New Standard for Vulnerability Assessment Builds upon CVE
A new community-based standard for vulnerability assessment, the Open Vulnerability Assessment Language (OVAL), uses CVE names and CVE candidates as the basis for queries that determine if certain vulnerabilities are present on local computer systems. The MITRE Corporation issued a news release announcing OVAL on December 10, 2002.
OVAL provides a common language for security experts to discuss the technical details of how to check for the presence of vulnerabilities on local systems. These discussions occur on the OVAL Community Forum and include participation from members of the industry-based OVAL Board (many of whom are also members of the CVE Editorial Board), as well as system administrators, software vendors, security analysts, and others from across the information security community. The end results are collaboratively developed SQL queries, called OVAL queries, which are based on a common OVAL Schema and are an implementation of the language. For each CVE entry there are one or more OVAL queries that measure the presence of that vulnerability on an end system. OVAL's initial supported platforms are Windows 2000, Windows NT 4.0, Solaris 7, and Solaris 8. Red Hat Linux is supported in draft form. OVAL queries are available for review on the OVAL Web site.
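As an added illustration of the query-over-system-state model described above (example code written for this page, not MITRE's OVAL Schema or any published OVAL query): facts about each host are loaded into relational tables, and each check is an SQL statement keyed by a CVE/CAN name that returns the hosts on which the vulnerable condition is observed. The table layout, the sample hosts, the package name examplepkg, the file path and the names CAN-0000-0001 and CAN-0000-0002 are all constructed placeholders, not real candidates or real checks.

```python
"""Toy OVAL-style checker: host state in SQL tables, one query per CVE/CAN name.

Added example for illustration only.  The schema, sample data and the
CAN-0000-xxxx names are placeholders; they are not the OVAL Schema and
not real CVE candidates.
"""
import re
import sqlite3

# Naming convention in force when OVAL was announced: accepted entries are
# CVE-YYYY-NNNN, candidates under Editorial Board review are CAN-YYYY-NNNN.
NAME_RE = re.compile(r"^(CVE|CAN)-\d{4}-\d{4,}$")

# Placeholder host-state schema (assumption: not the real OVAL Schema).
SCHEMA = """
CREATE TABLE host      (hostname TEXT, os TEXT, os_version TEXT);
CREATE TABLE package   (hostname TEXT, name TEXT, version TEXT);
CREATE TABLE file_perm (hostname TEXT, path TEXT, mode INTEGER);
"""

# Constructed sample inventory: 'alpha' runs the fixed package version but
# has a world-writable config file; 'beta' runs the old package version.
SAMPLE_ROWS = {
    "host": [("alpha", "solaris", "8"), ("beta", "solaris", "8")],
    "package": [("alpha", "examplepkg", "1.10.0"), ("beta", "examplepkg", "1.9.0")],
    "file_perm": [("alpha", "/etc/example.conf", 0o666),
                  ("beta", "/etc/example.conf", 0o644)],
}

# One query per placeholder candidate name.  A query returns one row per host
# on which the vulnerable condition holds, so "no rows" means "not present".
CHECKS = {
    "CAN-0000-0001": """
        SELECT h.hostname FROM host h JOIN package p USING (hostname)
        WHERE h.os = 'solaris' AND h.os_version = '8'
          AND p.name = 'examplepkg' AND version_lt(p.version, '1.10.0')
    """,
    "CAN-0000-0002": """
        SELECT hostname FROM file_perm
        WHERE path = '/etc/example.conf' AND (mode & 2) != 0  -- world-writable
    """,
}


def version_tuple(v):
    """Dotted numeric version string -> tuple of ints (assumes a.b.c form)."""
    return tuple(int(x) for x in v.split("."))


def version_lt(a, b):
    """True (1) if version a is older than b; registered as an SQL function
    because plain string comparison would order '1.10.0' before '1.9.0'."""
    return int(version_tuple(a) < version_tuple(b))


def load_host_state(rows=SAMPLE_ROWS):
    """Build an in-memory database holding the collected host facts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, data in rows.items():
        placeholders = ",".join("?" * len(data[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", data)
    conn.create_function("version_lt", 2, version_lt)
    return conn


def run_checks(conn, checks=CHECKS):
    """Run every check; return {name: sorted list of hosts where it fires}.
    Rejects keys that are not in CVE/CAN name form so results stay keyed
    by the shared identifier other tools can correlate on."""
    results = {}
    for name, query in checks.items():
        if not NAME_RE.match(name):
            raise ValueError(f"not a CVE/CAN name: {name}")
        results[name] = sorted(row[0] for row in conn.execute(query))
    return results


if __name__ == "__main__":
    for name, hosts in run_checks(load_host_state()).items():
        print(name, "present on:", hosts or "none")
```

Two points worth noting. Keying every check by the CVE/CAN name, rather than by a tool-specific ID, is what lets the output be correlated with advisories and other scanners, which is the whole reason the queries are built on CVE. And the version comparison is deliberately done in a registered function rather than with SQL string operators: lexically, '1.10.0' sorts before '1.9.0', so a string comparison would report the patched host as vulnerable and miss the unpatched one.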
The OVAL Web site is listed on the CVE-Compatible Products/Services page, or you may visit the site directly at https://oval.mitre.org.
Obtaining CVE Candidate Numbers Included as Major Step in Latest ISS Disclosure Process on Security Warnings
CVE was included in a December 3, 2002 article entitled "ISS revamps disclosure process on security warnings" on Computerworld.com. In the article the author outlines Internet Security Systems' (ISS) new security disclosure guidelines (download PDF from ISS), which are dated November 18, 2002 and include four phases: discovery, vendor notification, customer notification, and public disclosure. The author notes that obtaining CVE candidate numbers (CANs) from the CVE Initiative is included by ISS as a major step after vendor notification and prior to customer notification: " . . . the usual procedure is for X-Force after 30 days to contact The [MITRE Corporation], a nonprofit research company in Bedford, Mass., to receive a common vulnerability and exposures candidate number that sets a standard name for the vulnerability." ISS is a member of the CVE Editorial Board, has several products listed on the CVE-Compatible Products/Services page, and includes CANs in its security advisories.
MITRE Corporation Makes CVE Compatibility Declaration
The MITRE Corporation has declared that the Web site for its new vulnerability assessment standard, the Open Vulnerability Assessment Language (OVAL), is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
netForensics, Inc. Makes CVE Compatibility Declaration
netForensics, Inc. has declared that netForensics, its security information management, notification, and analysis service, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Edgeos, Inc. Makes CVE Compatibility Declaration
Edgeos, Inc. has declared that its network security analysis service, EdgeSecure, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Host Booth/Participate on Panels at the 7th Annual Information Assurance (IA) Workshop, January 28 - 30
MITRE is scheduled to host a CVE exhibitor booth at the Defense Information Systems Agency (DISA) and National Security Agency (NSA) "7th Annual Information Assurance (IA) Workshop" at the Williamsburg Marriott Hotel, Williamsburg, Virginia, USA, January 28-30, 2003. Members of the CVE Team will also participate as panel members in workshop tutorials. The purpose of the workshop is to "provide a forum in which the IA community can provide updates and work issues on relevant IA topics" that have been aligned with the goals of Department of Defense (DOD) IA strategy. Attendance is limited to DOD and other Federal Government employees and their sponsored contractors. Visit the CVE Calendar page for information on this and other upcoming events.
CVE Featured Topic in IATAC's Information Assurance Newsletter
CVE was the featured topic in an article entitled "Enterprise Security Enabled by CVE" in the Fall 2002 issue of Information Assurance Newsletter. The article, which was written by CVE Compatibility Lead Robert A. Martin, describes how CVE compatibility enables enterprise security through the use of shared CVE names. The article also discusses how using CVE-compatible products/services improves how an organization responds to security advisories. A graphical representation of a CVE-enabled process is also included. IA Newsletter is a publication of the Information Assurance Technology Analysis Center (IATAC), a U.S. Department of Defense Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC), which is part of the Defense Information Systems Agency (DISA).
CVE Hosts Booth/Presents Paper at "IMN Cyber Security in the Financial Sector Summit"
MITRE hosted a CVE exhibitor booth at the "IMN Cyber Security in the Financial Sector Summit" at the Crowne Plaza Times Square, New York, New York, USA, November 20-22. In addition, CVE Compatibility Lead Robert A. Martin presented his paper on CVE entitled "Integrating Your Information Security Vulnerability Management Capabilities through an Industry Standard (CVE)" on November 22nd. The summit and exposition were successful and exposed the CVE Initiative to high-level policy and decision makers from the private sector, state and local governments, and U.S. government agencies responsible for protecting the critical infrastructures of the financial sector. Several companies with CVE-compatible products/services also exhibited. Visit the CVE Calendar page for information on upcoming events.
"CVE Announce" e-Newsletter Adds 1,000+ Subscribers since January
Since January of this year, 1,067 information security professionals and others have subscribed to the CVE-Announce e-newsletter for a total of 3,133 subscribers. CVE-Announce is free, issued once every two weeks or less, and provides general news about CVE such as new versions, new compatible product vendors, upcoming conferences, new Web site features, etc.
Based upon email addresses, CVE-Announce has an extensive international audience: 85 countries are represented with 754 subscribers from countries with Internet domains where English is not the native language, 152 subscribers from English speaking countries with Internet domains, and 2,227 subscribers from general USA Internet domains (i.e., com, net, mil, org, edu, and gov).
In addition to CVE-Announce, users may also subscribe to CVE-Data-Update for technical updates. Intended for technical users of CVE such as vulnerability database maintainers or those who require timely notification of new candidates, the CVE-Data-Update e-newsletter is issued once per week or less and provides subscribers with reports of new CVE entries and/or candidates and other detailed technical information regarding CVE.
You may sign up for either or both free e-newsletters to receive information and updates directly in your mailbox.
Application Security, Inc. Makes CVE Compatibility Declaration
Application Security, Inc. has declared that its vulnerability assessment tool, AppDetective for IBM DB2, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Joeun Security Co., Ltd. Makes CVE Compatibility Declaration
Joeun Security Co., Ltd. has declared that Cypollo-N, its network-based intrusion detection system, and Cypollo-H, its host-based intrusion detection system, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Host Booth/Present Paper at IMN Cyber Security in the Financial Sector Summit November 20-22
MITRE is scheduled to host a CVE exhibitor booth at the IMN Cyber Security in the Financial Sector Summit at the Crowne Plaza Times Square, New York, New York, USA, November 20-22. Robert A. Martin, CVE Compatibility Lead, will present his paper on CVE entitled "Integrating Your Information Security Vulnerability Management Capabilities through an Industry Standard (CVE)" on November 22nd. Several companies with CVE-compatible products/services will also be exhibiting throughout the exposition.
This summit and exposition will expose the CVE Initiative to professionals from U.S. government agencies, state and local governments, and the private sector responsible for protecting the critical infrastructures of the financial sector.
Visit the CVE Calendar page for information on this and other upcoming events.
TippingPoint Technologies Makes CVE Compatibility Declaration
TippingPoint Technologies has declared that its Network-Based Intrusion Prevention System, UnityOne Network Defense System, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Presents Paper at 21st Digital Avionics Systems Conference
Robert A. Martin, CVE Compatibility Lead, presented his paper on CVE entitled "Managing Vulnerabilities In Your Commercial-Off-The-Shelf (COTS) Systems Using An Industry Standards Effort" at the 21st Digital Avionics Systems Conference in Irvine, California, USA, on October 27th. The presentation was well received and introduced CVE to a variety of civilian, government, and military professionals specializing in air traffic management systems and avionics.
CVE Presents Briefing at Open Source Security Summit
Steve Christey, co-creator of CVE and editor of the CVE List, presented a briefing entitled "Vulnerability Disclosure and CVE" at the Open Source Security Summit in Washington, D.C., USA on October 29th. The presentation was well received and introduced CVE to an international audience of enterprise security experts interested in securing infrastructures with open source software. The conference was co-sponsored by Red Hat and Dell. Red Hat is a member of the CVE Editorial Board and is listed on the CVE-Compatible Products/Services page.
CVE Presents Paper at NDIA 5th Annual Systems Engineering Conference
Robert A. Martin, CVE Compatibility Lead, presented his paper on CVE entitled "Managing Software Risks in Software Intensive Systems with Metrics and Measures" at the National Defense Industrial Association's (NDIA) 5th Annual Systems Engineering Conference in Tampa, Florida, USA, on October 24th. The presentation was well received and introduced CVE to a variety of government and military professionals specializing in communications, electronics, intelligence, and information systems.
CVE Exhibits at SANS Network Security 2002
MITRE hosted a CVE exhibitor booth at SANS Network Security 2002, October 22-24, in Washington, D.C., USA. The conference was successful and introduced the CVE Initiative and CVE-compatible products/services to a diverse audience of security and audit professionals and system and network administrators.
Several Tools Scan for CVE Names Included in the "Top Twenty" Internet Security Threats List
Several tools are now available that scan for the vulnerabilities included in the SANS/FBI Twenty Most Critical Internet Security Vulnerabilities consensus list. A PDF describing the five organizations offering the tools may be downloaded from the SANS Web site.
All of the organizations identified and their scanners are listed on the CVE-Compatible Products and Services page: Qualys, Internet Security Systems, Foundstone, Nessus, and Advanced Research Corporation. The scanners are all CVE-compatible and use CVE names and CVE candidates (CANs) to uniquely identify the vulnerabilities described in the top twenty list.
SANS is a member of the CVE Editorial Board and its education and training materials are listed on the CVE-Compatible Products and Services page.
CVE Editorial Board Holds Teleconference
The CVE Editorial Board held a teleconference on Thursday, October 17, 2002, with 12 Board members participating, and four representatives from MITRE. Topics included CVE content status and issues; Board membership roles and issues; and an introduction to the entire Board regarding a new MITRE project, of which some Board members are a part, focusing on the synergistic relationship between CVE names and system vulnerability scanners.
Qualys Makes CVE Compatibility Declaration
Qualys has declared that its free QualysGuard SANS/FBI Top 20 Vulnerabilities Scanner, and its intranet vulnerability assessment service, QualysGuard Intranet Scanner, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Present Paper at NDIA 5th Annual Systems Engineering Conference
Robert A. Martin, CVE Compatibility Lead, will present his paper on CVE entitled "Managing Software Risks in Software Intensive Systems with Metrics and Measures" at the National Defense Industrial Association's (NDIA) 5th Annual Systems Engineering Conference in Tampa, Florida, USA, on October 24th.
The conference will focus on "Mission Capability Areas and Weapon/Command & Control Systems, including Interoperability, Supportability and reducing Total Ownership Costs, will be convened ... under the auspices of the National Defense Industrial Association, Systems Engineering Division in conjunction with the Director, Interoperability, Office of the Under Secretary of Defense, Acquisition, Technology and Logistics (AT&L), with technical co-sponsorship by the International Council on Systems Engineering (INCOSE)." The conference will run October 21-24.
Visit the CVE Calendar page for information on this and other upcoming events.
CVE Names Included in Consensus List of "Top Twenty" Internet Security Threats
The recently updated Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on October 7, 2002. The list includes CVE names and CVE candidates (CANs) to uniquely identify the vulnerabilities it describes. This will help system administrators use CVE-compatible products and services to help make their networks more secure.
In addition, the introduction page includes a note that describes what CVE is, provides a link to the CVE Web site, and states: "The CVE and CAN numbers reflect the top priority vulnerabilities that should be checked for each item [on the consensus list]."
SANS is a member of the CVE Editorial Board and its education and training materials are listed on the CVE-Compatible Products and Services page.
CVE to Present Briefing at Open Source Security Summit
Steve Christey, co-creator of CVE and editor of the CVE List, will present a briefing entitled "Vulnerability Disclosure and CVE" at the Open Source Security Summit in Washington, D.C., USA on October 29th.
The conference, co-sponsored by Red Hat and Dell, will expose CVE to an international audience of enterprise security experts interested in securing infrastructures with open source software. Red Hat is a member of the CVE Editorial Board and its Apache Week Web Server and Red Hat Security Advisories are listed on the CVE-Compatible Products and Services page.
Visit the CVE Calendar page for information on this and other upcoming events.
CVE Recommended by NIST in Special Publication 800-51 "Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme"
The USA National Institute of Standards and Technology (NIST) released a September 2002 special document, NIST Special Publication (SP) 800-51, "Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme," that recommends the use of the CVE List and CVE-compatible products and services by U.S. agencies. A draft of this document was issued for public comment and review in January.
Specifically, the final publication "recommends that federal agencies make use of the Common Vulnerabilities and Exposures (CVE) vulnerability naming scheme by (1) giving substantial consideration to the acquisition and use of security-related IT products and services that are compatible with CVE; (2) monitoring their systems for applicable vulnerabilities listed in CVE; and (3) using CVE names in their descriptions and communications of vulnerabilities."
The document is available on the NIST Special Publications page of the NIST Computer Security Resource Center (CSRC) Web site. NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-compatible products/services page.
Archer Technologies LLC Makes CVE Compatibility Declaration
Archer Technologies LLC has declared that its security knowledge management integration and functionality portal, Archer Technologies Security2002, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE List Exceeds 5,000 Security Issues
Since 1999, the CVE List has grown from the original 321 official CVE entries (also called "names") to 2,223 entries and 2,900 CVE candidates, which are those vulnerabilities or exposures under consideration for acceptance into CVE. This means there are currently 5,123 unique issues with publicly known names available on the CVE Web site.
And the list is always growing. Approximately 100 new candidates are added each month based upon newly discovered issues. Use Get CVE to view, search, or download the CVE List or the candidates.
CVE Presents Paper at Quality Week Conference
Robert A. Martin, CVE Compatibility Lead, presented his paper entitled "Vulnerabilities and Developing on the Net" at the Quality Week 2002 Conference on September 5th. "The mission of the Quality Week conference is to increase awareness of the entire spectrum of methods used to achieve Internet and software quality." The conference was held September 3-6 in San Francisco, California, USA.
Visit the CVE Calendar page for information on upcoming events.
CVE Hosts Booth/Participates on Discussion Panels at SECTOR 5 Conference
MITRE hosted a CVE exhibitor booth August 21-23 at the SECTOR 5 Global Summit Exploring Cyber Terrorism and the Targets of Critical Infrastructures in Washington, D.C., USA. MITRE also participated on two discussion panels, one on Telecommunications and Information Services, and the other on Vital Health, Safety, and Emergency Services. The conference exposed CVE to a new audience of executive-level policy and decision makers from government and industry responsible for critical infrastructure security. Several companies with CVE-compatible products/services also exhibited.
CVE Included in TechRepublic Article about Preventing and Dealing with Network Hacks
CVE was included in an August 12, 2002 article entitled "Strategies to Prevent and Deal with Network Hacks" on TechRepublic.com. CVE is mentioned in a section about reading up on new security threats in which the author states: "Another excellent source of information is the Common Vulnerabilities and Exposures (CVE) [List] maintained by The MITRE Corporation. It offers a list of standardized names for vulnerabilities and information security exposures. On its site, MITRE cites the list as a sort of dictionary that helps tech professionals understand vulnerabilities and enables data sharing about threats contained in different databases. The CVE List can be downloaded and used as an internal vulnerability reference in the event an attack occurs." The article also provides a link to the CVE Web site.
IntruVert Networks, Inc. Makes CVE Compatibility Declaration
IntruVert Networks, Inc. has declared that its network-based intrusion detection system, IntruShield, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Senior Advisory Council Holds Meeting
The CVE Senior Advisory Council held a meeting on Wednesday, August 14, 2002. The council was briefed on the significant increases in the rate of vulnerability discovery, the issues involved in responsible disclosure, and their impact on CVE. The meeting emphasized the synergistic relationships among CVE names, standard configuration guides, and system vulnerability scanners.
OneSecure, Inc. Makes CVE Compatibility Declaration
OneSecure, Inc. has declared that its OneSecure Intrusion Detection and Prevention (IDP) System is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Kingnet Security, Inc. Makes CVE Compatibility Declaration
Kingnet Security, Inc. has declared that its Kingnet Intrusion Detection System is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Rapid 7, Inc. Makes CVE Compatibility Declaration
Rapid 7, Inc. has declared that its vulnerability assessment tool, NeXpose, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Host Booth/Participate on Discussion Panels at SECTOR 5 Critical Infrastructures Conference August 21-23
MITRE is scheduled to host a CVE exhibitor booth at the SECTOR 5 Global Summit Exploring Cyber Terrorism and the Targets of Critical Infrastructures at the Grand Hyatt Washington, Washington, D.C., USA, August 21-23. MITRE will also be participating on two discussion panels during the conference, one on Telecommunications and Information Services, and the other on Vital Health, Safety, and Emergency Services. Several companies with CVE-compatible products/services will also be exhibiting.
This conference will expose CVE to executive-level policy and decision makers from government and industry including "critical infrastructure security officers and executive management, federal and state security officers, chief executive officers, chief technology officers, chief information officers, MIS executives, IS executives, IT executives and risk management officers from domestic and multinational corporations, global cyber and high tech crime officials, appropriate military officers and personnel, and government officials."
Vigilinx, Inc. Makes CVE Compatibility Declaration
Vigilinx, Inc. has declared that its vulnerability database and threat notification service, Vigilinx IntelliSHIELD Security Intelligence Service, its intrusion monitoring and response service, Vigilinx Managed Network and Host Intrusion Detection System, and its Vigilinx Vulnerability Management Service, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Symantec Makes CVE Compatibility Declaration
Symantec has declared that its security vulnerabilities and advisories Web site and email service, Symantec Security Response, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Presents Paper at FIRST Conference
Steve Christey, co-creator of CVE and editor of the CVE List, and Robert A. Martin, CVE Compatibility Lead, presented a paper entitled "A Progress Report on the CVE Initiative" at the FIRST 14th Annual Computer Security Incident Handling Conference on June 27th. Forum of Incident Response and Security Teams (FIRST) is an international association of computer security incident response teams from government, commercial, and academic organizations. The conference was held June 24-28 in Kona, Hawaii.
Visit the CVE Calendar page for information on upcoming events.
New CVE Version Released
CVE version 20020625 has just been released. It has 191 new entries for a total of 2,223 official CVE entries. An additional 2,419 candidates are still being reviewed by the CVE Editorial Board.
With the new release there are now 4,642 unique issues with publicly known names available on the CVE Web site. A report is available to identify the differences between this version and the previous version, 20020309.
CVE is publicly available and free to use. You may view, search, or download CVE, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself.
eEye Digital Security Makes Compatibility Declaration
eEye Digital Security has declared that its vulnerability assessment tool, Retina Network Security Scanner, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Apple Computer Includes CVE Names in Security Advisories
Apple Computer, Inc. has released a security advisory that included a CVE name and candidate number (CAN). An advisory on June 5, 2002 entitled "Security enhancements in Mac OS X 10.1.5," identified CVE-2001-0653 and CAN-2002-0184. In addition, the Security Updates page on the Apple Web site references CANs for other security problems, includes a link to the Get CVE page, and states: "Where possible, CVE [names] are used to reference the vulnerabilities for further information."
To date, more than 300 CANs have appeared in vulnerability advisories from 28 organizations. Including CANs in security advisories ensures the community benefits by having CVE names as soon as the problem is announced.
See Vulnerability Alerts/Announcements for a list of all organizations that have included or are including CANs in their security advisories.
Cert-IST Includes CVE Candidate Numbers in Security Advisories
Computer Emergency Response Team-Industrie Services et Tertiaire (Cert-IST), a CERT organization for France's industrial and services sector, has released security advisories that include CVE candidate numbers (CANs). An advisory on May 30, 2002 provided information about a problem involving CAN-2002-0368, and an advisory on May 28, 2002 provided information about a problem involving CAN-2002-0374, among many others.
See Vulnerability Alerts/Announcements for a list of all organizations that have included or are including CANs in their security advisories.
Cert-IST Makes CVE Compatibility Declaration
Cert-IST has declared that its Cert-IST Security Advisory and Alerts, and its vulnerability database, Cert-IST knowledge base, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Qualys Makes CVE Compatibility Declaration
Qualys has declared that its browser vulnerability assessment tool, Qualys Browser Check, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Application Security, Inc. Makes CVE Compatibility Declaration
Application Security, Inc. has declared that its vulnerability assessment tools, AppDetective for Oracle, AppDetective for MS SQL Server, AppDetective for Sybase, and AppDetective for Lotus Domino, will be CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
N-Stalker Makes CVE Compatibility Declaration
N-Stalker has declared that its vulnerability assessment tool, N-Stealth, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
NSFOCUS Information Technology Co., Ltd. Makes CVE Compatibility Declaration
NSFOCUS Information Technology Co., Ltd. has declared that its vulnerability assessment tool, RSAS, and intrusion detection system, Eye of Ice, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Present Paper at FIRST Conference
Steve Christey, co-creator of CVE and editor of the CVE List, and Robert A. Martin, CVE Compatibility Lead, will present their paper on CVE at the FIRST 14th Annual Computer Security Incident Handling Conference, Kona, Hawaii, USA, scheduled for June 24-28. The paper, entitled "A Progress Report on the CVE Initiative," will be presented on Thursday, June 27th.
Forum of Incident Response and Security Teams (FIRST) is an international association of computer security incident response teams from government, commercial, and academic organizations. FIRST "aims to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing among members and the global community at large."
Visit the CVE Calendar page for information on this and other upcoming events.
E-Soft, Inc. Makes CVE Compatibility Declaration
E-Soft, Inc. has declared that its vulnerability assessment service, SecuritySpace Security Audits, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
esCERT-UPC Makes CVE Compatibility Declaration
esCERT-UPC, the UPC University Computer Emergency Response Team, has declared that its vulnerability alerts database, ALTAIR, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Securesoft, Inc. Makes CVE Compatibility Declaration
Securesoft, Inc. has declared that its network-based intrusion detection system (IDS), TUTAN IDS (formerly SUHOSHIN IDS), is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
INTRINsec Makes CVE Compatibility Declaration
INTRINsec has declared that its vulnerability database, INTRINsec Cit@delle, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
LinuxToday Article Covers Red Hat's Endorsement of the CVE Initiative
Red Hat's promotion of its involvement in and endorsement of the CVE Initiative was the featured topic in an April 11, 2002 article entitled "Red Hat Unveils CVE Security Compatibility" on LinuxToday.com. The article was essentially a reprint of the recent Red Hat news release.
SANS NewsBites Article Endorses Red Hat's Involvement in CVE Initiative
Red Hat's involvement with CVE was endorsed in a brief article entitled "Red Hat To Issue Vulnerability Alerts Using CVE" in the April 17, 2002 issue of SANS NewsBites, an opt-in e-newsletter from the SANS (System Administration, Networking and Security) Institute. The article and endorsement appeared in the Top of the News section in an editor's note by Alan Paller: "This announcement demonstrates security awareness and leadership. Other system vendors may well follow Red Hat's lead. Security vendors, such as ISS and Symantec, already provide CVE references for the vulnerabilities they report. In addition, the new global site security certification process is being based on a consensus list of highest priority vulnerabilities developed using CVE numbers. [A copy of the CVE List that includes] a valuable additional reference list is searchable at http://icat.nist.gov." Alan Paller is a member of the CVE Editorial Board, and the SANS GIAC Security Training materials are listed on the CVE-Compatible Products/Services page.
Red Hat Issues News Release Promoting Its Involvement in CVE Initiative
Red Hat recently issued a news release promoting its involvement and endorsement of the CVE Initiative. In the release, Red Hat announced that Mark Cox, Red Hat's senior director of engineering, had joined the CVE Editorial Board. The release also stated that Red Hat is working to improve accuracy in security reporting.
"One of the greatest strengths of open source development is the ability to harness the efforts of millions of programmers, users and vendors across the industry to quickly change software, including fixing vulnerabilities," said [Red Hat's Mark Cox]. "The CVE dictionary delivers a common language, enabling our customers to spend less time investigating and categorizing security events, reducing risk and any associated impact."
Cox further stated: "We are working with MITRE and the rest of the CVE Editorial Board to contribute and validate new entries that affect Linux and open source projects, as well as publish CVE entries in our security advisories. It is essential that security vulnerabilities get reported accurately so that affected users can make informed decisions."
Red Hat issued a security advisory on February 22, 2002 that included CVE candidate number (CAN) CAN-2001-0869. In addition, Red Hat's Apache Week released a March 22, 2002 security advisory that identified CAN-2002-0061, and a March 1, 2002 advisory that identified CAN-2002-0081. To date, more than 300 CANs have appeared in vulnerability advisories from 26 organizations.
Visit the CVE-Compatible Products/Services page or Vulnerability Alerts/Announcements for more information.
New Editorial Board Member
Mark Cox of Red Hat has joined the Editorial Board.
New Editorial Board Member
Jim Jones of Predictive Systems has joined the Editorial Board.
Red Hat Makes CVE Compatibility Declaration
Red Hat has declared that its Red Hat Security Advisories, and its database of vulnerabilities for the Apache Web server, Apache Week, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Included in NIST Special Publication 800-40 "Procedures for Handling Security Patches"
The USA National Institute of Standards and Technology (NIST) released a draft special publication on April 2, 2002 entitled "Draft NIST Special Publication 800-40, Procedures for Handling Security Patches." The document describes and recommends to U.S. agencies the use of a "systematic, accountable, and documented process for handling security patches and vulnerabilities" and "provides specific advice for obtaining, testing, distributing, and installing security patches." CVE is mentioned throughout and is included as a subtopic in a section on Government Vulnerability Identification Resources.
In that section the authors describe what CVE is and isn't, discuss CVE-compatible products and services, and include a link to the CVE Web site. The authors state the following about CVE: "This emerging industry standard has achieved wide acceptance by the security industry and a number of government organizations." In discussing how CVE compatibility can be used in enterprise security for the handling of security patches, the authors say: " . . . CVE is useful as an authoritative listing of most known vulnerabilities . . . we do recommend using CVE-compatible vulnerability resources monitoring for vulnerabilities."
The document is available for comment on the Draft Publications page of the NIST Computer Security Resource Center (CSRC) Web site. NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-Compatible Products/Services page.
Citadel Technology Makes Compatibility Declaration
Citadel Technology has declared its automated vulnerability remediation product, Hercules, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
FuJian RongJi Software Development Company, Ltd. Makes Compatibility Declaration
FuJian RongJi Software Development Company, Ltd. has declared its vulnerability assessment tool, RJ-iTop Network Vulnerability Scanner System, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Linux Vendors Reference CVE Candidate Numbers in Security Advisories
Four Linux vendors recently referenced CVE candidate numbers (CANs) in their security advisories: Mandrake Linux, EnGarde Secure Linux, Debian, and Caldera. To date, more than 300 CANs have appeared in vulnerability advisories from 26 organizations. Including CANs in security advisories ensures the community benefits by having CVE names as soon as the problem is announced.
Mandrake Linux issued a security advisory on March 13, 2002, "MDKSA-2002:023-1, packages containing zlib," that identified CAN-2002-0059, and a February 7, 2002 advisory, "MDKSA-2002:012, groff update," that identified CAN-2002-0023, among others.
EnGarde Secure Linux issued a security advisory on March 11, 2002, "ESA-20020311-008: Double free() in zlib may lead to buffer overflow," that identified CAN-2002-0059, a March 7, 2002 advisory that identified CAN-2002-0083, and a March 1, 2002 advisory that identified CAN-2002-0081, among others.
Debian issued a security advisory on March 11, 2002, "DSA-122-1 zlib -- malloc error (double free)," that identified CAN-2002-0059, and a February 18, 2002 advisory that identified CAN-2002-0062. The advisories also included direct links to the CANs on the CVE Web site.
Caldera issued a security advisory on February 11, 2002, "CSSA-2001-SCO.36.2, REVISED: Open UNIX, UnixWare 7: wu-ftpd ftpglob() vulnerability," that identified CAN-2001-0550, and a December 10, 2001 advisory, "CSSA-2001-SCO.39, Open UNIX, UnixWare 7: timed does not enforce nulls," that identified CVE-2001-0388, among others.
See Vulnerability Alerts/Announcements for a list of all organizations that have included or are including CANs in their security advisories.
Several Organizations Reference CVE Candidate Numbers in Security Advisories
A number of organizations recently referenced CVE candidate numbers (CANs) or CVE names in their security advisories: NSFOCUS; Sanctum, Inc.; FreeBSD; eEye Digital Security; VIGILANTe.com; Rapid 7; eSecurityOnline; and SecurityFocus.
NSFOCUS (Network Security Focus) issued a security advisory on April 2, 2002, "NSFOCUS Security Advisory (SA2002-01), Sun Solaris Xsun '-co' heap overflow," that identified CAN-2002-0158, a November 15, 2001 advisory that identified CVE-2001-0815, and an August 17, 2001 advisory that identified CVE-2001-0506, among several others. NSFOCUS has been including CANs and CVE names in advisories since a November 23, 2000 advisory identified CVE-2000-0886.
Sanctum, Inc. issued a security advisory on March 21, 2002, "Vulnerability in Apache for Win32 batch file processing - Remote," that identified CAN-2002-0061. The advisory also included a direct link to the CAN on the CVE Web site.
FreeBSD issued a security advisory on March 18, 2002, "FreeBSD-SA-02:18, zlib double-free," that identified CAN-2002-0059, a March 12, 2002 advisory that identified CAN-2001-0869, and a March 7, 2002 advisory that identified CAN-2002-0083.
eEye Digital Security issued a security advisory on March 8, 2002, "D20020308, Windows Shell Overflow," that identified CAN-2002-0070, a December 20, 2001 advisory that identified CAN-2001-0876, and a September 5, 2001 advisory that identified CAN-2001-0669.
VIGILANTe.com issued a security advisory on December 21, 2001, "VIGILANTE-2001003, Atmel SNMP Non Public Community String DoS Vulnerability," that identified CAN-2001-0888, and a November 23, 2001 advisory that identified CAN-2001-0868.
Rapid 7 issued a security advisory on November 30, 2001, "Rapid 7 Advisory R7-0002: Alchemy Eye Remote Unauthenticated," that identified CAN-2001-0870.
eSecurityOnline issued a security advisory on October 29, 2001, "ESO Security Advisory 4198: Sun Solaris cachefsd mount file buffer overflow vulnerability," that identified CAN-2002-0084, an October 29, 2001 advisory that identified CAN-2002-0085, and an October 15, 2001 advisory that identified CAN-2002-0086, among several others. eSecurityOnline has been including CANs in advisories since a March 28, 2000 advisory identified CAN-2002-0089.
SecurityFocus issued a security advisory on August 20, 2001, "*ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary," that identified CAN-2001-0653.
See Vulnerability Alerts/Announcements for a complete list of the participating organizations.
CVE Senior Advisory Council Holds Meeting
The CVE Senior Advisory Council held a meeting on Tuesday, March 26, 2002. Topics included CVE policy issues, status reports on the recent 2,000+ entries and other milestones, CVE-compatible products/services growth and process updates, and the NIST draft recommendation for USA government agencies, "Use of the CVE Vulnerability Naming Scheme Within its Acquired Products and Information Technology Security Procedures."
CVE Exhibits at MISTI's InfoSec World 2002
MITRE hosted a CVE exhibitor booth at MIS Training Institute's (MISTI) InfoSec World Conference and Expo/2002, March 18-19 at Disney's Coronado Springs Resort, Lake Buena Vista, Florida, USA. The conference was successful and introduced CVE and CVE-compatible products and services to a diverse audience of information security professionals from the banking, finance, real estate, insurance, and health care industries, among others.
CVE Presents Briefing at SW Quality Week Europe
CVE Team Member Robert A. Martin presented a briefing on CVE, entitled "Vulnerabilities and Developing for the Net," at SW Quality Week Europe in Brussels, Belgium, on March 11th. The presentation was well received and introduced CVE to an audience of government and industry professionals in the international software development and testing community. Read an abstract of the briefing.
Government Computer News Web Site Notes CVE 2,000+ Entries Milestone
CVE was the featured topic in an April 1, 2002 Government Computer News Web site article about the CVE 2,000+ entries milestone entitled "CVE dictionary contains more than 2,000 entries." In the article the author describes what CVE is, quotes CVE Project Leader Margie Zuk about the significance of the milestone, notes the number of organizations with compatible products and services, and mentions that the list of top 20 Internet security vulnerabilities published by the FBI and SANS Institute includes CVE names. The article also includes a link to the CVE Web site. You may also read the MITRE 2,000+ entries milestone news release.
CVE Achieves 2,000+ Entries Milestone!
CVE has achieved a major milestone of 2,032 official entries with the release of CVE version 20020309. The new version has 432 new CVE entries with another 1,994 candidates currently pending. More information for this new version is available.
CVE began in September 1999 with 321 entries. In an October 1, 1999 article about the launch of CVE entitled "New Dictionary Defines Cyber Threats" in Network World, Steve Northcutt, at the time director of SANS' intrusion detection program, stated: "...when CVE hits the point of 1,000 entries, it will be a powerful tool."
CVE reached 1,000 entries in October 2000, and this new 2,000+ entries milestone is itself powerful evidence of how fully the information security community has embraced the CVE Initiative. As further examples, to date 49 organizations have declared that 75 network security products or services are or will be CVE-compatible, and 21 vendors are including or have included CVE candidate numbers in their security advisories. Read the MITRE news release.
VIGILANTe.com, Inc. Makes CVE Compatibility Declaration
VIGILANTe.com, Inc. has declared that its integrated security suite, SecureScan NX (formerly CYRANO e-Secure and NV e-secure), is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE-Compatible Products/Services at MISTI's InfoSec World Conference and Expo/2002
The following organizations with CVE-compatible products or services will be hosting booths March 18-19 at MIS Training Institute's (MISTI) InfoSec World Conference and Expo/2002: BindView Corporation; Citadel Security Software; Foundstone; Harris Corporation; Internet Security Systems; NetIQ; NFR Security; Recourse Technologies; SAINT Corporation; Sanctum; SecurityFocus; SPI Dynamics; and Symantec. MITRE will also host a CVE booth.
The conference will be held at Disney's Coronado Springs Resort, Lake Buena Vista, Florida, USA and will expose CVE and CVE-compatible products and services to a diverse audience of information security professionals from the banking, finance, real estate, insurance, and health care industries, among others.
Internet Security Services, Inc. Makes CVE Compatibility Declaration
Internet Security Services, Inc. (ISS) has declared that its security management platform, RealSecure SiteProtector 1.0, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Mentioned in Article about Good Vulnerability Management in Information Security Magazine
CVE is mentioned briefly in an article about vulnerability management entitled "FEELING VULNERABLE? If you're bedeviled by swarms of vulnerability alerts, you can take control by practicing good management" in the February 2002 issue of Information Security Magazine. CVE is included in a section entitled "Free Resources," in which the author discusses resources for identifying vulnerabilities in a system and identifies Bugtraq and CVE as "the two major catalogers of security problems."
CVE Included as a 'Standard' in Gartner Market Analysis of IDSs
CVE was mentioned in a section on 'Standards' in a recently released market analysis of IDSs by Gartner entitled "Intrusion Detection Systems (IDSs): Perspective, Note Number DPRO-95367." The document, issued on January 4, 2002, describes what CVE is and isn't, discusses the makeup and role of the CVE Editorial Board, and provides a link to the CVE Web site.
CVE-Compatible Products and Services Increase by 26 in Jan-Feb
The number of new products and services being declared CVE-compatible has increased significantly since the beginning of the year. Since January 1st, 14 new organizations have declared that 16 products or services are or will be CVE-compatible. This includes declarations this week by NetIQ, NetSecure Technology, Recourse Technologies, and Sanctum. In addition, 4 organizations that previously made compatibility declarations (BindView, CERIAS/Purdue University, Inzen, and Symantec) declared this week that an additional 10 products/services are or will be CVE-compatible.
Last year during the same time period, one organization declared one product CVE-compatible.
This significant increase is an indication of the security industry's strong endorsement of CVE-compatibility. In the next few months MITRE will be rolling out a new "CVE Compatibility Process." The new process will include formal evaluations, posting questionnaires citing how organizations have satisfied the compatibility requirements, and a "branding program" with a CVE compatibility logo. Watch for additional information.
NetIQ, Inc. Makes CVE Compatibility Declaration
NetIQ, Inc. has declared that its vulnerability assessment tool, Security Analyzer, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
NetSecure Technology, Inc. Makes CVE Compatibility Declaration
NetSecure Technology, Inc. has declared that its network-based intrusion detection system, NetSpecter, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Recourse Technologies Makes CVE Compatibility Declaration
Recourse Technologies has declared that its threat management solution, ManHunt, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Sanctum Inc. Makes CVE Compatibility Declaration
Sanctum Inc. has declared that its Web application vulnerability assessment tool, AppScan, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
BindView Corporation Makes CVE Compatibility Declaration
BindView Corporation has declared that its open source common vulnerabilities assessment tool, VLAD the Scanner, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CERIAS/Purdue University Makes CVE Compatibility Declaration
CERIAS/Purdue University has declared that its incident report database and management system, CERIAS IRDB, and its profile-based vulnerability database search tool, Cassandra, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Inzen Makes CVE Compatibility Declaration
Inzen has declared that its Windows 2000/NT-based intrusion detection system, NeoGuard@ESM for NT, and host vulnerability assessment tool, NewScanner@ESM for System, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Symantec Makes CVE Compatibility Declaration
Symantec has declared that its network intrusion detection product, Symantec NetProwler v3.5, and its personal firewall/intrusion detection product, Norton Internet Security 2002 Professional Edition, are CVE-compatible. In addition, Symantec has declared that its policy-based security assessment and management product, Symantec Enterprise Security Manager v5.5; its host intrusion detection product, Symantec Intruder Alert v3.6; and its network vulnerability assessment product, Symantec NetRecon v3.5, will be CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Compatibility Requirements Updated as First Stage of New 'CVE Compatibility Process'
MITRE has updated the "Requirements and Recommendations for CVE Compatibility" document in the CVE-Compatible Products/Services section. Although the basic requirements have not changed, they have been refined in a number of areas and the document has been extensively restructured. This update is the first stage in a new and much more extensive CVE compatibility process that MITRE will be rolling out in the next few months, in line with the USA National Institute of Standards and Technology's (NIST) draft recommendation for the usage of CVE-compatible products and services that was issued in January. A major component of the new "CVE Compatibility Process" will be formalized review and evaluation activities. Vendors and other organizations will be required to answer a questionnaire citing specific details of how they have satisfied the compatibility requirements. This formal process will have a "branding program" and logo to indicate compatibility, and the questionnaires will be posted as part of organizations' compatibility declarations. Watch for additional information in the coming months.
New Tool Monitors Changes to the CVE and Candidate Lists
CERIAS/Purdue University has added a new tool to its Cassandra service that monitors changes to the CVE List and the CVE candidates list. This "CVE Change Logs" feature, which is available from the Cassandra Web site, allows you to obtain daily or monthly changes to both lists. The Cassandra incident response database service is listed on the CVE-Compatible Products/Services page, and CERIAS/Purdue University is a member of the CVE Editorial Board.
New Editorial Board Member
Franck Veysset of Intranode has joined the Editorial Board.
New Editorial Board Member
Jimmy Alderson of e-Security, Inc. has joined the Editorial Board.
KaVaDo, Inc. Makes CVE Compatibility Declaration
KaVaDo, Inc. has declared that its vulnerability assessment scanner, ScanDO, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Strongbox Security Inc. Makes CVE Compatibility Declaration
Strongbox Security Inc. has declared that its risk analysis subscription service, Monthly Risk Analysis Service, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Wins Technet Co., Inc. Makes CVE Compatibility Declaration
Wins Technet Co., Inc. has declared that its network-based intrusion detection system, SNIPER, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE to Host Booth at InfoSec World Conference and Expo/2002 March 18-19
MITRE is scheduled to host a CVE exhibitor booth at MIS Training Institute's (MISTI) InfoSec World Conference and Expo/2002, at Disney's Coronado Springs Resort, Lake Buena Vista, FL, March 18-19. The conference will expose CVE to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. In addition, numerous companies with CVE-compatible products/services will be exhibiting.
LinuxWorld Article about Security Advisories Advocates CVE
CVE is mentioned in an article entitled "'Chinese Whisper' security advisories--Before panicking about a security advisory, it's best to go to the source" in the January 21, 2002 issue of LinuxWorld. In this article about inconsistent descriptions of possible vulnerabilities in the security advisories produced by various Linux vendors, the author states that such inconsistencies can cause confusion or, at worst, result in inaccurate information. He concludes by saying that CVE will help with this problem: "If all vendors started attaching CVE [names] to their advisories, then it would be easy for users to work out which issues were being fixed even if the descriptions in each advisory were widely different. Since November [Red Hat has] been working with MITRE to get these descriptions into the Red Hat advisories." The article also provides a link to the CVE Web site.
CVE Sponsors Page Updated for FY02
The Sponsors page in the CVE Senior Advisory Council section has been updated. CVE is funded for FY02 by the Federal Computer Incident Response Center (FedCIRC), which is part of the General Services Administration. FedCIRC is the central coordination and analysis facility dealing with computer security related issues affecting the civilian agencies and departments of the federal government. FedCIRC's incident response and advisory activities bring together elements of the federal government, law enforcement, the intelligence community, academia, and private industry to jointly address threats to components of the nation's critical infrastructure. FedCIRC accomplishes its work in part by encouraging and promoting the development of important security efforts such as the CVE Initiative. Past sponsors of CVE are also listed on the page.
NFR Security Makes CVE Compatibility Declaration
NFR Security has declared that its network intrusion detection system, NFR Network Intrusion Detection (NFR NID), and its host intrusion detection system, NFR Host Intrusion Detection (NFR HID), are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page. NFR Security is also a member of the CVE Editorial Board.
SecureInfo Corporation Makes CVE Compatibility Declaration
SecureInfo Corporation has declared that its vulnerability database and alert system, Total Enterprise Security Service (TESS) Security Vulnerability Tracker (SVT), is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
ArcSight, Inc. Makes CVE Compatibility Declaration
ArcSight, Inc. has declared that its security awareness and incident response service, ArcSight 1.0, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
NIST Releases Draft Recommendation for Usage of CVE-Compatible Products and Services
On January 15, 2002 the USA National Institute of Standards and Technology (NIST) released a draft recommendation for the usage of CVE-compatible products and services. The document is available for comment on the Draft Publications page of the NIST Computer Security Resource Center (CSRC) Web site. All comments must be submitted by February 18, 2002.
The draft recommendation "Use of the CVE Vulnerability Naming Scheme Within its Acquired Products and Information Technology Security Procedures" advises USA agencies about CVE and recommends that agencies give substantial consideration to buying products and services compatible with the CVE naming scheme. The recommendation also advises agencies to periodically monitor their systems for vulnerabilities listed in CVE. Agencies are also advised to use the CVE naming scheme in their communications and descriptions of vulnerabilities.
Comments should be submitted to both Peter Mell and Timothy Grance at peter.mell@nist.gov and timothy.grance@nist.gov. NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-Compatible Products/Services page.
Snort Development Team Makes CVE Compatibility Declaration
Snort Development Team has declared that its intrusion detection system, Snort, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
Shake Communications Pty Ltd Makes CVE Compatibility Declaration
Shake Communications Pty Ltd has declared that its SecuritySearch.Net Vulnerabilities Database is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
China National Computer Software & Technology Service Corporation (CSS) Makes CVE Compatibility Declaration
China National Computer Software & Technology Service Corporation (CSS) has declared that its vulnerability assessment tool, Internet Security Ranger, ISRanger 7.0, and its intrusion detection system, Distributed Intrusion Detection, DIDSystem 7.0, are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products/Services page.
CVE Topic of Discussion with President's Special Advisor on Cyber Security
On December 10th, MITRE's CVE Team presented a briefing that included CVE to Richard Clarke, the President's Special Advisor on Cyber Security, at MITRE's Bedford, Massachusetts location.
CVE Referenced in Article on Information Assurance in Signal Magazine
CVE was referenced as part of a special "Security Solutions" section, in an article entitled "Government Faces Information Security Challenges" in the January 2002 issue of Signal magazine. The article was written by Jim Flyzik, Deputy Assistant Secretary (Information Systems) and CIO for the Department of the Treasury and a member of the CVE Senior Advisory Council, who states: "Several important information assurance efforts have effects across the federal government, and they warrant active attention from the senior executives within the government who are responsible for information assurance. The Common Vulnerabilities and Exposures (CVE) program is one such effort. A constant problem in protecting systems and networks is the proliferation of names for and references to a single vulnerability or attack. The wide range of security products in use can produce a torrent of reports that are incomprehensible without a common lexicon. With the support of the bulk of the commercial product vendors and software companies, CVE provides the necessary 'Rosetta Stone.'" Signal magazine is the Armed Forces Communications and Electronics Association's (AFCEA's) Journal for Communications, Electronics, Intelligence, and Information Systems. The article is not part of the online edition of the magazine.