|
|
Harris Corporation
http://www.stat.harris.com
STAT® Scanner
http://www.stat.harris.com/solutions/vuln_assess/scanner_index.asp
Provide a short description of how and where your capability is made available to your customers and the public (required):
After customers have purchased STAT Scanner, they are directed to the secure Harris Customer Premier web site: https://premier.harris.com/stat/. They are emailed a product serial number and registration key, and a login and password for the secure premier site. Once they have logged in, they can download STAT Scanner and/or STAT Scanner vulnerability updates.
Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):
The CVE Version information is displayed in the CVE Lookup dialog. The CVE Lookup can be invoked by clicking on the CVE icon or by selecting "CVE Lookup" in the Help menu. See Figure 1.0 below. Current CVE Version number is 20030402.
Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):
The STAT Scanner security engineering team updates vulnerabilities, including CVE numbers, multiple times during the month. An email is sent to all STAT Scanner users to notify them of a new update. Also, if the latest update is not installed on their machine, users are prompted upon starting STAT Scanner to get the latest update from the Harris Customer Premier web site.
Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):
STAT Scanner is updated frequently during the month to include product enhancements and vulnerability updates (including CVE updates). An email is sent to all STAT Scanner users to notify them of a new update. Also, if the latest update is not installed on their machine, users are prompted upon starting STAT Scanner to get the latest update from the Harris Customer Premier web site.
Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):
The CVE description is located at the bottom of the CVE Lookup dialog. See Figure 1.0 above. Also page 70 of the STAT Scanner Users Guide (included in the Help portion of the product) and a pdf on the Harris Customer Premier site https://premier.harris.com/stat/downloads.asp?cat=82 describe the CVE lookup function.
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):
The user can sort on the CVE column on the STAT Scanner main display. See Figure 2.0 below. To see more information pertaining to the CVE vulnerability, the user can click on the vulnerability and detailed information will appear. This includes a link to the MITRE web site. See Figure 3.0 below. The STAT Scanner Users Guide, page 32 and page 34, explain the CVE column displaying and sorting. The STAT Scanner Users Guide is included in the product as online Help and is located on the web site for download at https://premier.harris.com/stat/downloads.asp?cat=82.
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):
The user can sort on the CVE column on the STAT Scanner main display. See Figure 2.0 above. To see more information pertaining to the CVE vulnerability, the user can click on the vulnerability and detailed information will appear. This includes a link to the MITRE web site. See Figure 3.0 above. The STAT Scanner Users Guide, page 32 and page 34 explain the CVE column displaying and sorting. The STAT Scanner Users Guide is included in the product as online Help and is located on the web site for download at https://premier.harris.com/stat/downloads.asp?cat=82.
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):
STAT Scanner provides a CVE Lookup function. The CVE Lookup can be invoked by clicking on the CVE icon or by selecting "CVE Lookup..." in the Help menu. See Figure 1.0 above. CVE items are not posted on our web site.
If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):
The CVE candidates are indicated by the prefix "CAN"
If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):
The following explanation is located at the bottom of the CVE Lookup dialog window.
"CVE 'candidates' are those vulnerabilities under consideration for acceptance into CVE. The candidate number is converted into a CVE name by replacing the 'CAN' with CVE, e.g., CAN-1999-0067 is converted to CVE-1999-0067. The assignment of a candidate number is not a guarantee that it will become an official CVE entry."
See Figure 1.0 above.
If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):
The updating of candidates to CVE are just part of the normal vulnerability update process.
If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):
The user can invoke the CVE Lookup function and search for "CAN-yyyy-nnnn" or "CVE-yyyy-nnnn" or just the number "yyyy-nnnn". See Figure 1.0 above.
If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's support for retrieving the CVE entry for a candidate that is no longer a candidate (recommended):
There is no indication that a CVE candidate has changed to an official CVE other than the "CAN" notation changes to "CVE."
If CVE candidates are supported or used, explain where and how you tell your users how up-to-date your candidate information is (recommended):
No special CVE update is needed. The CVE's are updated as part of the STAT Scanner vulnerability update which occurs frequently during the month.
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):
The user can sort on the CVE column on the STAT Scanner main display. See Figure 2.0 above. To see more information pertaining to the CVE vulnerability, the user can click on the vulnerability and detailed information will appear. This includes a link to the MITRE web site. See Figure 3.0 above.
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):
STAT Scanner provides the CVE number in the Executive Summary Report (see Figure 4.0 below), the Vulnerability Summary Report (see Figure 5.0 below), the Detail Vulnerability report (see Figure 6.0 below) and the Screen Shot report (see Figure 7.0 below).
Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (recommended):
The STAT Scanner Screen Shot report (see Figure 7.0 above) and the Executive Summary Report (see Figure 4.0 above) provides a list of all CVE numbers and associated vulnerabilities.
Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CVE names (recommended):
The user can select the "Configurations" drop down menu, then "Edit Configuration File ...". When the configuration file dialog box appears, the user should select "CVE.dat" as seen in the Figure 8.0 below to just select a configuration file that contains CVE vulnerabilities. The user can choose to run the scan with all the CVE vulnerabilities or edit this file to create a subset of CVE vulnerabilities. Simply use the bottom scroll bar of the Selected Checks and scroll to the right to sort and view the CVE vulnerabilities as show in the figure below.
Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):
The user can select the "Configurations" drop down menu, then "Edit Configuration File ...". When the configuration file dialog box appears, the user should select "CVE.dat" as seen in the Figure 8.0 below to just select a configuration file that contains CVE vulnerabilities. The user can choose to run the scan with all the CVE vulnerabilities or edit this file to create a subset of CVE vulnerabilities. Simply use the bottom scroll bar of the Selected Checks and scroll to the right to sort and view the CVE vulnerabilities as show in the figure below.
Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):
STAT Scanner allows the user to select a configuration file (or coverage map) before running the scan. A configuration file that just tests CVE's is included in the product. It is named "CVE.dat". See Figure 8.0 and Figure 9.0 below to view the vulnerabilities in this file.
Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):
STAT Scanner provides the CVE number in the Executive Summary Report (see Figure 4.0 above), the Vulnerability Summary Report (see Figure 5.0 above), the Detail Vulnerability report (see Figure 6.0 above) and the Screen Shot report (see Figure 7.0 above).
Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):
The CVE Lookup can be invoked by clicking on the CVE icon or by selecting "CVE Lookup..." in the Help menu. The user can invoke the CVE Lookup function and search for "CAN-yyyy-nnnn" or "CVE-yyyy-nnnn" or just the number "yyyy-nnnn". See Figure 1.0 above.
If the URL template is for a CGI program, does it support the HTTP "GET" method? (recommended):
NO
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):
The CVE Lookup can be invoked by clicking on the CVE icon or by selecting "CVE Lookup..." in the Help menu. The user can invoke the CVE Lookup function and search for "CAN-yyyy-nnnn" or "CVE-yyyy-nnnn" or just the number "yyyy-nnnn". See Figure 1.0 above.
Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):
The user can sort on the CVE column on the STAT Scanner main display by simply clicking on the column header. See Figure 2.0 above. To see more information pertaining to the CVE vulnerability, the user can click on the vulnerability and detailed information will appear. This includes a link to the MITRE web site. See Figure 3.0 above.
Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):
STAT Scanner uses Crystal Reports Version 8.5 to create vulnerability reports. The reports which contain CVE-related data, can be exported to pdf, HTML, XML, Excel, Word, and any other format that Crystal Reports support.
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Sandra P. Terry
Title: STAT Scanner Product Manager
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."
Name: William (Bill) Wall
Title: STAT Security Engineer
FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):
"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."
Name: William (Bill) Wall
Title: STAT Security Engineer