerability Scoring System. With the introduction of CVSS as a standardized vulnerability scoring system, the question appeared, how do we go back and score all the historical vulnerabilities released? It is very encouraging to see NVD has taken on this big task, providing comprehensive CVSS scoring for even historical vulnerabilities."
NVD, CVE, and OVAL are sponsored by the U.S. Department of Homeland Security.
Date: 11/21/2005
Publication: BusinessWire.com
Excerpt or Summary:
CVE was included in a press release by NetClarity about the latest upgrade to their Auditor product line. CVE is first mentioned at the beginning of the release in a description of how the Auditor upgrade product works: " ... Auditor now has the capability of scanning VoIP network equipment, such as servers, switches, routers and handsets, for Common Vulnerabilities and Exposures (CVE) [names], the systemic cause of over 95 percent of all network security breaches."
CVE is also mentioned in a quote by Gary Miliefsky, NetClarity's chief technology officer, who states: "If you are considering deploying VoIP on the same network as your desktop computers and servers, you are at high risk of poor call quality, denial of service, breaches of privacy, integrity and availability. By removing your CVEs, you can quickly mitigate much of this risk. Because these packet-based networks are not very secure by default they are extremely susceptible to attacks such as Man in the Middle (eavesdropping and alerting) and Denial of Service (DoS). Auditor now enables customers to quickly find and remediate CVE that may lead to these types of attacks."
Finally, CVE is highlighted in a list of the new features of the latest release of Auditor: "Integration with the National Vulnerability Database [NVD], which is based on and synchronized with the MITRE CVE naming standard: this comprehensive cyber security vulnerability database enables customers to better understand how vulnerabilities impact their business and how to fix them as well as the latest threats against their [CVE names]."
Four NetClarity (formerly PredatorWatch, Inc.) products are listed on the CVE-Compatible Products and Services page, three of which (NetClarity Auditor Enterprise and Update Service, NetClarity Auditor 128 and Update Service, and NetClarity Auditor XL and Update Service) are "Officially CVE-Compatible." NVD and CVE are sponsored by the U.S. Department of Homeland Security.
Date: 11/10/2005
Publication: ZATAZ News
Byline: D.B.
Title: "Common Malware Enumeration"
Excerpt or Summary:
CVE was mentioned briefly in this article, which was written in French, announcing that McAfee, Inc. has joined the CME Editorial Board and that McAfee said it would reference CME identifier information on its virus information library on the McAfee Web site. CVE is mentioned in the article when the author states that CME is similar to the Common Vulnerabilities and Exposures Initiative.
The Common Malware Enumeration (CME) initiative, headed by US-CERT and MITRE along with numerous members of the anti-virus community, aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CME is "not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware." CME, US-CERT, and CVE are sponsored by the U.S. Department of Homeland Security.
Date: 11/3/2005
Publication: DAWN Sci-Tech World
Byline: Nizar Diamond Ali
Title: "Tips and tricks: Worming it out."
Excerpt or Summary:
CVE was mentioned briefly in this article about the Common Malware Enumeration (CME) initiative, headed by US-CERT and MITRE along with numerous members of the anti-virus community, that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks.
CVE is mentioned when the author states: "Why CME has become so popular within a couple of weeks of its launch has much to do with its backers US-CERT (Computer Emergency Readiness Team), and US Department of Homeland Security. MITRE Corporation manages CME under funding from US-CERT and DHS which also fund two similar projects, CVE (Common Vulnerabilities and Exposures), and OVAL (Open Vulnerability and Assessment Language)."
CVE, CME, OVAL, and US-CERT are sponsored by the U.S. Department of Homeland Security.
Date: 11/1/2005
Publication: SC Magazine
Title: "Auditor Enterprise"
Excerpt or Summary:
CVE was mentioned in the first sentence of this product review article for NetClarity, Inc.'s Auditor Enterprise product. CVE is mentioned as follows: "Netclarity's distinctive green 1U rack mount Auditor Enterprise device is described as a CVE (Common Vulnerabilities and Exposures)-compliant network security system. It offers vulnerability assessment functions to help firms comply with corporate governance legislation by conducting an audit against pre-defined CVE vulnerabilities. This helps endpoint security by quarantining infected systems until they are remediated."
Four NetClarity, Inc. (formerly PredatorWatch, Inc.) products are listed on the CVE-Compatible Products and Services page, three of which (NetClarity Auditor Enterprise and Update Service, NetClarity Auditor 128 and Update Service, and NetClarity Auditor XL and Update Service) are "Officially CVE-Compatible."
Date: 10/6/2005
Publication: NewsFactor Magazine
Title: "CERT Pushes for Standard Malware Names"
Excerpt or Summary:
CVE was mentioned briefly in this article about the Common Malware Enumeration (CME) initiative, headed by US-CERT and MITRE along with numerous members of the anti-virus community, that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CVE is mentioned as follows: "A similar naming system already exists for vulnerabilities in software, which uses a Common Vulnerability and Exposure (CVE) identifier that includes the year in which it was identified and a sequential number." CME, US-CERT, and CVE are sponsored by the U.S. Department of Homeland Security.
Date: 10/6/2005
Publication: Security Depot Online
Excerpt or Summary:
CVE was mentioned briefly in this article announcing that McAfee, Inc. has joined the CME Editorial Board and that McAfee said it would reference CME identifier information on its virus information library on the McAfee Web site "so that users could search for a threat by its identifying number as well as the virus name." The Common Malware Enumeration (CME) initiative, headed by US-CERT and MITRE along with numerous members of the anti-virus community, aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks.
CVE is mentioned when the author states: "The effort is fashioned similarly to the Common Vulnerabilities and Exposures (CVE) initiative, which is also operated by MITRE in support of US-CERT for standard naming around all publicly known vulnerabilities."
CME, US-CERT, and CVE are sponsored by the U.S. Department of Homeland Security.
Date: 10/6/2005
Publication: vnunet.com
Byline: Tom Sanders
Title: "Security industry adopts uniform virus names"
Excerpt or Summary:
CVE was mentioned briefly in this article about the Common Malware Enumeration (CME) initiative, headed by US-CERT and MITRE along with numerous members of the anti-virus community, that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CVE is mentioned as follows: "A similar naming system already exists for security vulnerabilities in software, which uses a Common Vulnerability and Exposure identifier that includes a sequential number and the year in which it was identified."
CME, US-CERT, and CVE are sponsored by the U.S. Department of Homeland Security.
Date: 10/5/2005
Publication: MITRE Web Site
Title: "Common Malware Enumeration Initiative Now Available"
Excerpt or Summary:
CVE was mentioned briefly in this press release by US-CERT and MITRE Corporation formally announcing the launch of the Common Malware Enumeration (CME). The release describes what CME is and isn't, discusses the CME Editorial Board, and mentions the address of the CME Web site. CVE is mentioned as follows: "Use of the CME identifier is completely voluntary, but it is hoped that the public will encourage anti-virus vendors to adopt CME identifiers. CME is similar to the Common Vulnerabilities and Exposures (CVE) initiative, which is also operated by MITRE in support of US-CERT. Experience with CVE shows that by adopting a neutral, shared identification method, effective information sharing can happen faster and with more accuracy."
CME, US-CERT, and CVE are sponsored by the U.S. Department of Homeland Security.
Date: 10/1/2005
Publication: ADTmag.com
Byline: Kathleen Ohlson
Title: "Online Treasure Chest for Security Pros"
Excerpt or Summary:
CVE was mentioned briefly in this Q&A article about the U.S. National Vulnerability Database (NVD) with Peter Mell, senior computer scientist at the National Institute of Standards and Technology (NIST) and creator of NVD. CVE is mentioned by Mell in response to a question about the source used by NVD for its vulnerability names and descriptions: "[NVD is] completely synchronized... with the people that run [CVE]."
NVD and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 9/2005
Publication: Virus Bulletin
Byline: Jimmy Kuo (McAfee, Inc.) and Desiree Beck (MITRE Corporation)
Title: "The Common Malware Enumeration Initiative"
Excerpt or Summary:
CVE was mentioned briefly in this article announcing the formation of the Common Malware Enumeration (CME) initiative, headed by US-CERT and MITRE along with numerous members of the anti-virus community, that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CME is "not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware."
CVE is mentioned by the authors of the article as follows: "CME is fashioned similarly to the Common Vulnerabilities and Exposures (CVE) initiative (https://cve.mitre.org), which is also operated by MITRE in support of US-CERT. As experience with CVE shows, once all parties have adopted a neutral, shared identification method, effective information sharing can happen faster and with more accuracy." CME, US-CERT, and CVE are sponsored by the U.S. Department of Homeland Security.
Date: 9/2005
Publication: Software Development Magazine
Byline: Laurie O'Connell
Title: "False Protection: We count on firewalls and antivirus tools to keep our industry afloat. What if the cure is worse than the disease?"
Excerpt or Summary:
CVE names were used by the author of this article to illustrate the number and
scope of threats that must be addressed by firewalls and anti-virus tools.
Date: 9/29/2005
Publication: SearchSecurity.com
Byline: Bill Brenner
Title: "Will US-CERT bring sanity to virus naming?"
Excerpt or Summary:
CVE was mentioned briefly in this article announcing the formation of the Common Malware Enumeration (CME) initiative, headed by US-CERT and MITRE along with numerous members of the anti-virus community, that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CME is "not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware."
CVE is mentioned in the article in a quote by Donald Hauser, information security engineer for The National Academy of Sciences (NAS) in Washington, D.C., who states: "It would be nice to see viruses being given a uniform number or convention similar to what [The United States Computer Emergency Readiness Team (US-CERT)] uses for vulnerabilities -- the CVE [Common Vulnerabilities and Exposures] designation. That would be very helpful. Then the major players could give it any name they want but there would still be a common code." CME, US-CERT, and CVE are sponsored by the U.S. Department of Homeland Security.
Date: 9/22/2005
Publication: eWeek
Byline: Paul F. Roberts
Title: "US-CERT Malware Naming Plan Faces Obstacles"
Excerpt or Summary:
CVE was mentioned briefly in this article announcing the formation of the Common Malware Enumeration (CME) initiative, headed by US-CERT and MITRE along with numerous members of the anti-virus community, that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CME is "not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware."
CVE is mentioned in the article as follows: "The CME number and links to a description of the threat will appear on a MITRE Web site akin to the CVE (Common Vulnerabilities and Exposures) Web site." CME, US-CERT, and CVE are sponsored by the U.S. Department of Homeland Security.
Date: 8/22/2005
Publication: Government Computer News
Byline: William Jackson
Title: "NIST relaunches database of IT vulnerabilities"
Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD). CVE is mentioned as follows: "[NVD] incorporates the Common Vulnerabilities and Exposures search engine, a standardized naming scheme for IT vulnerabilities developed by MITRE Corp. of Bedford, Mass., and supported by DHS. NVD also integrates other government resources, such as alerts and advisories from US-CERT." The article also describes what CVE is and isn't, provides the history of CVE, mentions that there are 200+ CVE-compatible products and services, and notes that "NVD synchronizes with CVE every four or five minutes."
The article also includes a quote from Steven M. Christey, Editor of the CVE List and information security engineer at MITRE, who states: "[NVD is] an excellent extension of CVE. It addresses a lot of needs people have been looking to CVE for, but that CVE was not intended to serve."
NVD and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/17/2005
Publication: ComputerWorld
Byline: Linda Rosencrance
Title: "Brief: NIST launches new vulnerability database"
Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD), which "integrates all publicly available U.S. government resources on vulnerabilities and provides links to industry resources, according to NIST." CVE is mentioned as follows: "It is built on a dictionary of standardized vulnerability names and descriptions called Common Vulnerabilities And Exposures."
NVD and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/16/2005
Publication: The Engineer Online
Title: "Vulnerabilities Database"
Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD). CVE is mentioned as follows: "NVD is built upon a dictionary of standardised vulnerability names and descriptions called Common Vulnerabilities and Exposures."
NVD and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/15/2005
Publication: Federal Computer Weekly
Byline: Rutrell Yasin
Title: "NIST creates online treasure trove of security woes"
Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD). CVE is mentioned as follows: "The database is built completely on the Common Vulnerabilities and Exposures (CVE) naming standard developed by representatives from academia, government and industry. Maintained by MITRE, CVE is a dictionary, not a database. It is designed to make it easier to share data among vulnerability databases and security tools. About 300 security products use CVE to identify vulnerabilities and facilitate interoperability among those products. NVD will aid that interoperability by enhancing the CVE name standard with detailed vulnerability information."
NVD and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/15/2005
Publication: eWeek
Byline: Caron Carlson
Title: "NIST Unveils National Vulnerability Database"
Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD), "a database of network vulnerabilities last week to give IT security professionals a clearinghouse to keep up with newly discovered weaknesses and learn ways to remediate them."
CVE is mentioned as follows: "Users can search the database for information on any vulnerability and are able to search by keyword or CVE (Common Vulnerabilities and Exposures) number. The system also contains information on all the technical alerts and vulnerability notes that the US-CERT publishes."
NVD, US-CERT, and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/12/2005
Publication: Computer Business Review Online
Title: "Homeland Security launches vulnerability database"
Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD). CVE is mentioned as follows: "Unlike the longstanding CVE list, maintained by The MITRE Corp, which is keyword searchable, the NVD is a database that allows users to slice and dice the data to more quickly look up specific types of vulnerabilities or specific vulnerable products."
NVD and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/12/2005
Publication: SecurityFocus.com
Byline: Robert Lemos
Title: "NIST, DHS add national vulnerability database to mix"
Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD), which according to the article is "the latest U.S. Department of Homeland Security initiative to boost the preparedness of the nation's Internet and computer infrastructure, as called for by the Bush Administration's National Strategy to Secure Cyberspace."
CVE is mentioned when the author states: "[NVD only includes] public information in its collection... The project scans the Common Vulnerability and Exposures (CVE), a listing of serious vulnerabilities maintained by the MITRE Corporation. The NVD expands on the Internet Catalog (ICAT), a previous NIST project, that archived the vulnerabilities defined by the Common Vulnerabilities and Exposures list."
CVE is also mentioned in a quote by Peter Mell, a senior computer scientist at NIST and the creator of the NVD, who states: "The CVE [names] are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language." According to the article, "this reliance on standards gained the effort some plaudits from representatives of security companies that rely on such databases," including Gerhard Eschelbeck, chief technology officer of vulnerability assessment service for Qualys, Inc., who states: "We believe there is a need in the market for an aggregator to bring together all the information from all the different sources. But we want the organizations to use all the open standards."
NVD, US-CERT, OVAL, and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/12/2005
Publication: GovTech.Net
Title: "NIST Launches National Database of Computer Vulnerabilities"
Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD). CVE is mentioned as follows: "NVD is built upon a dictionary of standardised vulnerability names and descriptions called Common Vulnerabilities and Exposures."
NVD and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/10/2005
Publication: Federal Computer Weekly
Byline: Rutrell Yasin
Title: "NIST releases vulnerability database"
Excerpt or Summary:
CVE was mentioned in this article about the U.S. National Vulnerability Database (NVD), which "integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. The Web site, nvd.nist.gov, contains about 12,000 vulnerability entries with around 10 being added per day."
CVE is mentioned as follows: "[NVD] is built completely on the Common Vulnerabilities and Exposures (CVE) naming standard, which was developed by representatives from academia, government and industry. Maintained by MITRE Corp., CVE is a dictionary, not a database. It is designed to make it easier to share data across separate vulnerability databases and security tools. About 300 security products use CVE to identify vulnerabilities and facilitate interoperability between those products. NVD will aid that interoperability effort by enhancing the CVE name standard with detailed vulnerability information."
NVD and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/10/2005
Publication: ZDNet Government
Title: "National Vulnerabilities Database launched"
Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD), "comprehensive collection of computer security weaknesses. NVD collates cybersecurity warnings from various US government sources, including the Computer Emergency Readiness Team (CERT). The database contains about 12,000 listings, with 10 a day being added." CVE is mentioned as follows: "The database is built on the Common Vulnerabilities and Exposures dictionary, a standard naming convention for computer vulnerabilities."
NVD and CVE are sponsored by the U.S. Department of Homeland Security. In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.
Date: 8/8/2005
Publication: Infoworld.com
Byline: Victor R. Garza, Joseph L. Roth, Charles D. Herring
Title: "TippingPoint leans into network threats"
Excerpt or Summary:
CVE was used by the authors as a method for testing the product in this review of the TippingPoint 400 IPS. CVE names are mentioned when the authors state: "During manual testing with Core Impact, the TippingPoint 400 missed our exploits of the several-year-old IIS ASN.1 Bit String SPNEGO vulnerability (CVE-2003-0818) and the MS RPC DCOM vulnerability (CVE CAN-2003-0352) that Blaster made famous."
Date: 5/2005
Publication: CrossTalk, The Journal of Defense Engineering
Byline: Robert A. Martin
Title: "Transformational Vulnerability Management Through Standards"
Excerpt or Summary:
CVE was a main topic in this article by CVE Compatibility Lead Robert A. Martin that discusses the U.S. Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that require using capabilities that conform to the CVE and OVAL standards efforts. The author states: "In combination with procedural changes, the adoption of these and other standards such as the National Security Agency's Extensible Markup Language Configuration Checklist Data Format, are making it possible to radically improve the accuracy and timeliness of the DOD's remediation and measurement activities, which are critical to ensuring the network and systems integrity of their network-centric warfare capabilities."
The author concludes the article as follows: "DoD is moving to its new process by requiring the inclusion of CVE names and standardized OVAL XML vulnerability and configuration tests in software supplier's alerts and advisories, and by acquiring tools that can import new and future OVAL XML test definitions and export their findings as standardized OVAL XML results. By also obtaining capabilities that can import the OVAL XML results for remediation, organizational status reporting, and generating certification and accreditation reports, the DoD will have created a focused, efficient, timely, and effective enterprise incident management and remediation process by adopting information security products, services, and methodologies that support the CVE naming standard and use OVAL test definitions and results schemas." "Collectively these changes will dramatically improve the insight and oversight of the security and integrity of the systems and networks underlying tomorrow's network-centric warfare capabilities."
Date: 5/15/2005
Publication: SD Times, The Industry Newspaper for Software Development Managers
Byline: Jennifer DeJong
Title: "Top Ten, Other Lists Catalog Security Threats"
Excerpt or Summary:
CVE was mentioned in this article as one of the "Internet resources [that aim] to identify application flaws developers may do battle with." The author mentions CVE as follows: "Another entry, the Common Vulnerabilities and Exposures (CVE) List (cve.mitre.org/cve), is not a database, per se. It aims to standardize the names for all publicly known vulnerabilities and security exposures. Maintained by the not-for-profit MITRE Corp., the listing is designed to make it easier to search for information in security databases, such as the one maintained by CERT/CC [www.kb.cert.org/vuln]."
In addition to the CERT/CC database, the article also mentions the Open Web Security Project Top Ten list, both of which are listed on the CVE-Compatible Products and Services page.
Date: 4/25/2005
Publication: Computerworld
Byline: Jaikumar Vijayan
Title: "Sidebar: Security Forum's Demise Doesn't End Call for Help"
Excerpt or Summary:
CVE is mentioned in this article in a quote by Amit Yoran, former director of the National Cyber Security Division at the U.S. Department of Homeland Security, advocating the idea behind the CISO Exchange. The author of the article reports the quote as follows: "One example in which such [industry] participation has yielded substantial benefits is the widely used Common Vulnerabilities and Exposures [List], which is maintained by The MITRE Corp. in partnership with the government and various vendors, Yoran said."
CVE is sponsored by US-CERT at the U.S. Department of Homeland Security. MITRE Corporation maintains CVE and provides impartial technical guidance to the CVE Editorial Board on all matters related to ongoing development of CVE.
Date: 4/7/2005
Publication: NX Security Web Site
Title: "NX Security conquista certificação CVE"
Excerpt or Summary:
CVE compatibility was the main topic of this media notification by NX Security. In the notification, which is written in Portuguese and quoted here in translation, NX Security announces: "Continuing its record of success and excellence in the services it offers in the field of Information Security, NX Security takes another important step and is the first company in Latin America to earn CVE certification. The certification was awarded on April 5 at the InfoSec World Conference in Orlando, Florida, USA. During the event, at which US-CERT (National Internet Security Division) represented NX Security, NX-Entreprise and NX-Express, services for continuous detection of and reaction to threats against information systems, were declared CVE-compatible."
The release further states: "As a result, the solutions offered by NX Security to protect and ensure broader coverage of the activities and applications of external and internal networks are efficient and accurate in determining the vulnerabilities and exposures detected. This is because, being compatible with CVE names, there will be standardization in the assessment performed by the tools and the database, even allowing them to communicate with each other."
NX Security and its NX Enterprise and NX Express products are listed on the CVE-Compatible Products and Services page.
Date: 4/6/2005
Publication: ArcSight, Inc. Web Site
Title: "ArcSight ESM Awarded CVE Compatibility Certificate"
Excerpt or Summary:
CVE compatibility was the main topic of this press release by ArcSight, Inc.
announcing that "The CVE Initiative, in a ceremony today, awarded the
CVE Compatibility Certificate to ArcSight ESM." The release also includes
a quote from Pravin Kothari, Vice President of Software Development at ArcSight,
who states: "As the clear, independent standard for identification of
vulnerabilities and information security exposures, CVE certification is
critical for enterprise security management solutions. As the first enterprise
class security management solution to receive CVE certification, ArcSight
has empirical proof of its leadership in integrating vulnerability data into
real-time and historic security management technology."
ArcSight, Inc. and ArcSight Enterprise Security Manager (ArcSight ESM) are listed on the CVE-Compatible Products and Services page.
Date: 4/6/2005
Publication: Yahoo Financial News
Title: "ArcSight ESM Awarded CVE Compatibility Certificate"
Excerpt or Summary:
This is a reprint of the ArcSight, Inc. press release above announcing
that ArcSight Enterprise Security Manager (ArcSight ESM)
is now officially CVE-Compatible.
ArcSight, Inc. and ArcSight ESM are listed on the CVE-Compatible
Products and Services page.
Date: 4/6/2005
Publication: MarketWire.com
Title: "ArcSight ESM Awarded CVE Compatibility Certificate"
Excerpt or Summary:
This is a reprint of the ArcSight, Inc. press release above announcing that
ArcSight Enterprise Security Manager (ArcSight ESM) is now officially CVE-Compatible.
ArcSight, Inc. and ArcSight ESM are listed on the CVE-Compatible
Products and Services page.
Date: 4/6/2005
Publication: ArriveNet.com
Title: "ArcSight ESM Awarded CVE Compatibility Certificate"
Excerpt or Summary:
This is a reprint of the ArcSight, Inc. press release above announcing that
ArcSight Enterprise Security Manager (ArcSight ESM) is now officially CVE-Compatible.
ArcSight, Inc. and ArcSight ESM are listed on the CVE-Compatible
Products and Services page.
Date: 4/6/2005
Publication: Skybox Security, Inc. Web Site
Title: "Skybox Security Recognized for CVE Compatibility"
Excerpt or Summary:
CVE compatibility was the main topic of this press release by Skybox Security,
Inc. announcing that it "has been formally recognized for Common Vulnerabilities
and Exposures (CVE®) compatibility for its enterprise software solution,
Skybox View. The award, presented to Skybox at the MIS Technology Institute's
InfoSec World Conference and Exposition, recognizes products that have incorporated
MITRE Corporation's CVE standard names for security vulnerabilities and exposures
to foster information sharing across security solutions. Skybox was one of
ten companies receiving certification [at the event]."
The release also includes a quote from Gidi Cohen, Chief Strategy Officer for Skybox Security, who states: "Skybox Security is proud to be the first security risk management solution to be awarded CVE compatibility, as well as one of the select few who have achieved the final phase of MITRE's formal CVE Compatibility Process. Skybox is actively committed to industry standards. With over 200 products and services declared CVE-compatible, the CVE Initiative is an important and influential community working toward the common purpose of better security."
Skybox Security, Inc. and Skybox View are listed on the CVE-Compatible Products and Services page.
Date: 4/5/2005
Publication: DesktopStandard Corporation Web Site
Title: "DesktopStandard's PolicyMaker Software Update Receives CVE Compatibility Award"
Excerpt or Summary:
CVE compatibility was the main topic of this press release announcing that
DesktopStandard Corporation's "Group Policy-based patch management product,
PolicyMaker Software Update, received the prestigious CVE Compatibility Award
today from MITRE Corporation at the MIS Training Institute's InfoSec
World Conference & Expo in Orlando, FL."
The release also includes a quote by Kevin Sullivan, product manager for PolicyMaker products, who states: "DesktopStandard builds solutions that comply with industry standards, and the accepted standard for vulnerability definitions is critical for us to support. We see CVE support as an essential step to protect our customers from security threats and provide them with the optimum solution for deploying software update policy across their networks. We build software to support entire networks, so we had better be compliant with standards."
DesktopStandard Corporation and PolicyMaker Software Update are listed on the CVE-Compatible Products and Services page.
Date: 3/2005
Publication: MITRE Corporation Web Site
Byline: Robert A. Martin
Title: "White Paper: Transformational Vulnerability Management Through Standards"
Excerpt or Summary:
CVE is a main topic of this MITRE white paper by CVE Compatibility
Lead Robert A. Martin. The paper discusses the DOD's new
enterprise licenses for vulnerability assessment and remediation
tools that require using capabilities that conform to the CVE
and OVAL standards efforts. A version of the paper was also published
in the May 2005 issue of CrossTalk,
The Journal of Defense Engineering.
Date: 3/2005
Publication: Security Innovation, Inc. Web Site
Byline: Richard Ford, Herbert H. Thompson, Fabien Casteran
Headline: "Role Comparison Report – Web Server Role"
Excerpt or Summary:
CVE was the underpinning for this study by Security Innovation, Inc.
that compared Linux versus Windows in terms of security vulnerabilities.
The authors state: "In our analysis, we refer to a vulnerability
as distinct if it has its own CVE or CAN identifier." In a
section entitled "MITRE CVE List" the study describes
what CVE is, mentions the CVE Editorial Board, explains the difference
between CVE names with official entry status and CVE names with
candidate status, and includes links to the CVE Web site.
In addition, the authors used the National Institute of Standards and Technology's (NIST) ICAT database—which NIST describes as a "CVE Vulnerability Search Engine"—to determine the severity of each vulnerability identified in the study. NIST is a member of the CVE Editorial Board and ICAT is listed on the CVE-Compatible Products and Services page.
Date: 3/2005
Publication: Communication News
Byline: Gary Miliefsky
Headline: "Shore up your network"
Excerpt or Summary:
CVE is mentioned in this article when the author uses CVE names as
synonyms when referring to vulnerabilities: "Once the appliance
detects a new system or device, it should scan or audit that system
as soon as possible for CVEs that a hacker could exploit."
Date: 3/2005
Publication: Online Glossary of Security Terms
Byline: WatchGuard Technologies, Inc.
Headline: "CVE-compatible"
Excerpt or Summary:
"CVE-compatible" is included as an entry in this online
encyclopedia, along with the following description: "Common
Vulnerabilities and Exposures (CVE) is a list of standardized names
for vulnerabilities and other information security exposures, whose
aim is to standardize the names for all publicly known vulnerabilities
and security exposures. "CVE-compatible" means that a tool,
Web site, database, or service uses CVE names in a way that allows
it to cross-link with other repositories that use CVE names."
Date: 3/27/2005
Publication: Beyond Security Ltd. Web Site
Title: "Beyond Security Now CVE Compatible"
Excerpt or Summary:
CVE compatibility was the main topic of this press release by Beyond
Security Ltd. announcing that its "Security Assessment Service
is now [fully] CVE-compatible." The release also includes
a quote by Aviram Jenik, CEO of Beyond Security, who states: "CVE
compatibility may seem awfully techy to some, but we feel it
is important to embrace the evolving standards necessary to better
audit networks security vulnerabilities."
Beyond Security Ltd. and its Automated Scanning Appliance; Automated Scanning Service-External Scanning; Automated Scanning Service-Service Provider Platform; and Automated Scanning Service-Product Audits are listed on the CVE-Compatible Products and Services page.
Date: 3/27/2005
Publication: PRWeb.com
Title: "Beyond Security Now CVE Compatible"
Excerpt or Summary:
This is a reprint of the Beyond Security Ltd. press release above
announcing that its Security Assessment Services are now officially
CVE-Compatible. Beyond Security Ltd. and its Automated Scanning
Appliance; Automated Scanning Service-External Scanning; Automated
Scanning Service-Service Provider Platform; and Automated Scanning
Service-Product Audits, are listed on the CVE-Compatible
Products and Services page.
Date: 3/27/2005
Publication: Newspad.com
Title: "Beyond Security Now CVE Compatible"
Excerpt or Summary:
This is a reprint of the Beyond Security Ltd. press release above
announcing that its Security Assessment Services are now officially
CVE-Compatible. Beyond Security Ltd. and its Automated Scanning
Appliance; Automated Scanning Service-External Scanning; Automated
Scanning Service-Service Provider Platform; and Automated Scanning
Service-Product Audits, are listed on the CVE-Compatible
Products and Services page.
Date: 3/2/2005
Publication: Webopedia
Headline: "CVE"
Excerpt or Summary:
CVE is included as an entry in this online encyclopedia, along with
the following description: "CVE is a dictionary-type list
of standardized names for vulnerabilities and other information
related to security exposures. CVE aims to standardize the names
for all publicly known vulnerabilities and security exposures.
The goal of CVE is to make it easier to share data across separate
vulnerable databases and security tools." The entry also includes
a link to the CVE Web site.
Date: 3/1/2005
Publication: MarketWire.com
Headline: "Configuresoft CTO Dennis Moreau Tapped for OVAL Board"
Excerpt or Summary:
CVE was mentioned in this press release from Configuresoft, Inc. regarding the appointment of Dr. Dennis Moreau, chief technology officer for Configuresoft, to the OVAL Board of industry representatives for the Open Vulnerability and Assessment Language (OVAL) project. The release mentions CVE when it states that OVAL vulnerability definitions are based upon CVE names: "OVAL builds upon Common Vulnerabilities and Exposures (CVE), a dictionary of standardized names and descriptions for publicly known information security vulnerabilities and exposures, developed by MITRE in cooperation with the international security community."
Date: 2/22/2005
Publication: SmallBusinessComputing.com
Byline: Joseph Moran
Headline: "BUYER'S GUIDE: Is Your Network in Compliance? Call in Auditor 16"
Excerpt or Summary:
CVE was mentioned in this product review of PredatorWatch, Inc.'s PredatorWatch Auditor 16 product. CVE is mentioned when the author describes how the product works: "Auditor 16 checks the audits it conducts against the CVE List, which is funded by the U.S. Department of Homeland Security and maintained by The MITRE Corporation. CVE is an abbreviation for Common Vulnerabilities and Exposures, and the CVE List is a standardized dictionary of thousands of publicly known security problems affecting a host of products. These include Windows and Linux-based servers like Web, mail, FTP and database applications, as well as operating systems, client applications, routers, firewalls and so forth." The author also refers to vulnerabilities as CVEs as he describes how he tested the product.
PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor 16 and Update Service, PredatorWatch Auditor 128 and Update Service, and PredatorWatch Auditor Enterprise and Update Service were each awarded official "Certificates of CVE Compatibility" in November 2004.
Date: 2/22/2005
Publication: PCWorld.com
Byline: Paul Roberts
Headline: "How Serious Is That Security Flaw? Microsoft and Symantec are backing a plan to create a severity scoring system for software holes."
Excerpt or Summary:
This article discusses the creation of the Common Vulnerability Scoring
System (CVSS) and is a reprint of the article that appeared in
Computerworld as described below.
Date: 2/18/2005
Publication: Computerworld.com
Byline: Paul Roberts
Headline: "RSA: Major companies tout new vulnerability rating system; The Common Vulnerability Scoring System was unveiled yesterday"
Excerpt or Summary:
This article discusses the creation of the Common Vulnerability Scoring
System (CVSS), which if adopted "would provide a common language
for describing the seriousness of computer security vulnerabilities
and replace vendor-specific rating systems."
CVE is mentioned in a statement by Gerhard Eschelbeck of Qualys, Inc.: "The new rating system will be akin to the Common Vulnerabilities and Exposures (CVE) database maintained by MITRE, which provides standard identifiers and information about software holes. As with CVE, vendors will most likely use CVSS ratings as a common base of reference but continue to offer their own analysis or threat assessments."
The article describes the CVSS proposal in detail and states that it is "part of a project by the National Infrastructure Advisory Council [NIAC] to create a global framework for disclosing information about security vulnerabilities." The article also notes that the new rating system was created by NIAC, which is part of the U.S. Department of Homeland Security, and members of the IT industry including "eBay Inc., Qualys Inc., Internet Security Systems Inc. and MITRE Corp." Also mentioned in the article as supporting CVSS are "Cisco Systems Inc., Microsoft Corp. and Symantec Corp."
Of the organizations mentioned above, Cisco Systems Inc.; Internet Security Systems, Inc.; Qualys, Inc.; Microsoft Corporation; and Symantec Corporation are members of the CVE Editorial Board, and Cisco Systems Inc.; Internet Security Systems, Inc.; Qualys, Inc.; and Symantec Corporation are listed on the CVE-Compatible Products and Services page. In addition, MITRE Corporation maintains CVE, which is sponsored by US-CERT at the U.S. Department of Homeland Security, and provides impartial technical guidance to the Editorial Board on all matters related to ongoing development of CVE.
Date: 2/18/2005
Publication: Infoworld.com
Byline: Paul Roberts
Headline: "Major companies team on vulnerability rating system: Cisco, Microsoft, and Symantec are among the vendors promoting a standard for assessing software vulnerabilities"
Excerpt or Summary:
This article discusses the creation of the Common Vulnerability Scoring
System (CVSS) and is a reprint of the article that appeared in
Computerworld as described above.
Date: 2/8/2005
Publication: InternetNews.com
Byline: Sean Michael Kerner
Headline: "Microsoft Issues Major Patch Release in Feb. Cycle"
Excerpt or Summary:
CVE was mentioned throughout this article discussing the contents of eleven recent security bulletins from Microsoft Corporation. In addition to describing the issues covered by each bulletin, the article also includes the CVE candidate for each issue.
Microsoft Corporation is a member of the CVE Editorial Board and is listed on the Organizations with CVE Names in Vulnerability Advisories page.
Date: 2/2/2005
Publication: GRIDtoday
Headline: "ArcSight's Raffael Marty Appointed to MITRE OVAL Board"
Excerpt or Summary:
This article is based upon the ArcSight, Inc. news release announcing
Raffael Marty's appointment to the OVAL Board of industry representatives
for the Open Vulnerability and Assessment Language (OVAL) project.
The release mentions CVE when it states that OVAL vulnerability
definitions are based upon CVE names: "OVAL is based on Common
Vulnerabilities and Exposures, a dictionary of standardized names
and descriptions for publicly known information security vulnerabilities
and exposures developed by The MITRE Corporation in cooperation
with the international security community."
Date: 1/2005
Publication: Answers.com
Headline: "CVE"
Excerpt or Summary:
CVE is included as an entry in this online encyclopedia, along with
the following description: "CVE (Common Vulnerabilities and
Exposures) - A list of information security exposures and vulnerabilities
sponsored by US-CERT and maintained by the MITRE Corporation. The
CVE mission is to provide standard names for all publicly known
security exposures as well as standard definitions for security
terms. The CVE can be searched online using the ICAT Metabase at
www.icat.nist.cog/icat.cfm or downloaded in several formats from
MITRE Corporation at www.cve.mitre.org/cve. See ICAT
Metabase."
National Institute of Standards and Technology's (NIST) ICAT database is listed on the CVE-Compatible Products and Services page, and NIST is a member of the CVE Editorial Board.
Date: 1/2005
Publication: AuditMyPC.com
Headline: "CVE"
Excerpt or Summary:
CVE is included as an entry in this online encyclopedia, along with
the following description: "CVE is an acronym for Common Vulnerabilities
and Exposures."
Date: 1/2005
Publication: InternetAdSales.com
Headline: "Common Vulnerabilities and Exposures (CVE)"
Excerpt or Summary:
CVE is included as a listing in the Resource Center section of
this Web site under the "Internet Security & Firewalls" category.
The listing includes the CVE name, a link to the CVE Web site,
and a brief explanation that CVE is "A searchable [list]
of internet security problems."
Date: 1/26/2005
Publication: TechNewsWorld
Byline: Jennifer LeClaire
Headline: "Apple Issues Patch To Fix Security Hole in OS X"
Excerpt or Summary:
CVE is mentioned in this article about a security advisory from Apple Computer,
Inc. when it refers to text on the Apple Web site that states: "Where
possible, CVE (Common Vulnerabilities and Exposures) IDs are used to reference
the vulnerabilities for further information."
Apple Computer, Inc. is listed on the Organizations
with CVE Names in Vulnerability Advisories page.
Date: 1/20/2005
Publication: ITSecurity.com
Headline: "Secure Elements Enters Compatibility Phase of the Common Vulnerabilities and Exposures Evaluation Process"
Excerpt or Summary:
CVE compatibility was the main topic of this article about Secure Elements,
Inc. making a declaration of its intent to make its Class 5 AVR automated
vulnerability remediation product CVE-compatible. The article describes what
CVE is and isn't, explains the CVE compatibility process, mentions the CVE
Editorial Board, and includes a link to the CVE Web site.
The article states: "Secure Elements has completed the declaration phase of the two-step CVE certification process. In approximately three months the certification is expected to be complete and Secure Elements CLASS 5 AVR will be deemed "CVE compatible," a distinction certifying that the solution uses vulnerability names in a manner that allows them to be cross-referenced with other products that employ CVE names, ensuring enhanced interoperability and security for enterprises."
The article also includes a quote from Chief Technology Officer of Secure Elements Dan Bezilla, who states: "CLASS 5 AVR combines vulnerability information from a myriad of sources to provide the most complete vulnerability coverage possible for our customers. In working toward a CVE compatibility certification Secure Elements is demonstrating its dedication to better network security, as well as its commitment to providing zero-day exploit remediation to our customers when new vulnerabilities occur."
Secure Elements, Inc. and Class 5 AVR are listed on the CVE-Compatible Products and Services page.
Date: 1/18/2005
Publication: InternetNews.com
Byline: Sean Michael Kerner
Headline: "PredatorWatch Prowling For CVEs"
Excerpt or Summary:
CVE was mentioned throughout this article about PredatorWatch, Inc.'s
PredatorWatch Auditor 16 product. The author states: "Buried
inside the vast majority of security advisories and patches issued
by vendors and the security community is a standardized naming convention
called CVE (Common
Vulnerabilities and Exposures)." The author continues:
"A new tool from security vendor PredatorWatch aims to take
advantage of the CVE "dictionary" in order to provide
a greater level of security than either a firewall or anti-virus
solution alone can provide. The product does that by striking at
the heart of the issue, vulnerability (in the form of CVE's) assessment
itself."
The article describes what CVE is, mentions that it was launched in 1999, notes that the initiative is sponsored by US-CERT at the Department of Homeland Security, includes a link to the CVE Web site, and states that "According to PredatorWatch, 95 percent of all network security breaches are the result of [CVE names]." The author further notes: "In PredatorWatch's opinion, [the vulnerabilities listed by CVE names] are at the root of most malware, Trojans and viruses." The article also includes a quote from Gary Miliefsky, PredatorWatch CEO, who states: "So if you have a common vulnerability and exposure/CVE on your computer that malware/Trojan/virus can take advantage of that and compromise you."
The article also includes a quote by CVE Compatibility Lead Robert A. Martin, who mentions that CVE names would be especially effective to help the media and IT managers to demystify viruses, worms, and malware: "They're not some magical creatures that can go through a solid surface. They have to take advantage of a flaw in your process or a flaw. If people were aware that these are open windows and doors maybe they would appreciate that closing those windows and locking those doors is a good idea."
PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor 16 and Update Service, PredatorWatch Auditor 128 and Update Service, and PredatorWatch Auditor Enterprise and Update Service were each awarded an official "Certificate of CVE Compatibility" on November 18, 2004.
Date: 1/16/2005
Publication: ArcSight Web Site
Headline: "ArcSight's Raffael Marty Appointed to MITRE OVAL (Open Vulnerability [and] Assessment Language) Board"
Excerpt or Summary:
CVE was mentioned in this press release from ArcSight, Inc. regarding the appointment
of Raffael Marty of ArcSight to the OVAL Board of industry representatives
for the Open Vulnerability and Assessment Language (OVAL) project. The release
mentions CVE when it states that OVAL vulnerability definitions are based
upon CVE names: "OVAL is based on Common Vulnerabilities and Exposures
(CVE®), a dictionary of standardized names and descriptions for publicly
known information security vulnerabilities and exposures developed by The
MITRE Corporation in cooperation with the international security community."
Date: 1/4/2005
Publication: MarketWire.com
Excerpt or Summary:
CVE was mentioned in this press release by Govplace regarding their
arrangement with PredatorWatch, Inc. as a reseller. CVE is mentioned
in a statement about PredatorWatch's Auditor Enterprise: "The
appliance provides true proactive network security by dynamically
detecting and automatically quarantining Common Vulnerabilities
and Exposures (CVEs) at the port level. CVEs are the weak spots
on a network that are the systemic cause of over 95 percent of
all network security breaches." The release also notes that
CVE is a "federally funded list of CVEs maintained by the
MITRE Corporation."
CVE is also mentioned in a quote by Gary Miliefsky, president and CEO of PredatorWatch, who states: "Auditor Enterprise enables Govplace to help these organizations proactively protect their networks by dynamically detecting, auditing and blocking CVEs, the real network security culprits which go largely undetected and uncorrected especially from unknown and untrusted systems."
PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor Enterprise and Update Service, PredatorWatch Auditor 128 and Update Service, and PredatorWatch Auditor 16 and Update Service were each awarded official "Certificates of CVE Compatibility" in November 2004.