Industry News Coverage

Below is a comprehensive monthly review of the news and other media’s coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

March 2008

Government Computer News, March 3, 2008

CVE was mentioned in a March 3, 2008 article entitled "SCAP narrows security gap" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) program, which is "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." CVE is mentioned as one of the "more mature standards" of the six SCAP includes: "The Common Vulnerabilities and Exposures Standard from Mitre, which provides standard identifiers and a dictionary for security vulnerabilities related to software flaws."

Three of the other standards the author references as mature are Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities. The author also notes the two "less mature" standards SCAP uses: Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; and Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming.

SCAP is an expansion of NIST’s U.S. National Vulnerability Database (NVD) that is based upon the CVE List. NVD, CVE, and OVAL are all sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. The article was written by William Jackson.

February 2008

SC Magazine, February 1, 2008

CVE was mentioned in an article entitled "Vulnerability management: weathering the storm" in the February 1, 2008 issue of SC Magazine. CVE is mentioned in a section entitled "Vulnerabilities on the rise" when the author states: "Last year gave rise to about 7,000 unique vulnerabilities, says Steve Christey, principal information security engineer at MITRE, which maintains the Common Vulnerabilities and Exposure (CVE) list, a dictionary that provides the common names for publicly known security vulnerabilities. Since 1999, MITRE has tracked some 28,000 vulnerabilities in packaged software. While the sheer number of bugs is certainly cause for concern, flaws do have one positive attribute: they provide a tangible way to assess risk, say experts."

CVE is mentioned again when the author explains that "Each CVE listing in the National Vulnerability Database, the U.S. government repository of standards based vulnerability management data, supports the Common Vulnerability Scoring System (CVSS), an open framework that standardizes the severity of vulnerabilities across heterogeneous platforms." Also included is a quote about CVSS who states that "CVSS is a way to provide a consistent risk metric. All of the vulnerability scanning tools and all of the alerts will use their own definition of risk, so a consumer of this information, if they’re not using CVSS, might get multiple interpretations of how significant a single vulnerability is."

The article also mentions MITRE’s Common Weakness Enumeration (CWE), which is based in part on CVE. The article was written by Dan Kaplan.

October 2007

Processor Magazine, October 5, 2007

CVE was mentioned in the "Product Releases" article in Processor Magazine on October 5, 2007. CVE is mentioned in the "Security" section of the article regarding Secure Elements’ C5 Compliance Platform 3.3, which "…is the first product to work with NIST SCAP content to help federal government agencies meet the OMB Mandate. It also helps with compliance with NIST ISAP/SCAP initiative for auditing security configurations using OVAL, XCCDF, CPE, CVSS, CCE, and CVE."

September 2007

Secure Elements Web Site, September 18, 2007

CVE was mentioned in a September 18, 2007 news release from Secure Elements, Inc. entitled "Secure Elements Announces New Version of IT Audit and Compliance Platform." CVE is mentioned in the portion of the release that describes how Secure Elements’ C5 Compliance Platform Version 3.3 adds enhanced NIST SCAP FISMA reporting: "For federal government agencies, C5 is the first enterprise solution that works directly with the NIST SCAP content to help them meet the OMB Mandate for secure desktop configurations as well as incorporating all of the latest standards as defined by the NIST ISAP/SCAP initiative for auditing security configurations utilizing OVAL, XCCDF, CPE, CVSS, CCE and CVE."

Secure Elements, Inc.’s automated vulnerability remediation product, C5 Enterprise Vulnerability Management (EVM) Suite, is listed on the CVE Web site as "Officially CVE-Compatible."

NetworkWorld, September 25, 2007

CVE was mentioned in an article entitled "Service-oriented security" in NetworkWorld on September 25, 2007. CVE is mentioned when the author discusses Security Content Automation Protocol (SCAP). The author states: "The basic premise is that the only way we’ll ever get a handle on the operational challenges of security management is to automate as many of the processes as possible. SCAP pulls information from a number of standardized information sources, including (warning: acronym soup ahead): the eXtensible Configuration Checklist Description Format (XCCDF), the Open Vulnerability Assessment Language (OVAL), Common Vulnerability Scoring System, (CVSS) and Common Vulnerabilities and Exposures (CVE) database." The article was written by Andreas M. Antonopoulos.