|
|
News & EventsJanuary 15, 2010
CVE List Surpasses 40,000 CVE Identifiers The CVE Web site now contains 40,022 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers. The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE-IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. CVE-IDs are also used to uniquely identify vulnerabilities in public watch lists such as the SANS Top 20 Most Critical Internet Security Vulnerabilities and OWASP Top 10 Web Application Security Issues. CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL) effort uses CVE-IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information that is synchronized with and based on the CVE List also includes Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. Each of the 40,000+ identifiers on the CVE List includes the following: CVE Identifier number (i.e., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look-up an individual identifier. Fix information and enhanced searching of CVE is available from NVD. January 8, 2010
Three Products and Services from Two Organizations Now Registered as Officially "CVE-Compatible"
The following products are now registered as officially "CVE-Compatible": Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services. DBAPPSecurity Limited Makes Five Declarations of CVE Compatibility DBAPPSecurity Limited declared that its Web application vulnerabilities scanner, MatriXay; Database Vulnerability Scanner; Web Application Firewall; intrusion monitoring and response service, Database Auditor; and intrusion monitoring and response service, Web Monitor, are CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section. Security Automation Is Main Focus of DoD’s IAnewsletter "Security Automation: A New Approach to Managing and Protecting Critical Information" is the main topic of the Winter 2010 issue of the Department of Defense’s (DoD) Information Assurance Technology Analysis Center’s (IATAC) IAnewsletter. According to the newsletter, a security automation strategy will enable automation of "many security and configuration management, compliance, and network defense functions and give our [DoD] system administrators and network defenders a chance to succeed." Specific articles topics include: An Introduction to Security Automation; Security Automation: A New Approach Managing and Protecting Critical Information; Security Content Automation Protocol; Secure Configuration Management (SCM); DoD Activities Underway to Mature SCAP Standards; Why Industry Needs Federal Government Leadership to Gain the Benefits of Security Automation; and Practicing Standards-Based Security Assessment and Management. In addition, MITRE’s CVE, CCE, CPE, and OVAL information assurance data standards are mentioned throughout the issue, especially with regard to how they are utilized by the National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to help enable automated, standards-based security assessment and management. The newsletter is free to download from the IATAC Web site. MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2010 MITRE has announced its initial Making Security Measurable calendar of events for 2010. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
Other events may be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have MITRE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CWE, MAEC, CEE, OVAL, and/or Making Security Measurable at your event. |
||||
Three additional information security products and services have achieved the final stage of MITRE’s formal 