2012 News & Events (Archive)

December 19, 2012

2 Products from Huawei Technologies Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoTwo additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 135 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Huawei Technologies Co., Ltd. - Huawei Network Intelligent Protection System (NIP)
- Huawei Network Intrusion Detection System (NIP D)

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Opzoon Technology Makes Three Declarations of CVE Compatibility

Opzoon Technology Co., Ltd. declared that its Data Center Firewall, Application Firewall, and Security Gateway are CVE-Compatible. For additional information about these and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

Mozilla and Symantec Added as CVE Numbering Authorities (CNAs)

Mozilla Corporation and Symantec Corporation now listed as Software Vendors on the CVE Numbering Authority (CNA) page. CNAs are organizations that distribute CVE-ID numbers to researchers and information technology vendors for inclusion in first-time public announcements of new vulnerabilities, without directly involving MITRE in the details of the specific vulnerabilities.

Learn more about CNAs, including an introduction to CVE-ID reservation, role and requirements of CNAs, vendor liaisons, researcher responsibilities, and the process for requesting CVE-ID numbers, on the CVE Numbering Authority (CNA) page in the CVE List section.

December 7, 2012

1 Product from NGS Software Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoOne additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 133 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

NGS Software - NGS SQuirreL for Oracle

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Hewlett-Packard Makes Declaration of CVE Compatibility

Hewlett-Packard declared that its business-centric IT risk management product, HP EnterpriseView, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

November 1, 2012

ICS-CERT Added as a CVE Numbering Authority

Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is now listed as a third-party coordinator on the CVE Numbering Authority (CNA) page. CNAs are organizations that distribute CVE-ID numbers to researchers and information technology vendors for inclusion in first-time public announcements of new vulnerabilities, without directly involving MITRE in the details of the specific vulnerabilities.

Learn more about CNAs, including an introduction to CVE-ID reservation, role and requirements of CNAs, vendor liaisons, researcher responsibilities, and the process for requesting CVE-ID numbers, on the CVE Numbering Authority (CNA) page in the CVE List section.

CVE/Making Security Measurable Booth and SCAP/SwA Briefings at IT Security Automation Conference 2012

MITRE hosted a CVE/Making Security Measurable booth at IT Security Automation Conference 2012 on October 3-5, 2012 at Baltimore Convention Center in Baltimore Inner Harbor, Maryland, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

In addition, Common Weakness Enumeration (CWE™), Structured Threat Information Expression (STIX™), Trusted Automated eXchange of Indicator Information (TAXII™), Malware Attribute Enumeration and Characterization (MAEC™), and Open Vulnerability and Assessment Language (OVAL®) were briefing discussion topics.

Visit the CVE Calendar for information on this and other events.

October 1, 2012

CVE/Making Security Measurable Booth at IT Security Automation Conference 2012

CVE/Making Security Measurable booth at IT Security Automation Conference 2012 on October 3-5, 2012 at Baltimore Convention Center in Baltimore Inner Harbor, Maryland, USA.

Visit the CVE Calendar for information on this and other events.

Meeting Minutes from Security Automation Developer Days 2012 Now Available

Meeting minutes from the Security Automation Developer Days 2012 conference held on July 9-13, 2012 at MITRE Corporation in Bedford, Massachusetts, USA are now available on the Making Security Measurable Web site.

September 6, 2012

MITRE Hosts CVE/Making Security Measurable Booth at 2012 Information Assurance Expo

MITRE hosted a CVE/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

August 15, 2012

CVE/Making Security Measurable Booth at 2012 Information Assurance Expo, August 27-30

MITRE will host a CVE/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Please visit us at Booth 217 and say hello!

Visit the CVE Calendar for information on this and other events.

July 27, 2012

1 Product from Beijing Venustech Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoOne additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 132 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Beijing Venustech Cybervision Co., Ltd. - Venusense Web Application Gateway (Venusense WAG)

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Huawei Technologies Co., Ltd. Makes 2 Declarations of CVE Compatibility

Huawei Technologies Co., Ltd. declared that its intrusion prevention system, Huawei Network Intelligent Protection System (NIP), and its intrusion detection system, Huawei Network Intelligent Protection System (NIP D), are CVE-Compatible.

For additional information about these and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

BroadWeb Corporation, Ltd. Makes 2 Declarations of CVE Compatibility

BroadWeb Corporation, Ltd. declared that its intrusion and prevention systems, NetKeeper and EnforcerX, will be CVE-Compatible.

For additional information about these and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

CVE, CWE, and CWE/SANS Top 25 Mentioned in Article about Supply Chain Risk Management in CrossTalk Magazine

CVE, Common Weaknesses Enumeration (CWE™), and the CWE/SANS Top 25 Most Dangerous Programming Errors List are mentioned in an article entitled "Supply Chain Risk Management" in the March/April 2012 issue of CrossTalk Magazine: The Journal of Defense Software Engineering.

CVE, CWE, and the CWE/SANS Top 25 are mentioned in phase 2 of a section entitled "A Three-phase Code Analysis Process": "Look for common vulnerability patterns … analysts [should] make sure that code reviews cover the most common vulnerabilities and weaknesses. Sources for such common vulnerabilities and weaknesses include the Common Vulnerabilities and Exposures (CVE) and Common Weaknesses Enumeration (CWE) databases, maintained by the MITRE Corporation and accessible on the web at: <http://cve.mitre.org/cve/> and <http://cwe.mitre.org/>. MITRE, in cooperation with the SANS Institute, also maintains a list of the "Top 25 Most Dangerous Programming Errors [13]" that can lead to serious vulnerabilities. The top three classes of errors as of December 2010 were cross-site scripting, SQL injection, and buffer overflows. Static code analysis tool and manual techniques should at a minimum, address these Top 25." CWE and the CWE/SANS Top 25 are then cited again and described in more detail at the end of article in a section entitled "Useful Links".

MITRE Hosts CVE/Making Security Measurable Booth at Black Hat Briefings 2012

MITRE hosted a CVE/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

Briefing Slides from Security Automation Developer Days 2012 Now Available

22 briefing presentations from the Security Automation Developer Days 2012 conference held on July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA are now available for download on the Events and Participation page on the Making Security Measurable Web site.

July 2, 2012

MITRE to Host CVE/Making Security Measurable Booth at Black Hat Briefings 2012

MITRE will host a CVE/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 216 and say hello!

Visit the CVE Calendar for information on this and other events.

June 21, 2012

1 Product from High-Tech Bridge Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoOne additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 131 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

High-Tech Bridge SA - High-Tech Bridge Security Advisories

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Registration Now Closed for MITRE’s Security Automation Developer Days 2012 on July 9-13

Registration is now closed for MITRE’s free Security Automation Developer Days 2012 conference scheduled for July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA. For the event agenda, lodging, and other conference details please visit the conference details page.

June 8, 2012

1 Product from Positive Technologies Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoOne additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 130 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Positive Technologies CJSC - MaxPatrol

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

June 4, 2012

Agenda Now Available for MITRE’s Security Automation Developer Days 2012 on July 9-13

The agenda for MITRE’s free Security Automation Developer Days 2012 conference scheduled for July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA is now available at https://register.mitre.org/devdays/agenda.pdf.

For registration, lodging, and other conference details visit the conference registration page. Please note that registration will close on June 15.

May 11, 2012

1 Product from Beijing Venustech Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoOne additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 129 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Beijing Venustech Cybervision Co., Ltd. - Venusense Unified Security Gateway (Venusense UTM)

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

New CVE Editorial Board Member

Damir Rajnovic of Cisco Systems, Inc. has joined the CVE Editorial Board. Andy Balinsky of NIST also remains as a Board member.

Registration Now Open for Security Automation Developer Days 2012 on July 9-13

MITRE Corporation will host the fourth Security Automation Developer Days conference on July 9-13, 2012, at MITRE in Bedford, Massachusetts, USA. This five-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including Open Vulnerability and Assessment Language (OVAL®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop.

MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community.

An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/.

May 7, 2012

CVE List Surpasses 50,000 CVE Identifiers

The CVE Web site now contains 50,062 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE-IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. In addition, CVE-IDs have been used to identify vulnerabilities in the SANS Top Cyber Security Risks threat list since its inception in 2000.

CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE™) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL®) effort uses CVE-IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information that is synchronized with and based on the CVE List also includes Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the eight existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

And in 2011, the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, adopted CVE as a part of its new "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE), that is based upon CVE’s current Compatibility Requirements, and any future changes to the document will be reflected in subsequent updates to X.CVE.

Each of the 50,000+ identifiers on the CVE List includes the following: CVE Identifier number (i.e., "CVE-1999-0067"); brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look-up an individual identifier. Fix information and enhanced searching of CVE is available from NVD.

April 13, 2012

1 Product from Sangfor Technologies Co., Ltd. Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoOne additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 128 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Sangfor Technologies Co., Ltd. - Next Generation Application Firewall (NGAF)

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

April 5, 2012

MITRE Hosts CVE/Making Security Measurable Booth at InfoSec World 2012

MITRE hosted a CVE/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees learned how information security data standards such as CVE, CCE, CPE, CWE, CAPEC, MAEC, CybOX, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

March 22, 2012

2 Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoTwo additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 127 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Cisco Systems, Inc. - Cisco Security IntelliShield Alert Manager Service
Security-Database - Security Database Web site

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

MITRE to Host CVE/Making Security Measurable Booth at InfoSec World 2012, April 2-4

MITRE will host a CVE/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees will learn how information security data standards such as CVE, CCE, CPE, CWE, CAPEC, MAEC, CybOX, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 513 and say hello!

Visit the CVE Calendar for information on this and other events.

March 8, 2012

Photos from CVE/Making Security Measurable Booth at RSA 2012

MITRE hosted a CVE/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 – March 2, 2012. Attendees learned how information security data standards such as CVE, CCE, CPE, CWE, CAPEC, CWSS, CybOX, MAEC, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Making Security Measurable booth photos:

Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012 Photo from RSA 2012

Visit the CVE Calendar for information on this and other events.

February 27, 2012

1 Product from CXSecurity Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoOne additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 125 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

CXSecurity - World Laboratory of Bugtraq 2

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

February 13, 2012

1 Product from Application Security Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoOne additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 124 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Application Security - DbProtect

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

NGSSecure Makes 10 Declarations of CVE Compatibility

NGSSecure, a Division of NCC Group UK PLC, declared that its enterprise class vulnerability management software product, NGS Auditor, and its standalone vulnerability assessment software products, NGS OraScan, NGS DominoScan II, NGS SQuirreL for DB2, NGS SQuirreL for SQL Server, NGS SQuirreL for Oracle, NGS SQuirreL for Informix, NGS SQuirreL for Sybase ASE, NGS SQuirreL for MySQL, and NGS Typhon III, are CVE-Compatible.

For additional information about these and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

Sangfor Technologies Makes Declaration of CVE Compatibility

Sangfor Technologies Co., Ltd. declared that its Next-Generation Application Firewall is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

CVE/Making Security Measurable Booth at RSA 2012, February 27 – March 2

MITRE is scheduled to host an CVE/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 – March 2, 2012. Attendees will learn how information security data standards such as CVE, CCE, CPE, CWE, CAPEC, CWSS, CybOX, MAEC, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 2617 and say hello!

Visit the CVE Calendar for information on this and other events.

CVE Mentioned in Article about Updates to Guidelines for Adopting and Using Security Content Automation Protocol (SCAP) on GCN

CVE is mentioned in a January 9, 2012 article entitled "Getting the most out of automated IT security management" on Government Computer News.com. The main topic of the article is the National Institute of Standards and Technology (NIST) updating its guidelines for using Security Content Automation Protocol (SCAP) "for checking and validating security settings on IT systems" by releasing "Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol Version 1.2, Revision 1."

CVE is mentioned when the author explains how SCAP combines several existing community standards created and maintained by several different organizations "including MITRE Corp., the National Security Agency, and the Forum for Incident Response and Security Teams", and that the "specifications making up SCAP are divided into languages, reporting formats, enumerations, measurement and scoring systems, and integrity protection." The author then lists the 11 SCAP components, with CVE included under Enumerations. The other MITRE initiatives listed are Common Platform Enumeration (CPE) and Common Configuration Enumeration (CCE), also under Enumerations, and under Languages, Open Vulnerability and Assessment Language (OVAL). The article concludes with a summary of the updates to the guidelines.

January 24, 2012

NETpeas, SA Makes Declaration of CVE Compatibility

NETpeas, SA declared that its cloud-based, multi-engines vulnerability management service, COREvidence, will be CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

January 13, 2012

New CVE Editorial Board Member

Harold Booth of National Institute of Standards and Technology (NIST) has joined the CVE Editorial Board. Peter Mell of NIST also remains as a Board member.

January 4, 2012

1 Product from TrustSign Now Registered as Officially "CVE-Compatible"

CVE-Compatible Product/Service logoOne additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 123 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

TrustSign - Selos de Segurança

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CXSecurity Makes Declaration of CVE Compatibility

CXSecurity declared that its vulnerability database World Laboratory of Bugtraq (WLB), is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2012

MITRE has announced its initial Making Security Measurable calendar of events for 2012. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have MITRE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CybOX, CWE, MAEC, CEE, OVAL, Software Assurance, and/or Making Security Measurable at your event.

 
Page Last Updated: March 17, 2014