Name of Your Organization:

McAfee, Inc. (formerly Foundstone, Inc.)

Web Site:

http://www.mcafee.com

Compatible Capability:

McAfee Foundstone Appliances (formerly Foundstone Enterprise Risk Solutions)

Capability home page:

http://www.mcafee.com/us/mcafeesecure/products/vulnerability-assessment.html
General Capability Questions

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Foundstone Enterprise Risk Solutions users have access to CVE entries during the scan configuration and reporting phases. In each, the CVE mapping is presented with the vulnerability description and detail.
Mapping Questions

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

Foundstone Enterprise Risk Solutions monitors new and changed CVE entries via the CVE mailing list and changelog rather than merging the complete CVE database into the Foundstone Enterprise Risk Solutions VulnDB each time there is a CVE version update. Therefore it does not indicate a version number based on the CVE database.

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

Foundstone has dedicated Threat Intelligence staff members whose sole duty is to maintain the accuracy of the Foundstone Enterprise Risk Solutions vulnerability database which includes tracking the proper CVE entry for each vulnerability. The staff will monitor both the CVE mailing list and change log located at https://cassandra.cerias.purdue.edu/CVE_changes/ Updates are issued on a weekly basis as new vulnerability checks are rolled.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

Foundstone Enterprise Risk Solutions releases new vulnerabilities in a regular weekly cycle, this release also contains updates to the Foundstone Enterprise Risk Solutions VulnDB when appropriate (i.e. a CAN to CVE promotion).
Documentation Questions

7) CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

The Foundstone Enterprise Risk Solutions web portal online help contains a page describing CVE and Foundstone Enterprise Risk Solutions' CVE compatibility. It is indexed under the following terms within the help file:

  • Associating CVE Names with Vulnerabilities Common
  • Vulnerabilities and Exposures
  • CVE
  • Exposures
  • Finding CVE Names
  • Vulnerabilities
  • Vulnerability Checklist

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

Directions are included within the online help file, indexed under the following terms in addition to "CVE":
  • Common Vulnerabilities and Exposures
  • Vulnerabilities by IP Report
  • Vulnerability Details Report
  • Windows Vulnerability Details Report

The following text appears in the help file:
CVE - Common Vulnerabilities and Exposures
As various vulnerabilities appear in new products and technologies, several organizations track them, categorize them, and publish information about them. One of the best-known lists of vulnerabilities is the federally-funded CVE dictionary, maintained by the Mitre Corporation.
The CVE dictionary lists a name for each known vulnerability, and it gives each one a unique identification number. By providing common names and identifiers in a dynamic world of constantly growing technology, CVE provides the means of using multiple security tools and references as you find and fix vulnerabilities.

Using CVE with Foundstone Enterprise Risk Solutions
Foundstone Enterprise Risk Solutions supports the standardization of vulnerability information by using CVE names and numbers throughout its database. You can search for this information in the Foundstone Enterprise Risk Solutions reports and by reviewing the Vulnerability Checklist. If you ever need more information about a specific vulnerability, you can look up the CVE number at https://cve.mitre.org.
To view the vulnerability checklist
Edit or view a scan configuration.
To do this, click SCANS > EDIT/NEW and click Edit or View.
In the Jump To dropdown box, select Vulnerability Checks.
To find the CVE name associated with a vulnerability
In the Search by dropdown box, choose Name.
In the text box, enter part of the vulnerability name you want to find.
Click Search.
If a CVE entry exists, Foundstone Enterprise Risk Solutions shows the entry name, CVE link and vulnerability description.
To find a vulnerability by CVE Name
In the Search by dropdown box, choose CVE Number.
In the text box, enter part of the number you want to find.
Click Search.
If a CVE entry exists, Foundstone Enterprise Risk Solutions shows the entry name, CVE link and vulnerability description.

About CVE Candidates
New vulnerabilities that have not yet received a CVE number are known as candidates, and are also referenced in the CVE database. Their identification numbers begin with the letters CAN to differentiate them from CVE vulnerabilities. The number assigned to the candidate is a combination of the current year (4 digits – YYYY) and an index number (also 4 digits – NNNN). If the candidate becomes a CVE, the letters CAN are replaced by CVE.
Sample Candidate ID: CAN-1999-0455 (Allaire ColdFusion openfile.cfm File Upload)
Sample CVE ID: CVE-2001-0455 (Cisco Aironet 340 Series WLAN AP Web Administration Access)
How candidates become full CVE entries
Foundstone subscribes to Mitre Corporation's email list for CVE updates. This allows Foundstone to be aware of any CVE candidates that have been upgraded to CVE entries. Using this list and by adding newly developed vulnerability checks, Foundstone keeps the Foundstone Enterprise Risk Solutions database up-to-date. Foundstone customers receive the updated database along and vulnerability checks on a regular basis, ensuring timely, accurate information.
Identifying CVE names in Foundstone Enterprise Risk Solutions Reports
CVE names and links to the CVE Database appear in The Foundstone Enterprise Risk Solutions Vulnerability Details Report.
To open the Vulnerability Details Report
Click RESULTS > REPORTS.
Select Vulnerability from the Navigate drop-down box.
Under the section that shows the Risk Level and Vulnerability Names, click any Vulnerability Name to open the detailed report.
This report shows each vulnerability, provides a list of affected machines, descriptions and observations regarding the vulnerability, a recommendation on fixing the vulnerability, and a CVE name and link. Click the CVE link to get more information regarding the vulnerability from the CVE dictionary.

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

Directions are included within the online help file, indexed under the following terms in addition to "CVE":

  • Common Vulnerabilities and Exposures
  • Vulnerabilities by IP Report
  • Vulnerability Details Report
  • Windows Vulnerability Details Report

To view the vulnerability checklist
Edit or view a scan configuration.
To do this, click SCANS > EDIT/NEW and click Edit or View.
In the Jump To dropdown box, select Vulnerability Checks.
To find the CVE name associated with a vulnerability
In the Search by dropdown box, choose Name.
In the text box, enter part of the vulnerability name you want to find.
Click Search.
If a CVE entry exists, Foundstone Enterprise Risk Solutions shows the entry name, CVE link and vulnerability description.
To find a vulnerability by CVE Name
In the Search by dropdown box, choose CVE Number.
In the text box, enter part of the number you want to find.
Click Search.
If a CVE entry exists, Foundstone Enterprise Risk Solutions shows the entry name, CVE link and vulnerability description.

10) Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

CVE information is available via the online help in the Foundstone Enterprise Risk Solutions web portal, and indexed by the following terms:

  • Common Vulnerabilities and Exposures
  • Vulnerabilities by IP Report
  • Vulnerability Details Report
  • Windows Vulnerability Details Report
Candidate Support Questions

11) Candidates Versus Entries Indication <CR_6.1>

If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):

About CVE Candidates

New vulnerabilities that have not yet received a CVE number are known as candidates, and are also referenced in the CVE database. Their identification numbers begin with the letters CAN to differentiate them from CVE vulnerabilities. The number assigned to the candidate is a combination of the current year (4 digits – YYYY) and an index number (also 4 digits – NNNN). If the candidate becomes a CVE, the letters CAN are replaced by CVE.

Sample Candidate ID: CAN-1999-0455 (Allaire ColdFusion openfile.cfm File Upload)

Sample CVE ID: CVE-2001-0455 (Cisco Aironet 340 Series WLAN AP Web Administration Access)

12) Candidates Versus Entries Explanation <CR_6.2>

If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):

The online help file contains the following definition to explain a CVE candidate to the user:

How candidates become full CVE entries

Foundstone subscribes to Mitre Corporation's email list for CVE updates. This allows Foundstone to be aware of any CVE candidates that have been upgraded to CVE entries. Using this list and by adding newly developed vulnerability checks, Foundstone keeps the Foundstone Enterprise Risk Solutions database up-to-date. Foundstone customers receive the updated database along and vulnerability checks on a regular basis, ensuring timely, accurate information.

13) Candidate to Entry Promotion <CR_6.3>

If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):

Foundstone Threat Intelligence staff members will update the entries of CVE candidates that become full CVE entries as a matter of weekly database maintenance that occurs with each FSL check release. This explanation is located in the online help file.

14) Candidate and Entry Search Support <CR_6.4>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):

This functionality is documented in the Foundstone Enterprise Risk Solutions web portal online help.

To view the vulnerability checklist
Edit or view a scan configuration.
To do this, click SCANS > EDIT/NEW and click Edit or View.
In the Jump To dropdown box, select Vulnerability Checks.
To find the CVE name associated with a vulnerability
In the Search by dropdown box, choose Name.
In the text box, enter part of the vulnerability name you want to find.
Click Search.
If a CVE entry exists, Foundstone Enterprise Risk Solutions shows the entry name, CVE link and vulnerability description.
To find a vulnerability by CVE Name
In the Search by dropdown box, choose CVE Number.
In the text box, enter part of the number you want to find.
Click Search.
If a CVE entry exists, Foundstone Enterprise Risk Solutions shows the entry name, CVE link and vulnerability description.

16) Candidate Mapping Currency Indication <CR_6.6>

If CVE candidates are supported or used, explain where and how you tell your users how up-to-date your candidate information is (recommended):

Foundstone provides documentation regarding this in the online help system:

"Foundstone subscribes to Mitre Corporation's email list for CVE updates. This allows Foundstone to be aware of any CVE candidates that have been upgraded to CVE entries. Using this list and by adding newly developed vulnerability checks, Foundstone keeps the Foundstone Enterprise Risk Solutions database up-to-date. Foundstone customers receive the updated database along and vulnerability checks on a regular basis, ensuring timely, accurate information."

Type-Specific Capability Questions

Tool Questions

17) Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

To find a vulnerability by CVE Name or Number:

To view the vulnerability checklist
Edit or view a scan configuration.
To do this, click SCANS > EDIT/NEW and click Edit or View.
In the Jump To dropdown box, select Vulnerability Checks.
To find the CVE name associated with a vulnerability
In the Search by dropdown box, choose Name.
In the text box, enter part of the vulnerability name you want to find.
Click Search.
If a CVE entry exists, Foundstone Enterprise Risk Solutions shows the entry name, CVE link and vulnerability description.
To find a vulnerability by CVE Name
In the Search by dropdown box, choose CVE Number.
In the text box, enter part of the number you want to find.
Click Search.
If a CVE entry exists, Foundstone Enterprise Risk Solutions shows the entry name, CVE link and vulnerability description.

18) Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

Identifying CVE names in Foundstone Enterprise Risk Solutions Reports
CVE names and links to the CVE Database appear in The Foundstone Enterprise Risk Solutions Vulnerability Details Report.
To open the Vulnerability Details Report
Click RESULTS > REPORTS.
Select Vulnerability from the Navigate drop-down box.
Under the section that shows the Risk Level and Vulnerability Names, click any Vulnerability Name to open the detailed report.
This report shows each vulnerability, provides a list of affected machines, descriptions and observations regarding the vulnerability, a recommendation on fixing the vulnerability, and a CVE name and link. Click the CVE link to get more information regarding the vulnerability from the CVE dictionary.

19) Getting a List of CVE Names Associated with Tasks <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (recommended):

Foundstone Enterprise Risk Solutions has no feature that directly performs this function, however many customers have used
Microsoft's SQL DTS utility to export vulnerability data into an easier to manage format like CSV or XLS.

Using the following SQL query and Microsoft's SQL DTS utility (located at: Start\Programs\Microsoft SQL
Server\Import and Export Data) users can export the data into any format or destination that is supported by
DTS.

"SELECT [FaultlineID], [CVE], [Name], [Description] FROM [Faultline].[dbo].[Vulns]"

Media Questions

31) Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

Identifying CVE names in Foundstone Enterprise Risk Solutions Reports CVE names and links to the CVE Database appear in Foundstone Enterprise Risk Solutions' Vulnerability Details Report.

To open the Vulnerability Details Report

  1. Click Reports, and View Reports.
  2. Select Vulnerability from the Navigate dropdown box.
  3. Under the section that shows the Risk Level and Vulnerability Names, click any Vulnerability Name to open the details report.

This report shows each vulnerability, provides a list of affected machines, descriptions and observations regarding the vulnerability, a recommendation on fixing the vulnerability, and a CVE name and link. Click the CVE link to get more information regarding the vulnerability from the CVE dictionary.

32) Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

Identifying CVE names in Foundstone Enterprise Risk Solutions Reports CVE names and links to the CVE Database appear in Foundstone Enterprise Risk Solutions' Vulnerability Details Report.

To open the Vulnerability Details Report

  1. Click Reports, and View Reports.
  2. Select Vulnerability from the Navigate dropdown box.
  3. Under the section that shows the Risk Level and Vulnerability Names, click any Vulnerability Name to open the details report.

This report shows each vulnerability, provides a list of affected machines, descriptions and observations regarding the vulnerability, a recommendation on fixing the vulnerability, and a CVE name and link. Click the CVE link to get more information regarding the vulnerability from the CVE dictionary.

33) Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

Identifying CVE names in Foundstone Enterprise Risk Solutions Reports CVE names and links to the CVE Database appear in Foundstone Enterprise Risk Solutions' Vulnerability Details Report.

To open the Vulnerability Details Report

  1. Click Reports, and View Reports.
  2. Select Vulnerability from the Navigate dropdown box.
  3. Under the section that shows the Risk Level and Vulnerability Names, click any Vulnerability Name to open the details report.

This report shows each vulnerability, provides a list of affected machines, descriptions and observations regarding the vulnerability, a recommendation on fixing the vulnerability, and a CVE name and link. Click the CVE link to get more information regarding the vulnerability from the CVE dictionary.

Graphical User Interface (GUI)

34) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

Foundstone Enterprise Risk Solutions users may search for individual CVE entries using the Vulnerability Check selection search engine (as described above) or they may also sort the vulnerability list tree on CVE and CAN prefixes by year. This makes it easy to select vulnerabilities by their entry date.

35) GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

CVE names are listed for individual security elements in the Vulnerability Checklist.

36) GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

Foundstone Enterprise Risk Solutions offers XML output format support for reporting and also stores its vulnerability data in a Microsoft SQL database. This database can be queried for vulnerability description information and exported to any format supported by the MS data export function (i.e. XLS, CSV, XML).
Questions for Signature

37) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: David Cole

Title: Director of Product Management

39) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: David Cole

Title: Director of Product Management

Page Last Updated or Reviewed: September 08, 2017