New Editorial Board Member
Alfred Huger of SecurityFocus has joined the Editorial Board. Elias Levy of SecurityFocus also remains as a Board member.
New Editorial Board Member
Stu Green of Tiger Testing has joined the Editorial Board.
Inzen Makes CVE Compatibility Declaration
Inzen has declared that its network-based intrusion detection system, NeoWatcher@ESM; its host-based intrusion detection system, NeoGuard@ESM; and its vulnerability assessment tool, NeoScanner@ESM, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Mentioned in a New Book on Intrusion Detection by Editorial Board Member Paul Proctor
CVE is mentioned in a new book entitled The Practical Intrusion Detection Handbook, by CVE Editorial Board member Paul E. Proctor of CyberSafe. In a chapter entitled "Organizations, Standards, and Government Initiatives," he mentions CVE co-founder Steve Christey, references the origins of CVE, describes what CVE is and isn't, and states: "One of the best things about CVE is its purity. It fills a vital niche..."
CVE Hosts Booth at LISA 2001
MITRE hosted a CVE exhibitor booth at the Advanced Computing Systems Association's (USENIX) LISA 2001: 15th Systems Administration Conference in San Diego, California, USA on December 5th and 6th. The conference was successful and exposed CVE to a new audience of system and network administrators with major responsibility and purchasing authority for their organization's systems and networks.
CVE was also mentioned in two technical presentations at LISA 2001. John Flowers of nCircle and Marcus Ranum of NFR, both members of the CVE Editorial Board, discussed CVE as part of their respective presentations/panel discussions. The conference was held December 2-7.
Red Hat References CVE Candidate Number in Security Bulletin
Red Hat recently released a security advisory that included a CVE candidate number. The advisory "Red Hat Linux Errata Advisory RHSA-2001:150-06: Updated Cyrus SASL packages available," identified CAN-2001-0869.
Including candidate numbers in security advisories benefits the community by making a CVE name available as early as possible for an important issue. To date, CVE candidate numbers have been included in advisories from the following organizations: @stake, BindView, CERT/CC, Compaq Computer Corporation, Hewlett-Packard, IBM Emergency Response Service (ERS), Internet Security Systems (ISS), Microsoft Corporation, Network Associates (NAI), Rain Forest Puppy, SGI, and Symantec, among others.
CVE Mentioned in eWeek Magazine
CVE was mentioned in the November 26, 2001 issue of eWeek magazine in an article entitled "5 Steps to Enterprise Security-Step 3: Detection." CVE is referenced in a section discussing resources, in which the author states: "There are myriad resources to help guide IT managers' detection efforts. Books...and online sources, such as www.cve.mitre.org (the Common Vulnerabilities and Exposures site), provide examples that should get the creative juices flowing in terms of how to track down crackers." CVE is also referenced in the print issue of eWeek as a sidebar to the "5 Steps to Enterprise Security-Step 3: Detection" article. In the sidebar entitled "Heads Up," the author states: "Watch for CVE (Common Vulnerabilities and Exposures) hosted by MITRE Corp. to play a role in regularizing how attacks are reported, thereby making it easier to detect and prevent intrusions." The sidebar is not part of the online version of the article.
CVE to Host Booth at LISA 2001, December 5-6
MITRE is scheduled to host a CVE exhibitor booth at the Advanced Computing Systems Association's (USENIX) LISA 2001: 15th Systems Administration Conference, at the Town & Country Hotel in San Diego, California, USA on December 5th and 6th. The conference will expose CVE to a new audience of more than 2,000 system and network administrators with major responsibility and purchasing authority for their organization's systems and networks. The exhibition is scheduled for December 5-6, and the conference runs December 2-7.
CERT/CC Makes CVE Compatibility Declaration
CERT Coordination Center (CERT/CC) has declared that its Vulnerability Notes Database is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page. CERT/CC is also a member of the CVE Editorial Board.
CVE Senior Advisory Council Holds Meeting
The CVE Senior Advisory Council held a meeting on Tuesday, October 23, 2001. Topics included CVE FY02 policy and funding issues, and status reports on the recently created legacy candidates, CVE-compatible products/services processes and growth, CVE Editorial Board roles and composition, and CVE usage statistics.
CVE Exhibits at SANS Network Security 2001
MITRE hosted a CVE exhibitor booth at SANS Network Security 2001, October 15-22, at the Town & Country Hotel and Convention Center in San Diego, CA, USA. The conference was successful and introduced CVE and CVE-compatible products/services to a diverse audience of security and audit professionals and system and network administrators.
CVE Team Member's Article on CVE Published in IEEE Computer Magazine
An article entitled "Managing Vulnerabilities in Networked Systems" was published in the November 2001 issue of the IEEE Computer Society magazine, Computer. The article, which discusses correcting vulnerabilities and exposures in the commercial software that is used to develop an organization's infrastructure, was written by CVE Team member Robert A. Martin, who also serves as co-lead for MITRE's Cyber Resource Center and is a principal engineer in MITRE's Information Technologies Division. You may read the article by downloading a PDF.
CVE Presents Briefing at NDIA's 4th Annual Systems Engineering Conference
CVE Team Member Robert A. Martin presented a briefing on CVE, entitled "Managing Vulnerabilities in Networked Systems," at the National Defense Industrial Association's (NDIA) 4th Annual Systems Engineering Conference in Dallas, Texas, USA on October 25th. The presentation was well received and introduced CVE to a variety of government and military professionals specializing in communications, electronics, intelligence, and information systems.
CVE Featured Topic in MITRE "Project Showcase" Article
CVE was the featured topic in an article on the MITRE Web site entitled "Project Showcase: Enabling Enterprise Security with CVE." The article describes how CVE compatibility enables enterprise security through the use of shared CVE names and discusses how using CVE-compatible products and services improves how an organization responds to security advisories. A graphical representation of a CVE-enabled process is also included.
CVE Editorial Board Holds Teleconference
The CVE Editorial Board held a teleconference on Thursday, September 27, 2001, with 15 Board members participating. Seven members of MITRE's CVE Team also participated, including two who are also Board members. Topics included CVE content status, issues, and goals; Board roles and issues; CVE compatibility; and MITRE technology transfer activities.
CVE Names Included in Consensus List of "Top Twenty" Internet Security Threats
The recently updated Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on October 2, 2001. The list includes CVE names and CVE candidates to uniquely identify the vulnerabilities it describes, which will help system administrators use CVE-compatible products and services to help make their networks more secure. SANS is a member of the CVE Editorial Board.
CVE Mentioned as a Product Feature in Network World Magazine Review of Intrusion Detection Products
CVE was mentioned in an article entitled, "Review: Intrusion-detection products grow up" in the October 8th issue of Network World magazine. CVE is included in the "Features" section in a discussion about the various features of the intrusion detection (IDS) products being reviewed, in which the authors state: "All the products supported a detailed explanation of attacks, including the Common Vulnerability and Exposures [List] of known vulnerabilities..."
Tsinghua UnisNet Technology, Ltd. Makes CVE Compatibility Declaration
Tsinghua UnisNet Technology, Ltd. has declared that its firewall product, UnisFirewall, and its intrusion detection system (IDS), UnisIDS, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
Tiger Testing Makes CVE Compatibility Declaration
Tiger Testing has declared that its Internet and Web site security assessment service, Tiger Testing Independent Computer Security Testing Reports, meets the CVE compatibility requirements. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
New CVE Version Released; 563 "Legacy Candidates" Proposed
CVE version 20010918 has just been released. It has 96 new entries for a total of 1,604 official CVE entries. In addition, 563 "legacy candidates" and 20 candidates from 2000 and 2001 were proposed, bringing the total to 1,796 candidates currently being reviewed by the CVE Editorial Board. There is a separate report which lists only these 563 legacy candidates. These candidates are also available as part of the full candidate list.
Legacy candidates identify publicly known security issues that were announced in 1999 and earlier. In summer 2000, ten different data sources provided MITRE with lists of vulnerabilities and exposures (referred to as "submissions"). MITRE received approximately 8,400 submissions from these data sources. Of these, approximately 2,500 submissions were eliminated because they duplicated existing issues or did not meet the definition of a vulnerability or exposure; 3,900 were delayed because they were incomplete or vague; 900 were used to create the 563 recently added legacy candidates; and 1,100 have an unknown status and need to be looked at more closely. We will continue to work on the remaining legacy submissions currently identified as delayed or unknown.
With the release of the new CVE version, there are now 3,400 unique issues with publicly known names available on the CVE Web site. A report is available to identify the differences between this version and the previous version, 20010507.
Cisco References CVE Candidate Number in Security Bulletin
Cisco Systems, Inc. recently released a security advisory that included a CVE candidate number. The advisory "Cisco Security Advisory: Cisco Secure Intrusion Detection System Signature Obfuscation Vulnerability," identified CAN-2001-0669.
Including candidate numbers in security advisories ensures that the community benefits by having CVE names as early as possible for an important issue. To date, CVE candidate numbers have been included in advisories from the following organizations: @stake, BindView, CERT/CC, Compaq Computer Corporation, Hewlett-Packard, IBM Emergency Response Service (ERS), Internet Security Systems (ISS), Microsoft Corporation, Network Associates (NAI), Rain Forest Puppy, SGI, and Symantec, among others.
CVE Mentioned in a New Book on Cyber Security by Editorial Board Member Eric Cole
CVE is mentioned in a new book entitled Hackers Beware, by CVE Editorial Board member Eric Cole of SANS. In the book he describes what CVE is and isn't, provides the URL to the CVE Web site, and mentions CVE names and candidate numbers when describing specific issues.
Hewlett-Packard References CVE Candidate Number in Security Bulletin
Hewlett-Packard (HP) recently released a security advisory that included a CVE candidate number. The advisory "Hewlett-Packard Company Security Bulletin: #00163," regarding a buffer overflow in rlpdaemon, identified CAN-2001-0668.
Including candidate numbers in security advisories ensures that candidates reach the community as early as possible, which makes it easier for people to obtain the CVE name for an important issue. To date, CVE candidate numbers have been included in advisories from the following organizations: @stake, BindView, CERT/CC, Compaq Computer Corporation, IBM Emergency Response Service (ERS), Internet Security Systems (ISS), Microsoft Corporation, Network Associates (NAI), Rain Forest Puppy, SGI, and Symantec, among others.
CVE Used as Evaluation Criteria for IDS Comparison in Network Computing Magazine
CVE was included as an evaluation criterion in a comparison of intrusion detection systems (IDSs) in an article entitled "Dragon Claws its Way to the Top" in the August 20, 2001 issue of Network Computing magazine. CVE names were used as the basis of evaluation in a table entitled "Network IDS Signature Results," and CVE cross-references were used as a feature for evaluating the IDSs in a table entitled "Network IDS Features."
CVE Cited in NIST Special Publication on Intrusion Detection Systems
CVE was cited in "Special Publication 800-31: Intrusion Detection Systems," published August 16, 2001 on the NIST Computer Security Division Web site. CVE was included in section 7.2.6.1, "Attack Naming Conventions," in which the authors state: "Fortunately, there are efforts underway within the network security community to devise a common nomenclature for computer vulnerabilities and attacks. The most popular of these is the Common Vulnerabilities and Exposures List (CVE) and is maintained by MITRE with input from a variety of security professionals worldwide. Many network security product vendors have agreed to make their products CVE-compatible." The authors also provide a link to the NIST ICAT metabase, which is enabled by CVE, and a link to the CVE Web site. ICAT is listed on the CVE-compatible products page, and NIST is a member of the CVE Editorial Board.
Foundstone, Inc. Makes CVE Compatibility Declaration
Foundstone, Inc. has declared that its Managed Security Assessment Service, FoundScan 2.0, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
Venus Information Technology Inc. Makes CVE Compatibility Declaration
Venus Information Technology, Inc. has declared that its Intrusion Detection System, Tiantian IDS System 5.3, and its Vulnerability Scanner, Tianjin Scanner System 4.5, are CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
CVE Presents Paper at AFCEA Federal Database Colloquium & Exposition
CVE Team Member Robert A. Martin presented his paper on CVE, entitled "Developing on the Net, Dealing with Software Vulnerabilities," at the AFCEA Federal Database Colloquium & Exposition in San Diego, California, on August 28th. The presentation was well received and introduced CVE to a variety of government and military professionals specializing in communications, electronics, intelligence, and information systems. A copy of the paper is available on the CVE Documents page.
Announcing the CVE Senior Advisory Council
The MITRE Corporation has established a CVE Senior Advisory Council to help guide CVE and ensure the initiative receives appropriate funding. The advisory council is composed of 19 senior executives from offices across the Federal government who are responsible for information assurance on government networks and systems. You may view a list of the CVE Senior Advisory Council members, read a copy of the council charter, or view a list of the organizations that sponsor CVE.
New "CVE Senior Advisory Council" and "Sponsors" Pages Added to CVE Web Site
A new section has been added to the CVE Web site that lists the members of the CVE Senior Advisory Council and the Sponsors who provide funding for CVE. This new section also includes a copy of the council charter.
CVE Referenced in Cover Story of Signal Magazine
CVE was referenced in a cover article entitled "A Powerful Vision" in the August 8, 2001 issue of Signal magazine. In the article the author quotes Colonel Larry Huffman, Director of the Global Network Operation & Security Center (GNOSC) for the Defense Information Systems Agency (DISA) and a member of the CVE Senior Advisory Council, who refers to CVE as "an important information assurance initiative" and then goes on to describe CVE. The author of the article then states: "CVE...helps prevent redundancy and inundating system administrators with vulnerabilities, many of which may be duplications labeled with different names by each of the services." Signal magazine is the Armed Forces Communications and Electronics Association's (AFCEA's) Journal for Communications, Electronics, Intelligence, and Information Systems.
CVE Recommended to IT Professionals in eWeek Magazine
CVE was included on a list of twelve Web sites that the authors recommend as "tried-and-true security destinations that every IT pro should bookmark and visit often" in an article entitled "eWEEK Labs recommends: Key security resources" in the June 11th issue of eWeek magazine. The authors describe CVE as "the authoritative list of vulnerability definitions," and provide a link to the CVE Web site.
CVE-Compatibility Noted in Network Magazine Review of Vulnerability Analysis Tool
CVE was mentioned in a product review entitled "News & Products: STAT Scanner Tests for New Patches" in the June issue of Network Magazine. In this brief review of Harris Corporation's STAT Scanner Professional Edition 4.0, the author states: "All STAT Scanner vulnerability checks are mapped to MITRE's Common Vulnerabilities and Exposures (CVE) dictionary." STAT (Security Test and Analysis Tool) is listed on the CVE-Compatible Products page and Harris Corporation is a member of the CVE Editorial Board.
Article Profiles CVE Project Leader Margie Zuk
CVE Project Leader Margie Zuk was profiled in a recent Technology Spotlight article on the MITRE Web site. In the article entitled "Bringing all the pieces together, One manager's perspective of CVE," Margie discusses her role on the CVE Team and the challenges she faces working on CVE.
CVE Referenced in SC Online Information Security News Article
CVE was referenced in an article entitled "Web Defacements - An Alarming Trend" in the July 2001 issue of SC Online Information Security News. CVE is mentioned in this article in a section about defacements to Web server software. The author refers to CVE in a discussion about vulnerabilities exploited in the Apache/UNIX, Linux, Microsoft IIS, and Microsoft NT "sites and web server implementations." He also provides a link to the CVE Web site.
MITRE Paper on CVE Published in Software Research Inc.'s Quality Techniques Newsletter
A paper entitled "The Vulnerabilities of Developing on the Net" was published in two parts in the June 2001 and July 2001 issues of Software Research Inc.'s monthly Quality Techniques Newsletter. The paper, which discusses correcting vulnerabilities and exposures in the commercial software that is used to develop an organization's systems and infrastructure, was written by CVE Team member Robert A. Martin, who also serves as co-lead for MITRE's Cyber Resource Center and is a principal engineer in MITRE's Information Technologies Division. You may also read the entire paper online on the CVE Documents page. (Note: A version of this paper was published in the April 2001 issue of Crosstalk magazine, a publication of the U.S. Air Force's Software Technology Support Center.)
CVE to Present Paper at AFCEA Federal Database Colloquium & Exposition
CVE Team Member Robert A. Martin will present his paper on CVE, entitled "Developing on the Net, Dealing with Software Vulnerabilities," at the AFCEA Federal Database Colloquium & Exposition in San Diego, California, USA, August 28-30. Armed Forces Communications and Electronics Association (AFCEA) is a national and international association for communications, electronics, intelligence, and information system professionals.
CVE Featured Topic in Security Wire Digest Article
CVE was the main topic of an article in the July 16th issue of Security Wire Digest. In the article entitled "Lack of Common Meanings Slows CVE Progress," the author describes the process of creating CVE names and then explains how CVE has developed an automated engine that sifts through various vulnerability alerts to form a single reference to expedite the distillation process. He further states: "evaluating and recording vulnerabilities is a time-consuming and laborious process ... the real problem is devising criteria that the security community can agree upon for what constitutes a vulnerability." The author quotes CVE co-founder and editor of the CVE List, Steve Christey: "This is the bottleneck we face," Christey says. "Even getting to a point of assigning just a candidate name is difficult." The author then states that while progress in developing CVE is a slow process, "sysadmins say it's already having a positive effect."
CVE Briefs at Black Hat Briefings
On July 11, Steve Christey, the co-creator of CVE and editor of the CVE List, discussed CVE at the Black Hat Briefings in Las Vegas, Nevada, USA. The briefing, entitled "CVE Behind the Scenes: The Complexity of Being Simple," was well received and focused on the various technical issues encountered in CVE. A summary of the briefing is available on the conference Web site, or you may read or download the briefing from the CVE Documents page.
CVE Editorial Board Holds Teleconference
The CVE Editorial Board held a teleconference on Thursday, June 21, 2001, with 19 Board members participating. Topics included CVE content status and new goals; Board roles, tasks, and issues; and candidate reservation and the role of Candidate Numbering Authorities (CNAs), including MITRE's role as the primary CNA.
Entercept Security Technologies Makes CVE Compatibility Declaration
Entercept Security Technologies has declared that its Host Protection System, Entercept, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
Qualys Makes CVE Compatibility Declaration
Qualys has declared that its Network and Application Vulnerability Assessment Platform, QualysGuard, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
CVE Featured Topic in Network World Fusion Security Newsletter
CVE was the featured topic in the June 20th Network World Fusion Security Newsletter, in part two of a four-part series. In the article entitled "Alerts and Vulnerabilities, Part 2," the author discusses what CVE is and is not, provides the CVE definition of a 'universal vulnerability,' notes that CVE is free to download or review, and gives a link to the CVE Web site. The article also mentions that CVE enables the National Institute of Standards and Technology's (NIST) ICAT metabase. ICAT is listed on the CVE-compatible products page, and NIST is a member of the CVE Editorial Board.
CVE to Brief at Black Hat Briefings
On July 11, Steve Christey, the co-creator of CVE and editor of the CVE List, will be discussing CVE at the Black Hat Briefings in Las Vegas, Nevada, USA. The talk, entitled "CVE Behind the Scenes: The Complexity of Being Simple," will focus on various technical issues that are encountered in CVE. A summary of the briefing is available on the conference Web site.
New Editorial Board Member
Dana Foat of the National Security Agency (NSA) has joined the Editorial Board.
LURHQ Corporation Makes CVE Compatibility Declaration
LURHQ Corporation has declared that its Enterprise Security Monitoring Service product, Managed SherlockESM, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
SPI Dynamics Makes CVE Compatibility Declaration
SPI Dynamics has declared that its Web Assessment product, WebInspect, and Log Analysis product, LogAlert, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products page.
CVE Featured Topic in ZDNet Security Opinion Article
CVE was the featured topic in a recent Security Opinion article on the ZDNet Business & Technology Web site. The column, entitled "A common language for security vulnerabilities," focused on the benefits of CVE for network managers and security administrators. The article described how CVE can be used as a basis for evaluating the coverage of scanning and intrusion detection tools, discussed candidates and the CVE naming process, listed some CVE-compatible products, and noted that there are 1,510 entries in the current version of the CVE List. In this opinion column, the author states: "All security vendors should adopt [the CVE] nomenclature. There is no fee for obtaining the CVE List, and in fact you can download the entire list with a click from [the CVE Web site]." The author further states: "The CVE List makes it easier for security vendors to develop intrusion detection and scanning tools. As more IT decision makers understand the meaning of CVE, products with CVE-compatible names will likely receive a better reception on the market."
nSecure Software Makes CVE Compatibility Declaration
nSecure Software has declared that its IDS product, nPatrol, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
CVE Mentioned in Computerworld Magazine's Security Manager's Journal Column
CVE was included as one of three links in the This Week's Links sidebar in a recent Security Manager's Journal column in Computerworld magazine. The sidebar included a link to the CVE Web site and described CVE as follows: "The Common Vulnerabilities and Exposures Web site, hosted by The MITRE Corp. in Bedford, Mass., includes a large [list] of publicly known security problems."
MITRE Briefs CVE at DOE Computer Security Conference
MITRE presented a briefing on CVE at the U.S. Department of Energy's (DOE) 23rd DOE Computer Security Group Training Conference in Cincinnati, Ohio, on May 9, 2001. The presentation was successful and introduced CVE to DOE and DOE contract personnel involved in the acquisition, development, operation, maintenance, and use of information technology and office automation support systems.
Latest Version of CVE List Exceeds 1,500 Entries!
CVE version 20010507 has just been released. It has 201 new entries and one deprecated entry, for a total of 1,510 entries. An additional 953 candidates are still being reviewed by the Editorial Board. A report is also available to identify the differences between this version and the previous version, 20010122.
CVE is publicly available and free to use. You may view, search, or download CVE, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself.
MITRE to Brief CVE at DOE Computer Security Conference
MITRE is scheduled to present a briefing on CVE at the U.S. Department of Energy's (DOE) 23rd DOE Computer Security Group Training Conference at the Regal Cincinnati Hotel in Cincinnati, Ohio, on May 9, 2001. The presentation will introduce CVE to DOE and DOE contract personnel involved in the acquisition, development, operation, maintenance, and use of information technology and office automation support systems. The conference is scheduled for May 7-10.
MITRE Paper on CVE Published in Crosstalk Magazine
A paper entitled "The Vulnerabilities of Developing on the Net" was published in the April 2001 issue of Crosstalk magazine, Volume 14, Number 4. The paper, which discusses correcting vulnerabilities and exposures in the commercial software that is used to develop an organization's infrastructure, was written by CVE Team member Robert A. Martin, who also serves as co-lead for MITRE's Cyber Resource Center and is a principal engineer in MITRE's Information Technologies Directorate. Crosstalk is published by the U.S. Air Force's Software Technology Support Center (STSC). You may read the paper online or download a PDF.
MITRE to Present Paper on CVE at STSC Software Technology Conference
Robert A. Martin is scheduled to present his paper on CVE entitled "The Vulnerabilities of Developing on the Net" at STSC's Thirteenth Annual Software Technology Conference, at Salt Palace Convention Center, in Salt Lake City, Utah, on May 2, 2001. The paper was also published in the April 2001 issue of Crosstalk magazine, STSC's journal of defense software engineering.
Penta Security Systems Makes CVE Compatibility Declaration
Penta Security Systems has declared that its IDS product is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
MITRE Presents CVE Briefing at ISADS Conference
MITRE presented a briefing on CVE at the "Fifth International Symposium on Autonomous Decentralized Systems (ISADS) with an Emphasis on Electronic Commerce," in Dallas, Texas on March 26-28, 2001. The purpose of the symposium was to discuss next-generation systems, which are based on emerging commercial technologies and applications. These systems are expected to have the characteristics of living systems composed of largely autonomous and decentralized components. MITRE's participation in this conference introduced CVE to a new, broader audience of professionals interested in electronic commerce, telecommunications, information service systems, manufacturing systems, real-time event management, office automation, traffic and transportation control, and logistics systems.
CVE Referenced in ACM SIGSOFT Software Engineering Notes Article
CVE was included as part of a survey of security-related Web sites in the Association for Computing Machinery (ACM) Special Interest Group on Software Engineering (SIGSOFT) newsletter, Software Engineering Notes, Vol. 26, No. 2. The article, entitled "Surfing the Net for Software Engineering Notes: Security-Related Web Sites," includes a description of CVE, the CVE Web site URL, and a screen capture of the main page of the About CVE section of the CVE Web site.
CVE Noted in Government Computer News Article
CVE was noted briefly in a recent Government Computer News article entitled, "Daily Updates: Web Sites Give Computer Security Advice." The article, which describes three Web sites that can provide security help to federal system administrators, noted CVE in reference to ICAT: "The ICAT Metabase, at icat.nist.gov [see www.gcn.com/vol19_no23/news/2683-1.html] details more than 2,300 known computer and network vulnerabilities, organized by the Common Vulnerabilities and Exposures naming standards developed two years ago by MITRE Corp. of Bedford, Mass." The National Institute of Standards and Technology (NIST) ICAT metabase is listed on the CVE-compatible products page, and NIST is a member of the CVE Editorial Board.
CVE Mentioned in Article About Technology Transfer
CVE was referenced in an article on the MITRE Web site entitled, "Project Showcase: MITRE's Technology Transfer Office Q&A with Gerard Eldering." CVE is mentioned in a portion of an answer regarding industry standards, in which CVE is referred to as "participation in the development of industry standards that achieves the best possible outcome." The article also includes a description of what CVE is and is not, as well as a link to the CVE Web site.
CVE Editorial Board Holds Meeting
The CVE Editorial Board held a face-to-face meeting on March 15-16, 2001 at Cisco in Austin, Texas. Topics of discussion included current and future roles and tasks of Editorial Board members, reserving candidate numbers and the role of the Candidate Numbering Authority (CNA), issues related to producing a Common Intrusion Event List (CIEL) to provide a naming standard for IDS events, CVE compatibility, CVE maintenance issues, future CVE activities, voting on candidates, and content decisions.
MITRE Presents CVE Briefing to Defense Logistics Agency
MITRE presented a briefing on CVE to the Defense Logistics Agency (DLA), Fort Belvoir, VA, on March 23, 2001. DLA is a logistics combat support agency that provides supplies and services to America's military forces across the country and worldwide. DLA's mission includes "managing over four million consumable items and processing more than 30 million annual distribution actions."
MITRE Presents CVE Briefing at Boston University
MITRE presented a briefing about CVE to Master of Business Administration (MBA) and Management Information System (MIS) graduate students at Boston University, Boston, MA, on March 12, 2001. This interactive discussion introduced the benefits of CVE to this group of current and upcoming information technology professionals and policy/decision makers.
Microsoft References CVE Candidate Numbers in Security Alerts
Microsoft Corporation recently released security advisories that included CVE candidate numbers. For example, the advisory, "Microsoft Security Bulletin (MS01-015), IE can Divulge Location of Cached Content" identified CAN-2001-0002, CAN-2001-0148, CAN-2001-0149, and CAN-2001-0150. Also, the advisory, "Microsoft Security Bulletin (MS01-011), Malformed Request to Domain Controller can Cause CPU Exhaustion," identified CAN-2001-0018.
Including candidate numbers in security advisories ensures that the candidates are inserted into the community as early as possible, which makes it easier for people to obtain the CVE name for an important issue. To date, CVE candidate numbers have been included in advisories from the following organizations: @stake, BindView, CERT/CC, Compaq Computer Corporation, IBM Emergency Response Service (ERS), Internet Security Systems (ISS), Network Associates (NAI), Rain Forest Puppy, SGI, and Symantec, among others.
New Editorial Board Member
John Flowers of Hiverworld has joined the Editorial Board. Tom Stracener of Hiverworld also remains as a Board member.
Other CVE Editorial Board Change
David Balenson of PGP Security, Network Associates, has left the Editorial Board. Jim Magdych of PGP Security, Network Associates remains as a Board member. See the CVE Editorial Board page for the most up-to-date list of Board members.
CVE Exhibits at MISTI's InfoSec World 2001
MITRE hosted a CVE exhibitor booth at MIS Training Institute's (MISTI) InfoSec World Conference and Expo/2001, February 26-27 at Disney's Coronado Springs Resort, Orlando, FL. The conference was successful and introduced CVE and CVE-compatible products to a variety of information security policy/decision makers and computer security specialists from government, industry, and academia.
MITRE's The Edge Magazine Focuses on Topic of Information Assurance
Information assurance is the featured topic in the most recent issue of MITRE's The Edge magazine. The issue includes an article on CVE entitled, "CVE Continues to Grow," written by MITRE CVE team members Pete Tasker and Margie Zuk.
CVE Referenced as Resource in Richmond Journal of Law & Technology
CVE is included as a reference in an article entitled "State Cybercrime Legislation in the United States of America: A Survey", in The Richmond Journal of Law & Technology, Volume VII, Issue 3, Winter 2001. The reference includes a brief description of CVE and also provides a link to the CVE Web site.
MITRE Presents CVE Briefing to AFCEA
MITRE presented a briefing on the benefits of CVE to the Germantown, MD, chapter of the Armed Forces Communications and Electronics Association (AFCEA), January 18, 2001. AFCEA is a national and international association for communications, electronics, intelligence, and information system professionals.
CVE-Compatible Products at MISTI's InfoSec World Conference and Expo/2001!
The following organizations with CVE-compatible products will be hosting booths at MIS Training Institute's (MISTI) InfoSec World Conference and Expo/2001: AXENT, BindView, CyberSafe, Harris, Internet Security Systems, Symantec, Tivoli, and World Wide Digital Security. MITRE will also host a CVE booth.
The conference will be held February 26-27 at Disney's Coronado Springs Resort, Orlando, FL. Stop by any of these booths or visit the Calendar or CVE-Compatible Products pages to learn more.
New Editorial Board Member
John Rhodes of the Department of Energy Computer Incident Advisory Center (DOE-CIAC) has joined the Editorial Board.
Editorial Board Holds Teleconference
The CVE Editorial Board held a teleconference on Thursday, January 18, 2001, with 15 Board members participating. Topics included CVE content status and new goals, MITRE's goals for creating candidates for older security problems, Board voting status and issues, entry deprecation and modification, candidate rejection, and confidence levels.
CVE Version 20010122 Released
CVE version 20010122 has been released. It has 232 new entries, for a total of 1309 entries. 815 candidates are still being reviewed by the Editorial Board. A report is also available to identify the differences between this version and the previous version, 20001013.
Compaq References CVE Candidate Number in Security Alert
Compaq Computer Corporation recently released a security advisory that included a CVE candidate number. The advisory, "Potential Security setgid problem with locale message files (Compaq Case ID: SSRT0689U)" identified CAN-2000-0844.
Intranode Makes CVE Compatibility Declaration
Intranode has declared that its Continuous Security Risk Management and Vulnerability Assessment service is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
CVE Referenced in Computerworld Article
CVE was referenced in a recent article in Computerworld magazine entitled, "IT Agenda 2001: Pick Your Security Officer's Brain." In a section entitled, "Get Involved in Standards," the article quotes Jerry Dixon, director of information security at Marriott International Inc., Bethesda, MD, who says he's "heartened to see not only vendors but also the security community at large start to pass standards that will simplify some of the complexities faced by IT security leaders. For example, he points to the Common Vulnerabilities and Exposures (CVE), an indexing system for vulnerabilities and threats that was started last year by Bedford, Mass.-based MITRE Corp." In a direct quote, Dixon says, "[CVE] effectively created a national standard on communicating different types of vulnerabilities and exposures so that all agencies - commercial vendors, alert publications and newsgroups - are speaking the same language. This now allows security teams to effectively communicate exploits or findings with one another."
Network Computing References CVE in Tool Comparison
Network Computing recently performed a comparison of vulnerability scanners in which they include a "scanner features" matrix with "CVE cross-references" as a featured part of the comparison. Five of the eight products included CVE cross-references, meaning that they can be used in conjunction with other CVE-compatible products for better security coverage and improved interoperability. Other vendors not listed in the comparison have also made declarations of CVE compatibility. In addition, the article references CVE as a means of navigating through the numbers game: "MITRE Corporation's CVE (Common Vulnerabilities and Exposures) project is attempting to bring some method to the madness by enumerating and classifying known vulnerabilities. This could help bring some objectivity into the picture..."
CVE to Host Booth at InfoSec World Conference and Expo/2001 February 26-28
MITRE is scheduled to host a CVE exhibitor booth at MIS Training Institute's (MISTI) InfoSec World Conference and Expo/2001, at Disney's Coronado Springs Resort, FL, February 26-28. The conference will expose CVE to a new audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, information security staff, network and systems security administrators, data security professionals, IT auditors, CIOs, IT/MIS staff, systems planners and analysts, systems administrators, software and application developers, engineers, technical and support specialists, systems integrators, Web masters, strategic planners, and other information security vendors. In addition, companies with CVE-compatible products will be exhibiting.
CVE Referenced Extensively in Securitywatch.com Article
CVE was referenced extensively in an article on Securitywatch.com. The primary focus of the article was ICAT, a searchable vulnerability index maintained by the National Institute of Standards and Technology (NIST). ICAT, which has a CVE compatibility declaration on our CVE-Compatible Products page, uses CVE names and candidates as the basis of its service, taking the standardized CVE names and then providing links to the appropriate public vulnerability databases, which in turn provide users with detailed vulnerability and patch information. The article, entitled "The Lowdown on the NIST's ICAT," references CVE throughout and also provides a link to the CVE Web site.