|
|
ThreatGuard, Inc.
http://www.ThreatGuard.com
ThreatGuard Traveler
http://www.ThreatGuard.com
Provide a short description of how and where your capability is made available to your customers and the public (required):
Recognizing the importance of common indexing of known vulnerabilities, ThreatGuard has included CVE references in ThreatGuard. These references are seamlessly integrated with the ThreatGuard Navigator client application, reports, and search engine. As we release new vulnerability tests, it is among ThreatGuard's top priorities to ensure CVE referencing is included and accurate, extending the efforts of the CVE initiative.
Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):
The ThreatGuard Navigator client application shows the most recent CVE version used in the "About" screen. This is accessed from the main Navigator menu bar.
Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):
With a certified CVE-Compatible product in ThreatGuard, ThreatGuard will receive email notifications from MITRE within an hour of changes to the CVE database. These notification messages will be automatically parsed and compared to our database of vulnerability plug-in tests to determine which ones need to be updated. Our plug-in development team then receives notification of changes that need to be made. Once the required updates are applied, compiled, and tested, ThreatGuard stages the new plug-in versions for distribution to all ThreatGuard appliances.
Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):
ThreatGuard's vulnerability test development team will receive notification of CVE version changes as described above. Within a day the changes will be fully prepared and staged for distribution. Within 12 hours of staging, every active ThreatGuard appliance with Internet access will download and install the updates for immediate reference.
Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):
From APPENDIX C of the ThreatGuard User's Manual:
C1: About CVE
CVE is a list of names for vulnerabilities and security issues that have been standardized for common reference across disparate products and databases. Mitre, a non-profit organization, launched the CVE project in 1999 to standardize the names for publicly known vulnerabilities. Using a common name makes it easier to share data and integrate across a wide variety of resources. CVE references allow the user to quickly and accurately access additional information to attain more insight into the problem and suggested remediation steps. In short, CVE integration allows the CSA/CM System to interoperate with a world of security resources.
The content of CVE is a result of a collaborative effort of the CVE Editorial Board (https://cve.mitre.org/board/index.html). The Editorial Board includes representatives from numerous security-related organizations such as security tool vendors, academic institutions, and government as well as other prominent security experts. The MITRE Corporation maintains the CVE definitions and moderates Editorial Board discussions. CVE is funded by the U.S. Department of Homeland Security.
C2: CVE-compatibility
"CVE-compatible" means that a tool, Web site, database, or service uses CVE names in a way that allows it to cross-link with other repositories that also use CVE names. CVE-compatible products must meet four primary requirements:
- Searchability: A user can search using a CVE number to find related information.
- References in Output: Information is presented which includes the related CVE number(s).
- Mapping: The vendor has made a good faith effort to ensure accuracy in assigning CVE numbers to enclosed references.
- Documentation: The vendor's standard documentation includes a description of the significance of CVE and details on how to leverage CVE-related functionality of its product.
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):
From APPENDIX C of the ThreatGuard User's Manual:
C3: Finding Vulnerabilities by CVE Number
Figure C3: Searching by CVE NumberThe ThreatGuard Navigator allows you to search for vulnerabilities by CVE number. The bottom, left-hand corner of the main window has a Search pane as shown at the top of Figure C3. Adjust the search parameter to "CVE Number", type in the CVE reference of interest and click the Search button. The Search Results window (also shown in Figure C3) is displayed, holding the title, description, and solution for the vulnerability, as well as all related hosts.
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):
From APPENDIX C of the ThreatGuard User's Manual:
C4: Finding CVE References in GUI Elements
As a universal vulnerability assessor, ThreatGuard includes many different types of vulnerability references. While most high-profile vulnerabilities can be cross-referenced to multiple sources, many fail to be covered by all. The ThreatGuard Vulnerability Test Development Team makes every attempt to include all public industry references such that the user can view them with the Vulnerability Details window. This window is launched by double-clicking on any vulnerability in the Navigator GUI, including the Search Results window of Figure C3 (shown above).
Figure C4: Vulnerability DetailsFigure C4 shows the Vulnerability Details window for the Microsoft DCOM array of vulnerabilities. References to multiple sources are listed in the bottom portion of the window, including Bugtraq ID (Security Focus), CERT (The Computer Emergency Response Team located at the Software Engineering Institute and operated by Carnegie Mellon University), CVE, and Vendor (in this example Microsoft Advisory Bulletins are referenced). Other references may be listed as available and multiple references to the same source is not uncommon. In this case, four (4) CVE references are related to the vulnerability.
C5: Finding CVE References in Reports
Figure C5 provides an example of how ThreatGuard reports embed CVE numbers. This excerpt from the Host Detail report provides details of a specific vulnerability. The References section lists all related CVE numbers as well as references to other sources such as Security Focus, the US-CERT, and vendor references. Similarly, the Formal Report includes an appendix of all vulnerabilities found in the scope of the test. That appendix includes the same vulnerability information as shown in C5.
If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):
Our documentation does not include an index. Our User Guide does include a Table of Contents that lists "Appendix C: Common Vulnerabilities and Exposures" along with the page number.
If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):
All candidate CVE references are displayed with the appropriate "CAN-" prefix, indicating they have not yet been accepted by the CVE Editorial Board. Section C3 of Appendix C of the ThreatGuard User's Manual explains the difference between a candidate and an approved entry.
If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):
Section C3 of Appendix C of the ThreatGuard User's Manual briefly explains that "CAN-" entries are considered candidates while "CVE-" entries have been accepted by the CVE Editorial Board.
If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):
Section C3 of the Appendix C describes how ThreatGuard updates candidates to entries and describes how these changes are communicated to the user base:On a bi-weekly basis, ThreatGuard reviews the CVE database looking for candidate entries which have been accepted by the Editorial Board and upgraded to CVE status. When this occurs, a new plug-in version will be created by ThreatGuard and downloaded by ThreatGuard. Historical records of this action can be referenced through the system Message Center.
If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):
Excerpt from Section C3 of Appendix C:
To remove the need to guess the status of a CVE entry, the user may omit the prefix and type only the 'YYYY-NNNN' portion of the CVE Names. Entering "2003-0715" would have produced the same results as "CAN-2003-0715", while "CVE-2003-0715" would generate no results. If the user submits a search string that returns multiple CVE Numbers, the Combo Box and the "Showing Results" arrows at the bottom of the window permit navigation through all matching entries.
If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's support for retrieving the CVE entry for a candidate that is no longer a candidate (recommended):
Our application's User Manual describes the methods to search for CVE entries. This includes a means to search for the YYYY-NNNN portion of the CVE name which allows a user to retrieve "CAN" and "CVE" matches.
If CVE candidates are supported or used, explain where and how you tell your users how up-to-date your candidate information is (recommended):
The About item under the ThreatGuard Navigator Help menu provides CVE database version information.
Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):
The search capability shown in Figure C3 (above) illustrates how a user can search for CVE names.
Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):
Each vulnerability reference in the Host Detail Report includes references to associated CVE Numbers. An example can be seen in Figure C5 (above). The Formal Report provides details of all included vulnerabilities in an appendix. These details include CVE numbers in the same manner as the Host Detail Report.
Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (recommended):
The search capability shown in Figure C3 (above) illustrates how a user can search for CVE names. By entering a "C" as the search text, a list of all plug-ins associated with a CAN- or CVE- name is produced.
Provide a description of how the tool notifies the user that task associated to a selected CVE name cannot be performed (recommended):
This is handled in the Search tool described in Section C3 of the CSA/CM System User's Manual. If a user searches for a CVE number that doesn't have a matching plug-in the search tool returns no results. If the user searches for a CVE number that matches a plug-in but does not have a matching vulnerable host, the results screen indicates there are no matching vulnerable hosts (therefore there is no action for the user to take).
Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):
Where applicable, CVE names are included with each vulnerability check that ThreatGuard performs. These CVE names are included with each mention of the associated vulnerability in our system. For example, when viewing a hosts security posture in the Host Risk Manager tool, the reference tab lists any CVE name associated with a vulnerability. As mentioned earlier, a user can also use the search tool to enter a full CVE name or parts of a CVE name to generate a list of all vulnerabilities that match that CVE name. The user can view the details of the vulnerability and view all hosts for which the vulnerability was found. CVE names are also included in vulnerability-centric reports including the detailed Formal report and Host Detail reports.
Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):
All vulnerability-centric reports include references for each vulnerability discovered, including CVE names. The use of this feature and an example of a report are included in Appendix C of our user guide (see attachment).
Please provide the name and version number of any product that the service allows users to have direct access to if that product identifies security elements (recommended):
ThreatGuard Database version 2.0.3 and newer
ThreatGuard Navigator Client Application version 2.3.0 and newer
Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):
ThreatGuard does not provide a web-based online capability. It is a network appliance that is accessed from a Java client application. The user can use this client application to query the system for CVE names and generate details of associated security tests in the system as well as a list of any hosts on which those vulnerabilities have been discovered by ThreatGuard. ThreatGuard and our partners sell these appliances to customers to operate on their networks. We do not provide a web-based security portal for users to refer back to. Where appropriate, we provide URLs within our vulnerability problem, solution, and references that point to any external resources (like the location where the user can go to download a particular patch).It is important to note that the ThreatGuard appliance does include a SOAP interface. This permits authenticated applications to perform various queries against the database. Currently, the SOAP service provides access to reports, target information, and a search capability. This capability provides a way for external resources to query for a CVE name or part of a name. The results include the details of all vulnerabilities that match the CVE name (or portion of the name) and any hosts on which the vulnerability was discovered.
Provide a detailed description of how someone can use your "URL template" to interface to your capability's search function (recommended):
Examples:
As mentioned above, we do not provide web-based access to the vulnerability database on the ThreatGuard appliances. Communications are handled via a secure connection between our Java client and the ThreatGuard appliance and through our SOAP interface.http://www.example.com/cgi-bin/db-search.cgi?cvename=CVE-YYYY-NNNN
http://www.example.com/cve/CVE-YYYY-NNNN.html
If the URL template is for a CGI program, does it support the HTTP "GET" method? (recommended):
Communications are handled via a secure connection between our Java client and the ThreatGuard appliance and through our SOAP interface. An HTTP GET method is not supported.
Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report (required):
Where applicable, our reports include CVE name references with each instance of a vulnerability. An example of this is included in our user guide appendix C (see attachment). While we do not provide a web-based online capability, we do include a Java-based client application and a SOAP interface to access this information.
If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CVE name(s), otherwise enter N/A (required):
As previously mentioned, we provide a variety of ways for a user to see the mapping between vulnerabilities and CVE names. Methods include reports, search tool, Host Risk Manager, and the SOAP interface.
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):
All reports can be rendered in both PDF and HTML formats. Both options provide a means to search the document for arbitrary text, including CVE names.
If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):
ThreatGuard reports include the long title of the vulnerability, severity level, problem description, solution description, and applicable references (including CVE name). An example of this is included appendix C of our user guide.
Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):
An example of this is included in Appendix C of our user guide.
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):
The ThreatGuard Navigator has a search tool that includes a "search by CVE number". This allows a user to search for a full or partial CVE name. Appendix C of our user guide has an explanation of how the ThreatGuard Navigator search tool can be used to search for CVE names.
Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):
Each of the ThreatGuard vulnerability tests includes a set of references. These references can be Bugtraq ID, CVE Name, CIAC code, or something that is vendor specific such as a web site or online security bulletin. Please see the attached Figure C5 (above) for details on how these references are displayed in the GUI and in reports.
Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):
The GUI and SOAP interfaces provide access to detailed reports that include CVE references. Our report viewer allows the user to export the contents of the report into CSV and other formats. As previously mentioned, ThreatGuard provides a SOAP interface that supports queries for CVE names and returns associated vulnerability details in a SOAP document.
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Robert L. Hollis
Title: Director of Product Development
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."
Name: Robert L. Hollis
Title: Director of Product Development
FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):
"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."
Name: Robert L. Hollis
Title: Director of Product Development