Industry News Coverage (Archive)
Below is a comprehensive monthly review of the news and other media’s coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
Department of Homeland Security Web Site, December 12, 2011
CVE is mentioned in the December 12, 2011 release of the U.S. Department of Homeland Security’s "Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise" on the DHS Web site.
The blueprint, as described on the DHS blog, "outlines an integrated approach to enable the homeland security community to leverage existing capabilities and promote technological advances that make government, the private sector and the public safer, more secure, and more resilient online. Specific actions outlined in the strategy range from hardening critical networks and prosecuting cybercrime to raising public awareness and training a national cybersecurity workforce. Cybersecurity is a shared responsibility, and each of us has a role to play. In today’s interconnected world, emerging cyber threats require the engagement of our entire society including government and law enforcement, the private sector, and members of the public. In preparing this strategy, the Department benefited from the constructive engagement of representatives from state and local governments, industry, academia, non-governmental organizations, and many dedicated individuals from across the country. As we implement this strategy, DHS will continue to work with partners across the homeland security enterprise to implement the goals outlined in the Blueprint."
CVE is mentioned in the blueprint itself as one of two "Core capabilities for the homeland security enterprise in the "Increase Technical and Policy Interoperability Across Devices" subsection of the "Build Collaborative Communities" section of the blueprint, as follows: "On a device-to-device level, strengthen collaboration, create new intelligence, hasten learning, and improve situational awareness … A proven ability to communicate about cyber incidents through standardized dictionaries of key informational elements, including software vulnerabilities, weaknesses, patterns of attack, and malware classification as well as security content that is structured for automated sharing where appropriate. Resources include the National Vulnerability Database, Common Vulnerabilities and Exposures (CVE), and the Information Assurance Checklists housed on the National Checklist Program."
The blueprint is available for free download at http://www.dhs.gov/files/publications/blueprint-for-a-secure-cyber-future.shtm.
SC Magazine, November 22, 2011
CVE was included in a November 22, 2011 article entitled "Tool kills hidden Linux bugs, vulnerabilities" on SCMagazine.com. The tool, which "automatically detecting bugs and vulnerabilities in embedded Linux libraries," uses CVE-IDs to perform the analysis. The tool "correlates vulnerability advisory CVEs for third party libraries to determine if holes have carried over to Linux platforms or have not been patched" and is meant to replace what was previously a manual process. The tool was created by Australian researcher Silvio Cesare as part of his PhD at Deakin University Australia. The author concludes the article by stating that the researcher intends to "publish an academic paper on the subject and plans to [similarly] conduct binary analysis for Windows platforms."
The article was written by Darren Pauli.
SC Magazine, February 1, 2011
CVE was mentioned in an article entitled "Vulnerability Assessment" in SC Magazine in February 2011. CVE is mentioned when the author states: "In a VA of a large distributed enterprise, there are numerous challenges. Some of those include accessing the network, selecting device candidates and maintaining currency with exploits. Today’s pure-play VA tools focus on ease of use, VA functionality and certainty that they have the latest vulnerabilities covered. Almost all serious VA tools have references for common vulnerabilities and exposures (CVE), Bugtraq and other vulnerability sources. This allows a closer inspection of potential remediation beyond the short suggestions given by the tool." The author also recommends that organization use of Common Vulnerability Scoring System (CVSS) for CVEs as it is "vastly superior to the vendor-specific scoring systems that are inconsistent from vendor to vendor."
The article was written by Peter Stephenson.
Government Computer News, June 6, 2011
CVE was mentioned in a June 6, 2011 article entitled "Agencies get a tool for measuring their security: Reporting metrics assess automation, real-time monitoring" in Government Computer News. The main topic of the article is the June 1st release of the 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics document regarding cybersecurity status reporting metrics for government agencies focusing on the ability to automate system monitoring and security controls for Federal Information Security Management Act (FISMA) compliance. CVE is mentioned when the author discusses some of the reporting requirements: "Agencies also are to report on their ability to remotely detect and block unauthorized software on the network, including their capability to use the Common Vulnerabilities and Exposures database."
The article was written by William Jackson.
SANS Website, June 1, 2011
CVE was included in the 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics document issued on June 1, 2011 by the U.S. Department of Homeland Security and National Institute of Standards and Technology. The document provides cybersecurity status reporting metrics for government agencies under the Federal Information Security Management Act (FISMA) that focus on the ability to automate system monitoring and security controls. CVE is included as a reporting requirement in Section 4, Vulnerability Management: "Provide the number of Agency information technology assets where an automated capability provides visibility at the Agency level into detailed vulnerability information (Common Vulnerabilities and Exposures — CVE)." CVE is included again as a reporting requirement in Section 12, Software Assurance, subsection 12.1b., which states: "Provide the number of the information systems above (12.1a) where the tools generated output compliant with: 12.1b (1). Common Vulnerabilities and Exposures (CVE) 12.1b (2). Common Weakness Enumeration (CWE) 12.1b (3). Common Vulnerability Scoring System (CVSS) 12.1b (4). Open Vulnerability and Assessment Language (OVAL)."
InformationWeek, March 26, 2011
CVE was mentioned in an article entitled "Why Cybersecurity Partnerships Matter" in InformationWeek on March 26, 2011. The main topic of the article is why the "public and private sectors must collaborate in new ways to ward off dangerous threats to critical systems and IT infrastructure."
The author describes three ways such partnerships can improve cybersecurity: "First, the public and private sectors need to share more information — more parties must be included and new platforms used. Second, they must pay more attention to defending against attacks that threaten critical IT infrastructure and even damage physical facilities. Third, their collaboration must be ratcheted up to the next level — real-time identification and response as threats occur" [and so security practices are proactive and preemptive rather than reactionary]."
CVE is mentioned when the author states: "The opportunity is in harnessing a wider array of perspectives and ideas than happens now with a closed loop of participants. We know it’s possible because we do it already with software and hardware vulnerabilities in the form of the Common Vulnerability and Exposures, or CVE. With MITRE as the editor and numbering authority for CVE identifiers, data gets collected and used across the industry."
DHS Web Site, March 2011
CVE was included in the U.S. Department of Homeland Security (DHS) Enabling Distributed Security in Cyberspace white paper published on March 23, 2011 on the DHS Web site Blog. The main topic of the white paper is "how prevention and defense can be enhanced through three security building blocks: automation, interoperability, and authentication. If these building blocks were incorporated into cyber devices and processes, cyber stakeholders would have significantly stronger means to identify and respond to threats — creating and exchanging trusted information and coordinating courses of action in near real time."
The paper defines Interoperability as already being "enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation …" and is comprised of (1) Enumerations "of the fundamental entities of cybersecurity" and lists CVE, CCE, CPE, CWE, and CAPEC; (2) Languages and Formats that "incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports" and lists OVAL, CEE, and MAEC; and (3) Knowledge Repositories that "contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others" that are based upon or incorporate data from these standards.
The paper also states that these eight established community enumeration and language standards that have been in use within the community for years can be further leveraged moving forward because they are "standards [that] build upon themselves to expand functionality over time", and projections of that expanding utility are provided through 2014.
The white paper is available to view or download at http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf.