Name of Your Organization:

Secunia

Web Site:

http://secunia.com

Compatible Capability:

VIM

Capability home page:

http://secunia.com/products/corporate/VIM
General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

The CVE capability is available on our public website, our on-line customer solutions, our server editions, and the local authenticated vulnerability scanning applications.

Mapping Questions

Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

The Secunia database is updated continuously (daily) with CVE information. This is reflected in the documentation for the various products.

Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (required):

CVE is monitored continuously and as an integrated part of our vulnerability intelligence gathering. Verification of mapping accuracy is a daily and continuous process.

Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CVE content (required):

This is stated in the product documentation, but given the continuous and integrated CVE matching process customers will rarely see a delay exceeding 1 business day.

Map Content Selection Criteria <CR_5.4>

Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):

The description and the references listed in every CVE entry are compared with our own references and description. If there isn’t a sufficient match we will compare the information of third party sources and use that or contact CVE for further discussion.

Map Currency Update Mechanism <CR_5.4>

Describe the mechanism used for reviewing CVE for content changes (required):

The CVE database is downloaded daily and all changes from the previous version are manually reviewed.

Map Content Source <CR_5.5>

Describe the source of your CVE content (required):

We always take the content directly from cve.mitre.org

Documentation Questions

CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

In Secunia VIM product documentation under Support->Manual and FAQ. There is CVE documentation in section 8.2 and section 10 of the manual. There is also an entry on CVE Compatibility in the FAQ. There is also a section on CVE under Vulnerability Database » About Secunia Advisories.

Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability’s repository (required):

Under Vulnerability Database » Search, the introductory text indicates that a user can do a general search (which includes search by CVE), as well as directing users to the advanced search where they can specifically search by only CVE.

Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability’s repository (required):

This information is contained in the same documentation as described in question 9), and is together with all the CVE information and instructions.

Type-Specific Capability Questions

Tool Questions

Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

Under Vulnerability Database » Search, the user has the option of entering a search string which will search a variety of fields, including CVE IDs. All of, for example, CVE-2009-3793, 2009-3793, and (the old format) CAN-2009-3793 would be valid search strings. Alternatively, the user can click on advanced search and search only by the CVE ID.

Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

Any advisory report from either the VIM or the website is supported by a Secunia Advisory. Every Secunia Advisory contains all relevant CVE references where applicable. You can view an example Secunia Advisory at http://secunia.com/advisories/42151/ and scroll down to find the list of pertinent CVEs. All advisory reports have this general format.

Getting a List of CVE Names Associated with Tasks <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool’s tasks (recommended):

Any security advisory that is found/shown as the result of any of the tool’s tasks will contain a list of relevant CVE references associated with the advisory.

Selecting Tasks with a List of CVE Names <CR_A.2.5>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CVE names (recommended):

Given a set of CVE Identifiers, a user can use the search function to find relevant Secunia Advisories associated with the given CVE names. In addition, a VIM user can further associate these advisories / CVEs with affected devices / asset lists pertinent to their systems.

Selecting Tasks Using Individual CVE Names <CR_A.2.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):

Users can search for CVE names and find relevant Secunia Advisories using the search functions as explained above. This in turn can lead to selecting and deselecting tasks.

Non-Support Notification for a Requested CVE Name <CR_A.2.7>

Provide a description of how the tool notifies the user that task associated to a selected CVE name cannot be performed (recommended):

If no matching CVE reference is found for a given search, the search simply returns no results, indicating that the CVE name was not matched to anything in the database.

Service Questions

Service Coverage Determination Using CVE Names <CR_A.3.1>

Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):

A user can search for a CVE name and find all related security elements (advisories) for that name in the database.

Finding CVE Names in Service Reports Using Elements <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):

Every advisory report has a clear text list of all related CVE references. Further, each CVE listed is also a clickable link directing the user to the specific page for that CVE at Secunia’s own CVE archive. You can view a sample advisory report at: http://secunia.com/advisories/42151/

Online Capability Questions

Finding Online Capability Tasks Using CVE Names <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):

A search function, as discussed above, is available that allows a user to search the database for any advisory listing a given CVE as relevant.

Online Capability Interface Template Usage <CR_A.4.1.1>

Provide a detailed description of how someone can use your "URL template" to interface to your capability’s search function (recommended):

When a customer is logged in to the customer support area, they can use the following template to search for a given CVE:
https://ca.secunia.com/vim30/?action=vdbSearch&searchTerm=CVE-YYYY-NNNN

Online Capability CGI GET Method Support <CR_A.4.1.2>

If the URL template is for a CGI program, does it support the HTTP "GET" method? (recommended):

YES

Finding CVE Names Using Online Capability Elements <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report. (required):

Each security element (advisory report) includes a list of associated CVE references, if they exist. Thus, a clear mapping is provided between each security element and its related CVEs. Any Secunia Advisory Report (such as http://secunia.com/advisories/42151/) serves as an example of this.

Aggregation Capability Questions

Finding Elements Using CVE Names <CR_A.5.1>

Give detailed examples and explanations of how a user can associated elements in the capability by looking for their associated CVE name (required):

The search functionality in each product, as discussed above, allows a user to search for any CVE identifier and get back search results consisting of all associated security elements (advisory reports) related to the CVE.

Finding CVE Names Using Elements in Reports <CR_A.5.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the capability allows the user to determine the associated CVE names for the individual security elements in the report (required):

CVE names are included directly in the Secunia Advisories.

Getting a List of CVE Names Associated with Tasks <CR_A.5.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the capability’s tasks (recommended):

CVE names are included directly in the Secunia Advisories.

Selecting Tasks with a List of CVE Names <CR_A.5.5>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CVE names (recommended):

A user with a list of CVE names can manually search the advisory database for each CVE name. For each, they will get a list of advisories with the given CVE listed as a reference.

Selecting Tasks Using Individual CVE Names <CR_A.5.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the capability by using individual CVE names (recommended):

The user can search for CVE names and find relevant Secunia Advisories. This can in turn lead to selecting and deselecting tasks.

Media Questions

Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

All document formats are commonly available and searchable — they include HTML and PDF.

Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

Relevant CVE names are included in all Secunia Advisories where they exist.
For example: http://secunia.com/advisories/42151/

Graphical User Interface (GUI)

Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CVE name(s) (required):

This is the same search function previously discussed for both products. Searching for CVE names is supported via a graphical text-area and "search" button.

GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability’s elements, also describe the format of the mapping (required):

Relevant CVE names are included in all Secunia Advisories where they exist.
For example: http://secunia.com/advisories/42151/

GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

Advisories can be viewed as either HTML or PDF, both of which are searchable with standard viewers. CVE related data is included in these advisories. Further, the CVE names in the HTML format can be clicked to be directed to Secunia’s own CVE archive, which also includes a link to the the original page at cve.mitre.org.

Questions for Signature

Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Thomas Kristensen

Title: Chief Security Officer, Secunia

Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability’s Repository and the CVE entries our capability identifies."

Name: Thomas Kristensen

Title: Chief Security Officer, Secunia

Page Last Updated or Reviewed: August 10, 2017