CVE - 2011 News & Events (Archive)

2011 News & Events (Archive)

December 29, 2011

CVE Mentioned in Department of Homeland Security’s "Blueprint for a Secure Cyber Future"

CVE is mentioned in the December 12, 2011 release of the U.S. Department of Homeland Security’s "Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise" on the DHS Web site.

The blueprint, as described on the DHS blog, "outlines an integrated approach to enable the homeland security community to leverage existing capabilities and promote technological advances that make government, the private sector and the public safer, more secure, and more resilient online. Specific actions outlined in the strategy range from hardening critical networks and prosecuting cybercrime to raising public awareness and training a national cybersecurity workforce. Cybersecurity is a shared responsibility, and each of us has a role to play. In today’s interconnected world, emerging cyber threats require the engagement of our entire society including government and law enforcement, the private sector, and members of the public. In preparing this strategy, the Department benefited from the constructive engagement of representatives from state and local governments, industry, academia, non-governmental organizations, and many dedicated individuals from across the country. As we implement this strategy, DHS will continue to work with partners across the homeland security enterprise to implement the goals outlined in the Blueprint."

CVE is mentioned in the blueprint itself as one of two "Core capabilities for the homeland security enterprise in the "Increase Technical and Policy Interoperability Across Devices" subsection of the "Build Collaborative Communities" section of the blueprint, as follows: "On a device-to-device level, strengthen collaboration, create new intelligence, hasten learning, and improve situational awareness … A proven ability to communicate about cyber incidents through standardized dictionaries of key informational elements, including software vulnerabilities, weaknesses, patterns of attack, and malware classification as well as security content that is structured for automated sharing where appropriate. Resources include the National Vulnerability Database, Common Vulnerabilities and Exposures (CVE), and the Information Assurance Checklists housed on the National Checklist Program."

The blueprint is available for free download at http://www.dhs.gov/files/publications/blueprint-for-a-secure-cyber-future.shtm.

Beijing Venustech Security Inc. Makes Declaration of CVE Compatibility

Beijing Venustech Security Inc. declared that its unified threats management firewall, Venusense Unified Security Gateway, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

TrustSign Makes Declaration of CVE Compatibility

TrustSign declared that its vulnerability assessment and remediation service, Selos de Segurança, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

December 12, 2011

CVE IDs Now Mapped to DISA’s Information Assurance Vulnerability Alerts

CVE IDs are now mapped to the U.S. Defense Information System Agency’s (DISA) Information Assurance Vulnerability Management (IAVM) alerts, free downloads of which are available in Microsoft Excel (XLS) and Extensible Markup Language (XML) format on DISA’s public Security Technical Implementation Guides (STIG) Web site.

CVE Included in Article about Tool that Automatically Detects Vulnerabilities in Embedded Linux Libraries in SC Magazine

CVE was included in a November 22, 2011 article entitled "Tool kills hidden Linux bugs, vulnerabilities" on SCMagazine.com. The tool, which "automatically detecting bugs and vulnerabilities in embedded Linux libraries," uses CVE IDs to perform the analysis. The tool "correlates vulnerability advisory CVEs for third party libraries to determine if holes have carried over to Linux platforms or have not been patched" and is meant to replace what was previously a manual process. The tool was created by Australian researcher Silvio Cesare as part of his PhD at Deakin University Australia. The author concludes the article by stating that the researcher intends to "publish an academic paper on the subject and plans to [similarly] conduct binary analysis for Windows platforms."

November 9, 2011

CVE/Making Security Measurable Booth and SCAP/SwA Briefings at IT Security Automation Conference 2011

MITRE hosted a CVE/Making Security Measurable booth and participated in workshops about the Making Security Measurable, CVE, CCE, CPE, OVAL, XCCDF, ARF, CWE, CAPEC, CEE,and MAEC efforts at the U.S. National Institute of Standards and Technology’s (NIST) 7th Annual IT Security Automation Conference on October 31 – November 2, 2011 in Arlington, Virginia, USA.

NIST’s Security Content Automation Protocol (SCAP) employs existing and emerging community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the eight open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other seven standards are Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; Open Checklist Interactive Language (OCIL), a standard language for expressing and evaluating non-automated security checks; Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities; and Common Configuration Scoring System (CCSS), a standard for conveying and scoring the impact of software security configuration issues.

Visit the CVE Calendar for information on this and other events.

October 28, 2011

1 Product from Packet Storm Corporation Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 124 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Packet Storm

Packet Storm Security Web site

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

October 20, 2011

Packet Storm Security Makes Declaration of CVE Compatibility

Packet Storm Security declared that its Packet Storm Security Web site is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

October 6, 2011

CVE/Making Security Measurable Booth and SCAP/SwA Briefings at IT Security Automation Conference 2011, October 31 – November 2

MITRE will host a CVE/Making Security Measurable booth and present briefings and/or participate on discussion panels about the Making Security Measurable, CVE, CCE, CPE, OVAL, XCCDF, ARF, CWE, CAPEC, and MAEC efforts at the U.S. National Institute of Standards and Technology’s (NIST) 7th Annual IT Security Automation Conference on October 31 – November 2, 2011 in Arlington, Virginia, USA.

Visit the CVE Calendar for information on this and other events.

CVE/Making Security Measurable Briefing and CWE/CAPEC/MAEC Briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop

CVE Compatibility Lead and CWE/CAPEC Program Manager Robert A. Martin presented a CVE/Making Security Measurable briefing and a CWE/CAPEC/MAEC briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop on September 26, 2011 in Linthicum Heights, Maryland, USA.

In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a Software Assurance briefing.

Visit the CVE Calendar for information on this and other events.

September 7, 2011

1 Product from SECUI.COM Corporation Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 123 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

SECUI.COM Corporation

SECUI SCAN

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE/Making Security Measurable Briefing and CWE/CAPEC/MAEC Briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop, September 26

CVE Compatibility Lead and CWE/CAPEC Program Manager Robert A. Martin will present a CVE/Making Security Measurable briefing and a CWE/CAPEC/MAEC briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop on September 26, 2011 in Linthicum Heights, Maryland, USA.

In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a Software Assurance briefing.

Visit the CVE Calendar for information on this and other events.

August 18, 2011

1 Product from Application Security, Inc. Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 122 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Application Security, Inc.

TeamSHATTER

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE/Making Security Measurable Briefing at GFIRST 2011

CVE Compatibility Lead and CWE/CAPEC Program Manager Robert A. Martin, CWE/CAPEC Co-Founder and Architect Sean Barnum and MAEC Program Manager Penny Chase presented a CWE/CAPEC/MAEC briefing and a Making Security Measurable at GFIRST National Conference 2011 on August 8-12, 2011 at the Gaylord Opryland Hotel & Convention Center in Nashville, Tennessee, USA.

Visit the CVE Calendar for information on this and other events.

August 4, 2011

CVE/Making Security Measurable Briefing at GFIRST 2011, August 8-12

CVE Compatibility Lead and CWE/CAPEC Program Manager Robert A. Martin, CWE/CAPEC Co-Founder and Architect Sean Barnum and MAEC Program Manager Penny Chase will present a CWE/CAPEC/MAEC briefing and a Making Security Measurable at GFIRST National Conference 2011 on August 8-12, 2011 at the Gaylord Opryland Hotel & Convention Center in Nashville, Tennessee, USA.

Visit the CVE Calendar for information on this and other events.

CVE/Making Security Measurable Booth at Black Hat Briefings 2011

MITRE hosted a CVE/Making Security Measurable booth at Black Hat Briefings 2011 on August 3-4, 2011 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how the CVE, CCE, CPE, CAPEC, CWE, CEE, MAEC, OVAL, etc., information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

July 19, 2011

CVE/Making Security Measurable Booth at Black Hat Briefings 2011

MITRE will host a CVE/Making Security Measurable booth at Black Hat Briefings 2011 on August 3-4, 2011 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 307 and say hello!

Visit the CVE Calendar for information on this and other events.

July 1, 2011

SECUI.COM Corporation Makes Declaration of CVE Compatibility

SECUI.COM Corporation declared that its vulnerability assessment tool, SECUI SCAN, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

Briefing Slides from Security Automation Developer Days 2011 Now Available

21 briefing presentations from the sessions at the Security Automation Developer Days 2011 conference on June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA are now available for download on the Events & Participation page on the Making Security Measurable Web site.

June 10, 2011

1 Product from Fortinet, Inc. Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 121 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Fortinet, Inc.

FortiGuard

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE Included as Reporting Requirement in 2011 FISMA Continuous Monitoring Compliance Document

CVE was included in the 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics document issued on June 1, 2011 by the U.S. Department of Homeland Security and National Institute of Standards and Technology. The document provides cybersecurity status reporting metrics for government agencies under the Federal Information Security Management Act (FISMA) that focus on the ability to automate system monitoring and security controls.

CVE is included as a reporting requirement in Section 4, Vulnerability Management: "Provide the number of Agency information technology assets where an automated capability provides visibility at the Agency level into detailed vulnerability information (Common Vulnerabilities and Exposures — CVE)."

CVE is included again as a reporting requirement in Section 12, Software Assurance, subsection 12.1b., which states: "Provide the number of the information systems above (12.1a) where the tools generated output compliant with: 12.1b (1). Common Vulnerabilities and Exposures (CVE) 12.1b (2). Common Weakness Enumeration (CWE) 12.1b (3). Common Vulnerability Scoring System (CVSS) 12.1b (4). Open Vulnerability and Assessment Language (OVAL)."

CVE Mentioned in Government Computer News Article about Security Reporting Metrics

CVE was mentioned in a June 6, 2011 article entitled "Agencies get a tool for measuring their security: Reporting metrics assess automation, real-time monitoring" in Government Computer News. The main topic of the article is the June 1st release of the 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics document regarding cybersecurity status reporting metrics for government agencies focusing on the ability to automate system monitoring and security controls. CVE is mentioned when the author discusses some of the reporting requirements: "Agencies also are to report on their ability to remotely detect and block unauthorized software on the network, including their capability to use the Common Vulnerabilities and Exposures database."

Registration Now Closed for MITRE’s Security Automation Developer Days 2011 on June 14-17

Registration is now closed for MITRE’s free Security Automation Developer Days 2011 conference scheduled for June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA. For the event agenda, lodging, and other conference details please visit the conference details page.

June 3, 2011

Agenda Now Available for MITRE’s Security Automation Developer Days 2011 on June 14-17

The agenda for MITRE’s free Security Automation Developer Days 2011 conference scheduled for June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA is now available at https://makingsecuritymeasurable.mitre.org/participation/devdays.html#2011.

May 5, 2011

MITRE to Host Security Automation Developer Days 2011 on June 14-17

MITRE Corporation will host the third Security Automation Developer Days conference on June 14-17, 2011, at MITRE in Bedford, Massachusetts, USA. This four-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including CVE, Open Vulnerability and Assessment Language (OVAL®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop. MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community.

An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/.

CVE Mentioned in Article about Cybersecurity Collaboration in InformationWeek

CVE was mentioned in an article entitled "Why Cybersecurity Partnerships Matter" in InformationWeek on March 26, 2011. The main topic of the article is why the "public and private sectors must collaborate in new ways to ward off dangerous threats to critical systems and IT infrastructure."

The author describes three ways such partnerships can improve cybersecurity: "First, the public and private sectors need to share more information — more parties must be included and new platforms used. Second, they must pay more attention to defending against attacks that threaten critical IT infrastructure and even damage physical facilities. Third, their collaboration must be ratcheted up to the next level — real-time identification and response as threats occur" [and so security practices are proactive and preemptive rather than reactionary]."

CVE is mentioned when the author states: "The opportunity is in harnessing a wider array of perspectives and ideas than happens now with a closed loop of participants. We know it’s possible because we do it already with software and hardware vulnerabilities in the form of the Common Vulnerability and Exposures, or CVE. With MITRE as the editor and numbering authority for CVE identifiers, data gets collected and used across the industry."

April 21, 2011

2 Products from Hangzhou DPtech Technologies Now Registered as Officially "CVE-Compatible"

Two additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 120 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Hangzhou DPtech Technologies Co., Ltd.	-	DPtech IPS2000
		DPtech Scanner1000

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

MITRE Hosts CVE/Making Security Measurable Booth at InfoSec World 2011

MITRE hosted a CVE/Making Security Measurable booth at InfoSec World Conference & Expo 2011 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 19-21, 2011. Attendees learned how the CVE, CCE, CPE, CAPEC, CWE, CEE, MAEC, OVAL, etc. information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

April 8, 2011

CVE Included in Department of Homeland Security’s Enabling Distributed Security in Cyberspace White Paper

CVE was included in the U.S. Department of Homeland Security (DHS) Enabling Distributed Security in Cyberspace white paper published on March 23, 2011 on the DHS Web site Blog. The main topic of the white paper is "how prevention and defense can be enhanced through three security building blocks: automation, interoperability, and authentication. If these building blocks were incorporated into cyber devices and processes, cyber stakeholders would have significantly stronger means to identify and respond to threats — creating and exchanging trusted information and coordinating courses of action in near real time."

The paper defines Interoperability as already being "enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation …" and is comprised of (1) Enumerations "of the fundamental entities of cybersecurity" and lists CVE, CCE, CPE, CWE, and CAPEC; (2) Languages and Formats that "incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports" and lists OVAL, CEE, and MAEC; and (3) Knowledge Repositories that "contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others" that are based upon or incorporate data from these standards.

The paper also states that these eight established community enumeration and language standards that have been in use within the community for years can be further leveraged moving forward because they are "standards [that] build upon themselves to expand functionality over time", and projections of that expanding utility are provided through 2014.

The white paper is available to view or download at http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf.

Hangzhou DPtech Technologies Co., Ltd. Makes Two Declarations of CVE Compatibility

Hangzhou DPtech Technologies Co., Ltd. declared that its network-based intrusion prevention system, DPtech IPS2000, and its network and application vulnerability scanner, DPtech Scanner1000, are CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

Fortinet, Inc. Makes Declaration of CVE Compatibility

Fortinet, Inc. declared that its FortiGuard security advisories archive and vulnerability and compliance management service is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE to Host CVE/Making Security Measurable Booth at InfoSec World 2011, April 19-21

MITRE will host a CVE/Making Security Measurable booth at InfoSec World Conference & Expo 2011 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 19-21, 2011.

Members of the CVE Team will be in attendance. Please stop by Booth 307 and say hello!

Visit the CVE Calendar for information on this and other events.

March 23, 2011

1 Product from Application Security, Inc. Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 118 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Application Security, Inc.

AppDetectivePro

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

MITRE Hosts CVE/Making Security Measurable Booth at 2011 Information Assurance Symposium

MITRE hosted a CVE/Making Security Measurable booth at the 2011 Information Assurance Symposium in Nashville, Tennessee, USA, on March 8-10, 2011. The symposium is designed to bring together industry, government, and military information assurance (IA) professionals with the latest available IA products and solutions. Attendees learned how information security data standards CVE, CCE, CPE, CAPEC, CWE, CEE, MAEC, OVAL, etc. facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

March 4, 2011

3 Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

Three additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 117 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Rsam	-	Rsam Enterprise Governance, Risk and Compliance Platform
NSFocus Information Technology (Beijing) Co., Ltd.	-	NSFOCUS Network Intrusion Prevention System (NIPS)
NSFocus Information Technology (Beijing) Co., Ltd.	-	NSFOCUS Security Gate (SG)

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

MITRE to Host CVE/Making Security Measurable Booth at 2011 Information Assurance Symposium, March 8-10

MITRE will host a CVE/Making Security Measurable booth at the 2011 Information Assurance Symposium in Nashville, Tennessee, USA, on March 8-10, 2011. The symposium is designed to bring together industry, government, and military information assurance (IA) professionals with the latest available IA products and solutions.

Members of the CVE Team will be in attendance. Please stop by Booth 217 and say hello!

Visit the CVE Calendar for information on this and other events.

MITRE Hosts CVE/Making Security Measurable Booth at RSA 2011

MITRE hosted a Making Security Measurable booth at RSA 2011 at the Moscone Center in San Francisco, California, USA, on February 14-18, 2011. Attendees learned how information security data standards CVE, CCE, CPE, CAPEC, CWE, CEE, MAEC, OVAL, etc. facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

CVE Adopter photos:

Making Security Measurable booth photos:

Visit the CVE Calendar for information on this and other events.

February 14, 2011

CVE List Surpasses 45,000 CVE Identifiers

The CVE Web site now contains 45,069 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. CVE IDs are also used to uniquely identify vulnerabilities in public watch lists such as the SANS Top Cyber Security Risks and OWASP Top 10 Web Application Security Issues.

CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL) effort uses CVE IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information that is synchronized with and based on the CVE List also includes Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

Each of the 45,000+ identifiers on the CVE List includes the following: CVE Identifier number (i.e., "CVE-1999-0067"); brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look-up an individual identifier. Fix information and enhanced searching of CVE is available from NVD.

February 4, 2011

1 Product from Neusoft Corporation Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 114 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Neusoft Corporation

NISG-IPS

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

MITRE to Host CVE/Making Security Measurable Booth at RSA 2011, February 14-18

MITRE is scheduled to host a Making Security Measurable booth at RSA 2011 at the Moscone Center in San Francisco, California, USA, on February 14-18, 2011. Members of the CVE Team will be in attendance. Please stop by Booth 2617 and say hello!

Visit the CVE Calendar for information on this and other events.

MITRE Hosts CVE/Making Security Measurable Booth at Black Hat DC 2011

MITRE hosted a CVE/Making Security Measurable booth at Black Hat DC 2011, on January 18-19, 2011 in Arlington, Virginia, USA. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

January 3, 2011

2 Products from Secunia Now Registered as Officially "CVE-Compatible"

Two additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 113 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Secunia	-	Secunia Vulnerability Intelligence Manager (VIM)
		Secunia Vulnerability Database Website

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Radware Ltd. Makes Declaration of CVE Compatibility

Radware Ltd. declared that its network intrusion prevention and attack mitigation system, DefensePro, will be CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2011

MITRE has announced its initial Making Security Measurable calendar of events for 2011. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Black Hat DC 2011, January 18-19, 2011
RSA Conference 2011, February 14-18, 2011
2011 Information Assurance Symposium, March 8-10, 2011
InfoSec World Conference & Expo 2011, April 19-21, 2011

Other events may be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have MITRE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CWE, MAEC, CEE, OVAL, Software Assurance, and/or Making Security Measurable at your event.