|
|
News & EventsJune 25, 2008
MITRE Hosts "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19 MITRE hosted a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Westin Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA. Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CWE, CEE, CRF, OVAL, and/or Making Security Measurable at your event. June 4, 2008
One IBM Internet Security Systems Product Now Registered as Officially "CVE-Compatible"
The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services. Xi’an Jiaotong University Jump Network Technology Co., Ltd. Makes Declaration of CVE Compatibility Xi’an Jiaotong University Jump Network Technology Co., Ltd. declared that its intrusion prevention service, JumpIPS, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services. MITRE Presents "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4 CVE Compatibility Lead/CWE Program Manager Robert A. Martin presented a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA. Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event. MITRE Presents "Making Security Measurable" Briefing and a Half-Day Tutorial at AusCERT 2008 on May 18-23 CVE Compatibility Lead/CWE Program Manager Robert A. Martin and CVE Technical Lead/CWE Technical Lead Steven M. Christey presented a Making Security Measurable briefing and hosted a half-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at Royal Pines Resort in Gold Coast, Australia. Visit the CVE Calendar for information on this and other events. May 15, 2008
XML Schema for CVE List Added to CVE Downloads Page An XML Schema Definition (.xsd) download for the CVE List is now available on the CVE Downloads page. The schema, which was contributed by the U.S. National Institute of Standards and Technology (NIST), will assist those using CVE in XML format. Tenable Network Security Inc. Posts Three CVE Compatibility Questionnaires Tenable Network Security Inc. has achieved the second phase of the CVE Compatibility Process for three products by submitting a CVE Compatibility Questionnaire for Passive Vulnerability Scanner, a CVE Compatibility Questionnaire for Security Center, and a CVE Compatibility Questionnaire for Nessus 3 Security Scanner. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible." For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section. FrSIRT Makes Declaration of CVE Compatibility French Security Incident Response Team (FrSIRT) declared that its FrSIRT Vulnerability Notification Service is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services. MITRE Scheduled to Present "Making Security Measurable" Briefing and a Full-Day Tutorial at AusCERT 2008 on May 18-23 CVE Compatibility Lead/CWE Project Manager Robert A. Martin and CVE Technical Lead/CWE CVE Technical Lead Steven M. Christey are scheduled to present a Making Security Measurable briefing and host a full-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at Royal Pines Resort in Gold Coast, Australia. Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event. MITRE Scheduled to Present "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4 CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA. Visit the CVE Calendar for information on this and other events. MITRE Scheduled to Host "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19 MITRE is scheduled to host a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Westin Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA. Visit the CVE Calendar for information on this and other events. MITRE Presents "Making Security Measurable" Briefing at 2008 IEEE Conference on Technologies for Homeland on May 12-13 CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing at 2008 IEEE Conference on Technologies for Homeland on May 12-13, 2008 at the Westin Hotel in Waltham, Massachusetts, USA. Visit the CVE Calendar for information on this and other events. May 1, 2008
CVE Identifiers Used throughout Microsoft Security Intelligence Report CVE Identifiers were used to identify the security issues under analyses in Microsoft Corporation’s recently released Microsoft Security Intelligence Report, Volume 4, (July through December 2007). The report provides an "in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software." CVE Identifiers were used to "normalize the data set" with each exploit "matched with its corresponding vulnerability using Common Vulnerabilities and Exposures (CVE) identifiers and Microsoft security bulletins." "Each Microsoft security bulletin may address multiple vulnerabilities, so the Microsoft security bulletin-to-CVE translation isn’t a one-to-one correlation. Researchers used information provided by the Microsoft Security Response Center (MSRC), the CVE, the NVD, and SecurityPatch.org to create a final MSRC-to-CVE mapping." Results of these mapping are discussed throughout the report, summarized in a chart entitled "Exploits in select Microsoft products by CVE identifier, 2006-2007," and reviewed in detail in "Appendix B: Exploit Counts by Microsoft Security Bulletin and CVE ID." The report also uses the U.S. National Institute of Standards and Technology’s (NIST) U.S. National Vulnerability Database (NVD) and the Forum of Incident Response and Security Teams’ (FIRST) Common Vulnerability Scoring System (CVSS). NVD and CVE are sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. IBM Internet Security Systems Posts CVE Compatibility Questionnaire IBM Internet Security Systems has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Proventia Enterprise Scanner. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible." For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section. Trustwave Makes Declaration of CVE Compatibility Trustwave declared that its vulnerability scanning service, TrustKeeper, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services. MITRE Presents "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27 CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA. Visit the CVE Calendar for information on this and other events. MITRE Presents "Making Security Measurable" Briefing at GOVSEC on April 24 CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA. Visit the CVE Calendar for information on this and other events. April 16, 2008
Three Products from Two Organizations Now Registered as Officially "CVE-Compatible"
The following products are now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services. MITRE Hosts "Making Security Measurable" Booth at RSA 2008, April 7-11 MITRE hosted a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA. The conference exposed the CVE, CCE, CME, CPE, CAPEC, CWE, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events. April 1, 2008
CVE List Reaches 30,000 CVE Identifiers The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers. The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE-IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. CVE-IDs are also used to uniquely identify vulnerabilities in public watch lists such as the SANS Top 20 Most Critical Internet Security Vulnerabilities and OWASP Top 10 Web Application Security Issues. CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL) effort uses CVE-IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information that is synchronized with and based on the CVE List recently expanded to include Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. Each of the 30,000+ identifiers on the CVE List includes the following: CVE Identifier number (i.e., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look-up an individual identifier. Fix information and enhanced searching of CVE is available from NVD. MITRE Scheduled to Host "Making Security Measurable" Booth at RSA 2008, April 7-11 MITRE is scheduled to host a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA. The conference will expose the CVE, CCE, CME, CPE, CAPEC, CWE, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events. MITRE Scheduled to Present "Making Security Measurable" Briefing at GOVSEC on April 24 CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA. Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event. MITRE Scheduled to Present "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27 CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA. Visit the CVE Calendar for information on this and other events. MITRE Presents "Making Security Measurable" Briefing at SEPG North America 2008 on March 18 CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security for Enterprise Process Improvement" at SEPG North America 2008 on March 1, 2008 at the Tampa Convention Center in Tampa, Florida, USA. Visit the CVE Calendar for information on this and other events. March 12, 2008
Two Products from Two Organizations Now Registered as Officially "CVE-Compatible"
The following products are now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services. CVE Mentioned in Government Computer News Article about SCAP CVE was mentioned in a March 3, 2008 article entitled "SCAP narrows security gap" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) program, which is "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." CVE is mentioned as one of the "more mature standards" of the six SCAP includes: "The Common Vulnerabilities and Exposures Standard from Mitre, which provides standard identifiers and a dictionary for security vulnerabilities related to software flaws." Three of the other standards the author references as mature are Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities. The author also notes the two "less mature" standards SCAP uses: Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; and Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming. SCAP is an expansion of NIST’s U.S. National Vulnerability Database (NVD) that is based upon the CVE List. NVD, CVE, and OVAL are all sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. MITRE Scheduled to Present "Making Security Measurable" Briefing at SEPG North America 2008 on March 18 CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Security for Enterprise Process Improvement" at SEPG North America 2008 on March 1, 2008 at the Tampa Convention Center in Tampa, Florida, USA. Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event. MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2008, March 10-11 MITRE hosted a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA. The conference exposed the CVE, CCE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events. February 20, 2008
Four Products from Four Organizations Now Registered as Officially "CVE-Compatible"
The following products are now registered as officially "CVE-Compatible": Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services. Lenovo Security Technologies, Inc. Makes Declaration of CVE Compatibility Lenovo Security Technologies, Inc. declared that its Lenovo Security Intrusion Detection System is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services. CVE Mentioned in SC Magazine Article about Vulnerability Management CVE was mentioned in an article entitled "Vulnerability management: weathering the storm" in the February 1, 2008 issue of SC Magazine. CVE is mentioned in a section entitled "Vulnerabilities on the rise" when the author states: "Last year gave rise to about 7,000 unique vulnerabilities, says Steve Christey, principal information security engineer at MITRE, which maintains the Common Vulnerabilities and Exposure (CVE) list, a dictionary that provides the common names for publicly known security vulnerabilities. Since 1999, MITRE has tracked some 28,000 vulnerabilities in packaged software. While the sheer number of bugs is certainly cause for concern, flaws do have one positive attribute: they provide a tangible way to assess risk, say experts." CVE is mentioned again when the author explains that "Each CVE listing in the National Vulnerability Database, the U.S. government repository of standards based vulnerability management data, supports the Common Vulnerability Scoring System (CVSS), an open framework that standardizes the severity of vulnerabilities across heterogeneous platforms." Also included is a quote about CVSS who states that "CVSS is a way to provide a consistent risk metric. All of the vulnerability scanning tools and all of the alerts will use their own definition of risk, so a consumer of this information, if they’re not using CVSS, might get multiple interpretations of how significant a single vulnerability is." The article also mentions MITRE’s Common Weakness Enumeration (CWE), which is based in part on CVE. MITRE to Host "Making Security Measurable" Booth at InfoSec World 2008, March 10-11 MITRE is scheduled to host a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA. The conference will expose the CVE, CCE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events. February 6, 2008
MITRE Hosts "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1 MITRE hosted a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA. The conference exposed the CVE, CCE, CME, CEE, CPE, CWE, CAPEC, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events January 3, 2008
MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2008 MITRE has announced its initial Making Security Measurable calendar of events for the first half of 2008. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
Other events will be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CME, CEE, CPE, CWE, CAPEC, CRF, OVAL, and/or Making Security Measurable at your event. INFOSEC Technology Co., Ltd. Makes Declaration of CVE Compatibility INFOSEC Technology Co., Ltd. declared that its TESS TMS (Threats Management System) is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services. December 19, 2007
CVE Identifiers Included in Annual Update of "SANS Top Twenty" List of Internet Security Threats The 2007 Annual Update to the Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on November 28, 2007 and now includes 275 CVE Identifiers. The list uses CVE Identifiers to uniquely identify the vulnerabilities it describes. This will help system administrators use CVE-Compatible Products and Services to help make their systems and networks more secure. The annual update includes six major categories: (1) Client-Side Vulnerabilities in Web Browsers, Office Software, Email Clients, Media Players; (2) Server-Side Vulnerabilities in Web Applications, Windows Services, Unix and Mac OS Services, Backup Software, Anti-virus Software, Management Servers, Database Software; (3) Security Policy and Personnel - Excessive User Rights and Unauthorized Devices, Phishing/Spear Phishing, Unencrypted Laptops and Removable Media; (4) Application Abuse in Instant Messaging and Peer-to-Peer Programs; (5) Network Devices - VoIP Servers and Phones; and (6) Zero Day Attacks. SANS is a member of the CVE Editorial Board and its education and training materials are listed in the CVE-Compatible Products and Services section. December 5, 2007
CVE Compatibility Requirements Document Updated The "Requirements and Recommendations for CVE Compatibility" document has been updated to add information aggregators as a new category of tool/service, separate the advisory repositories and vulnerability databases from one category of tool/service into two separate categories, and to update the candidate- and version-related requirements. Comments or questions on these changes are welcome at cve@mitre.org. MITRE to Host "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1 MITRE is scheduled to host a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA. The conference will expose the CVE, CCE, CPE, CME, CAPEC, CWE, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events. |
||||||||||||||||||
