2001 Industry News Coverage (Archive)

Below is a comprehensive monthly review of the news and other media’s coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

December 2001

Date: 12/2001
Title: The Practical Intrusion Detection Handbook (Book)

Author: Paul E. Proctor
Publisher: Prentice Hall PTR

Excerpt or Summary:
CVE is mentioned in a book by CVE Editorial Board member Paul E. Proctor of CyberSafe. In a chapter entitled "Organizations, Standards, and Government Initiatives," he mentions CVE co-founder Steve Christey and references the origins of CVE, describes what CVE is and isn’t, and states "One of the best things about CVE is its purity. It fills a vital niche..."

November 2001

Date: 11/26/2001
Publication: eWeek

Byline: Cameron Sturdevant
Headline: 5 Steps to Enterprise Security-Step 3: Detection

Excerpt or Summary:
CVE is mentioned in this article about detecting network attacks, in which the author states: "There are myriad resources to help guide IT managers’ detection efforts. Books...and online sources, such as www.cve.mitre.org (the Common Vulnerabilities and Exposures site), provide examples that should get the creative juices flowing in terms of how to track down crackers." CVE is also referenced in the print issue of eWeek as a sidebar to the "5 Steps to Enterprise Security-Step 3: Detection" article. In the sidebar entitled "Heads Up," the author states: "Watch for CVE (Common Vulnerabilities and Exposures) hosted by MITRE Corp. to play a role in regularizing how attacks are reported, thereby making it easier to detect and prevent intrusions." The sidebar is not part of the online version of the article.

Date: 11/2001
Publication: Computer

Byline: Robert A. Martin
Headline: Managing Vulnerabilities in Networked Systems

Excerpt or Summary:
The article in this IEEE Computer Society magazine discusses correcting vulnerabilities and exposures in the commercial software that is used to develop an organization’s infrastructure. The author of the article is CVE Team member Robert A. Martin, who also serves as co-lead for MITRE’s Cyber Resource Center and is a principal engineer in MITRE’s Information Technologies Division. You may read the article by downloading a PDF.

Date: 11/2001
Publication: MITRE Web site

Byline: Robert Roberge and Robert A. Martin
Headline: Project Showcase: Enabling Enterprise Security with CVE

Excerpt or Summary:
This article on the MITRE Web site describes how CVE compatibility enables enterprise security through the use of shared CVE names. The article also discusses how using CVE-compatible products/services improves how an organization responds to security advisories. A graphical representation of a CVE-enabled process is also included.

October 2001

Date: 10/8/2001
Publication: Network World

Byline: Betsy Yocom, Kevin Brown, and Dan Van DerVeer
Headline: Review: Intrusion-detection products grow up

Excerpt or Summary:
CVE is included in the "Features" section of this article in a discussion about the various features of the intrusion detection (IDS) products being reviewed, in which the authors state: "All the products supported a detailed explanation of attacks, including the Common Vulnerability and Exposures [List] of known vulnerabilities..."

August 2001

Date: 8/20/2001
Publication: Network Computing

Byline: Greg Shipley and Patrick Mueller
Headline: Dragon Claws its Way to the Top

Excerpt or Summary:
CVE was included as evaluation criteria in this article, which is a comparison of intrusion detection systems (IDSs). CVE names were used as the basis of evaluation in a table entitled "Network IDS Signature Results," and CVE cross-references were used as a feature for evaluating the IDSs in a table entitled "Network IDS Features".

Date: 8/16/2001
Publication: NIST Computer Security Division Web site

Byline: Rebecca Bace and Peter Mell
Headline: Special Publication 800-31: Intrusion Detection Systems

Excerpt or Summary:
CVE was included in section 7.2.6.1, "Attack Naming Conventions," in which the authors state: "Fortunately, there are efforts underway within the network security community to devise a common nomenclature for computer vulnerabilities and attacks. The most popular of these is the Common Vulnerabilities and Exposures List (CVE) and is maintained by MITRE with input from a variety of security professionals worldwide. Many network security product vendors have agreed to make their products CVE-compatible." The authors also provide a link to the NIST ICAT metabase that is enabled by CVE, and a link to the CVE Web site. ICAT is listed on the CVE-compatible products page, and NIST is a member of the CVE Editorial Board.

Date: 8/13/2001
Publication: Hackers Beware (Book)

Author: Eric Cole
Publisher: New Riders Publishing

Excerpt or Summary:
CVE is mentioned in a new book entitled Hackers Beware, by CVE Editorial Board member Eric Cole of SANS. In the book he describes what CVE is and isn’t, provides the URL to the CVE Web site, and mentions CVE names and candidate numbers when describing specific issues.

Date: 8/8/2001
Publication: Signal

Byline: Clarence A. Robinson, Jr.
Headline: A Powerful Vision

Excerpt or Summary:
CVE is referenced in this cover article about U.S. Space Command’s Joint Task Force-Computer Network Operations unit. In the article the author quotes Colonel Larry Huffman, Director of the Global Network Operation & Security Center (GNOSC) for the Defense Information Systems Agency (DISA) and a member of the CVE Senior Advisory Council, who refers to CVE as "an important information assurance initiative" and then goes on to describe CVE. The author of the article then states: "CVE...helps prevent redundancy and inundating system administrators with vulnerabilities, many of which may be duplications labeled with different names by each of the services." Signal is AFCEA’s Journal for Communications, Electronics, Intelligence, and Information Systems. Armed Forces Communications and Electronics Association (AFCEA) is a national and international association for communications, electronics, intelligence, and information system professionals.

Date: 8/8/2001
Publication: Technology Spotlight, MITRE Web site

Byline: Kay Upham
Headline: Bringing all the pieces together, One manager’s perspective of CVE

Excerpt or Summary:
CVE Project Leader Margie Zuk was profiled in a recent Technology Spotlight article on the MITRE Web site. In the article Margie discusses her role on the CVE Team and the challenges she faces working on CVE.

July 2001

Date: 7/2001
Publication: SC Online Information Security News

Byline: Peter Stephenson
Headline: Web Defacements - An Alarming Trend

Excerpt or Summary:
CVE is mentioned in this article in a section about defacements to Web server software. The author refers to CVE in a discussion about vulnerabilities exploited in the Apache/UNIX, Linux, Microsoft IIS, and Microsoft NT "sites and web server implementations." He also provides a link to the CVE Web site.

Date: 7/2001
Publication: Software Research Inc.’s Quality Techniques Newsletter

Byline: Robert A. Martin
Headline: The Vulnerabilities of Developing on the Net, Part 2

Excerpt or Summary:
This is part 2 of 2. Part 1 was published in the June issue. The paper, which discusses correcting vulnerabilities and exposures in the commercial software that is used to develop an organization’s systems and infrastructure, was written by CVE Team member Robert A. Martin, who also serves as co-lead for MITRE’s Cyber Resource Center and is a principal engineer in MITRE’s Information Technologies Division. You may also read the entire paper online on the CVE Documents page. (Note: A version of this paper was published in the April 2001 issue of Crosstalk magazine, a publication of the U.S. Air Force’s Software Technology Support Center.)

Date: 7/16/2001
Publication: Security Wire Digest

Byline: Lawrence M. Walsh
Headline: Lack of Common Meanings Slows CVE Progress

Excerpt or Summary:
CVE was the main topic of this article, in which the author describes the process of creating CVE names and then explains how CVE has developed an automated engine that sifts through various vulnerability alerts to form a single reference to expedite the distillation process. He further states: "evaluating and recording vulnerabilities is a time-consuming and laborious process ... the real problem is devising criteria that the security community can agree upon for what constitutes a vulnerability." The author quotes CVE co-founder and editor of the CVE List, Steve Christey: "This is the bottleneck we face," Christey says, "Even getting to a point of assigning just a candidate name is difficult." The author then states that while progress in developing CVE is a slow process, "sysadmins say it’s already having a positive effect."

June 2001

Date: 6/2001
Publication: Software Research Inc.’s Quality Techniques Newsletter

Byline: Robert A. Martin
Headline: The Vulnerabilities of Developing on the Net, Part 1

Excerpt or Summary:
This is part 1 of 2. Part 2 will be published in the July issue. The paper, which discusses correcting vulnerabilities and exposures in the commercial software that is used to develop an organization’s systems and infrastructure, was written by CVE Team member Robert A. Martin, who also serves as co-lead for MITRE’s Cyber Resource Center and is a principal engineer in MITRE’s Information Technologies Division. You may also read the entire paper online on the CVE Documents page. (Note: A version of this paper was published in the April 2001 issue of Crosstalk magazine, a publication of the U.S. Air Force’s Software Technology Support Center.)

Date: 6/20/2001
Publication: Network World Fusion Security Newsletter

Byline: M. E. Kabay
Headline: Alerts and Vulnerabilities, Part 2

Excerpt or Summary:
CVE was the featured topic in this article, which was part two of a four-part series. In the article the author discusses what CVE is and is not, provides the CVE definition of a ‘universal vulnerability,’ notes that CVE is free to download or review, and gives a link to the CVE Web site. The article also mentions that CVE enables the National Institute of Standards and Technology’s (NIST) ICAT metabase. ICAT is listed on the CVE-compatible products page, and NIST is a member of the CVE Editorial Board.

Date: 6/11/2001
Publication: eWeek

Byline: Timothy Dyck & Jim Rapoza
Headline: eWEEK Labs recommends: Key security resources

Excerpt or Summary:
CVE is included on a list of twelve Web sites that the authors recommend as "tried-and-true security destinations that every IT pro should bookmark and visit often." The authors describe CVE as "the authoritative list of vulnerability definitions," and provide a link to the CVE Web site.

Date: 6/5/2001
Publication: Network Magazine

Headline: News & Products: STAT Scanner Tests for New Patches

Excerpt or Summary:
CVE was mentioned in this product review about Harris Corporation’s STAT Scanner Professional Edition 4.0. In this brief review the author states: "All STAT Scanner vulnerability checks are mapped to MITRE’s Common Vulnerabilities and Exposures (CVE) dictionary." STAT (Security Test and Analysis Tool) is listed on the CVE-Compatible Products page and Harris Corporation is a member of the CVE Editorial Board.

May 2001

Date: 5/28/2001
Publication: Computerworld

Byline: Vince Tuesday
Headline: SECURITY MANAGER’S JOURNAL

Excerpt or Summary:
CVE was included as one of three links in the This Week’s Links sidebar in the Security Manager’s Journal column. The sidebar included a link to the CVE Web site and described CVE as follows: "The Common Vulnerabilities and Exposures Web site, hosted by The MITRE Corp. in Bedford, Mass., includes a large [list] of publicly known security problems."

Date: 5/24/2001
Publication: ZDNet Business & Technology

Byline: Laura Taylor
Headline: A common language for security vulnerabilities

Excerpt or Summary:
CVE was the featured topic in the Security Opinion column on the ZDNet Web site. The article, which focused on the benefits of CVE for network managers and security administrators, described how CVE can be used as a basis for evaluating the coverage of scanning and intrusion detection tools, discussed candidates and the CVE naming process, listed some CVE-compatible products, and noted that there are 1,510 entries in the current version of the CVE List.

The author also states: "All security vendors should adopt [the CVE] nomenclature. There is no fee for obtaining the CVE List, and in fact you can download the entire list with a click from [the CVE Web site]." The author further states: "The CVE List makes it easier for security vendors to develop intrusion detection and scanning tools. As more IT decision makers understand the meaning of CVE, products with CVE-compatible names will likely receive a better reception on the market."

April 2001

Date: 4/23/2001
Publication: Information Week

Byline: Jason Levitt
Headline: Security: The Enemy Within

Excerpt or Summary:
CVE is included as a reference in this article on network security issues. The article also includes a link to the CVE Web site.

Date: 4/15/2001
Publication: Crosstalk, The Journal of Defense Software Engineering

Byline: Robert A. Martin
Headline: The Vulnerabilities of Developing on the Net

Excerpt or Summary:
The topic of this article, which was written by CVE Team member Robert A. Martin, is correcting vulnerabilities and exposures in the commercial software that is used to develop an organization’s infrastructure and CVE’s part in that process. It was the lead article in this issue, which focused on "The Promise of Web-Based Applications." The paper was also presented at the Thirteenth Annual Software Technology Conference, sponsored by the U.S. Air Force’s Software Technology Support Center, on May 2, 2001, in Salt Lake City, Utah.

Date: 4/2/2001
Publication: Government Computer News

Byline: Patricia Daukantas
Headline: Daily Updates: Web Sites Give Computer Security Advice

Excerpt or Summary:
CVE was noted briefly in this article, which describes three Web sites that can provide security help to federal system administrators. CVE was mentioned in reference to ICAT: "The ICAT Metabase, at icat.nist.gov [see www.gcn.com/vol19_no23/news/2683-1.html] details more than 2,300 known computer and network vulnerabilities, organized by the Common Vulnerabilities and Exposures naming standards developed two years ago by MITRE Corp. of Bedford, Mass." The National Institute of Standards and Technology (NIST) ICAT metabase is listed on the CVE-compatible products page, and NIST is a member of the CVE Editorial Board.

Date: 4/1/2001
Publication: MITRE Web site

Byline: Robert Roberge
Headline: Project Showcase: MITRE’s Technology Transfer Office Q&A with Gerard Eldering

Excerpt or Summary:
CVE is mentioned in this article about technology transfer in a portion of an answer regarding industry standards, in which CVE is referred to as "participation in the development of industry standards that achieves the best possible outcome." The article also includes a description of what CVE is and is not, as well as a link to the CVE Web site.

March 2001

Date: 3/2001
Publication: Software Engineering Notes, Vol. 26, No. 2

Byline: Mark Doernhoefer
Headline: Surfing the Net for Software Engineering Notes: Security-Related Web Sites

Excerpt or Summary:
CVE was included as part of a survey of security-related Web sites in this issue of the Association for Computerized Machinery (ACM) Special Interest Group on Software Engineering (SIGSOFT) newsletter. The article included a description of CVE, the CVE Web site URL, and a screen capture of the main page of the About CVE section of the CVE Web site.

Date: 3/1/2001
Publication: Maintenance Technology

Headline: New Tool for Identifying Software Vulnerabilities

Excerpt or Summary:
The National Institute for Science and Technology has developed ICAT, a searchable index of information on computer vulnerabilities that uses the standard CVE naming scheme. ICAT gives users summaries of the vulnerabilities and links to public databases on the Internet that will provide detailed information and patches to make software more secure.

February 2001

Date: 2/7/2001
Publication: The Edge

Byline: Pete Tasker and Margie Zuk
Headline: CVE Continues to Grow

Excerpt or Summary:
This article is included in the most recent issue of MITRE’s The Edge magazine, the featured topic of which is information assurance. The article is an overview of CVE milestones and highlights of the past year, and also includes a hot link to the CVE Web site.

Date: 2/1/2001
Publication: The Richmond Journal of Law & Technology

Byline: Susan Brenner
Headline: State Cybercrime Legislation in the United States of America: A Survey

Excerpt or Summary:
CVE is cited as a reference in this article in "The Richmond Journal of Law & Technology," Volume VII, Issue 3, Winter 2001. The reference includes a brief description of CVE and also provides a link to the CVE Web site.

January 2001

Date: 1/17/2001
Publication: CNET Builder.com

Byline: Wayne Cunningham
Headline: Hiding Security Vulnerabilities

Excerpt or Summary:
CVE is mentioned briefly in this article, which is primarily a review of IT-ISAC (Information Technology Information Sharing and Analysis Center). As part of his review, the author states "There’s certainly nothing wrong with sharing information to protect systems. The SecurityFocus and Common Vulnerabilities and Exposures sites are just two examples of resources administrators can use to patch holes." The article also includes a hot link to the CVE Web site.

Date: 1/8/2001
Publication: Network Computing

Byline: Jeff Forristal and Greg Shipley
Headline: Vulnerability Assessment Scanners

Excerpt or Summary:
This article involves a comparison of vulnerability scanners. The authors include a "scanner features" matrix with "CVE cross-references" as a featured part of the comparison. Five of the eight products included in the comparison have CVE cross-references, meaning they can be used in conjunction with other CVE-compatible products for better security coverage and improved interoperability. Other vendors not listed in the comparison have also made declarations of CVE compatibility. In addition, the article references CVE as a means of navigating through the numbers game: "MITRE Corporation’s CVE (Common Vulnerabilities and Exposures) project is attempting to bring some method to the madness by enumerating and classifying known vulnerabilities. This could help bring some objectivity into the picture..."

Date: 1/1/2001
Publication: Computerworld

Byline: Deborah Radcliff
Headline: IT Agenda 2001: Pick Your Security Officer’s Brain

Excerpt or Summary:
In a section of this article entitled, "Get Involved in Standards," the author quotes Jerry Dixon, director of information security at Marriott International Inc., Bethesda, MD, who says he’s "heartened to see not only vendors but also the security community at large start to pass standards that will simplify some of the complexities faced by IT security leaders. For example, he points to the Common Vulnerabilities and Exposures (CVE), an indexing system for vulnerabilities and threats that was started last year by Bedford, Mass.-based MITRE Corp." In a direct quote, Dixon says, "[CVE] effectively created a national standard on communicating different types of vulnerabilities and exposures so that all agencies — commercial vendors, alert publications and newsgroups — are speaking the same language. This now allows security teams to effectively communicate exploits or findings with one another."

Page Last Updated or Reviewed: December 15, 2017