2003 Industry News Coverage (Archive)

Below is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

Date: 12/2003
Publication: Information Security Managers Handbook, 5th Edition (Book)

Author: Harold F Tipton and Micki Krause
Publisher: Auerbach Publications

Excerpt or Summary:
Chapter 70 of this book is entitled "A Progress Report on the CVE Initiative." It was written by Steven M. Christey, co-creator and editor of the CVE List; Robert A. Martin, CVE compatibility lead; and David W. Baker, CVE team member. A version of the information provided in this chapter is included on the CVE Documents page.

Date: 12/30/2003
Publication: PC Magazine

Byline: Matthew D. Sarrel
Headline: "Network Security: Know Your Weaknesses"

Excerpt or Summary:
CVE was included in this article about network vulnerability assessment in which the author also reviews six vulnerability scanners. Of these, CVE is noted as a product feature in the review text of four of them: GFI LANguard Network Security Scanner 3.3, Retina Network Security Scanner, Nessus Scanner, and Security Analyzer 5.0.

In the Nessus review, the author provides a link to the CVE Web site: "Links to the Common Vulnerabilities and Exposures (CVE) dictionary (https://cve.mitre.org), which lists known vulnerabilities . . . are also provided . . ." Though not mentioned in the article, another of the scanners being reviewed, SAINT 5, also checks for CVE names.

The article includes a Summary of Features chart in which CVE is included as a feature under the reporting category: "Reports include data for Bugtraq/CVE." Five of these six scanners under review are noted as including CVE names.

In a Performance Analysis section, the article noted that PC Labs checked for a number of CVE candidates during their testing of the scanners under review, including: CAN-2003-0715, CAN-2003-0528, and CAN-2003-0605; CAN-2003-0660; CAN-2003-0682, CAN-2003-0693, and CAN-2003-0695; CAN 1999-0554; and CAN-2002-0400.

Finally, five of the six scanners reviewed—GFI LANguard Network Security Scanner 3.3, Nessus Scanner, Retina Network Security Scanner, SAINT 5, and Security Analyzer 5.0—are listed on the CVE-Compatible Products and Services page.

Date: 12/24/2003
Publication: Ziff Davis Channel Zone

Byline: Joel Shore
Headline: "PredatorWatch Prowls for Network Integrators"

Excerpt or Summary:
CVE was included in this article about PredatorWatch Auditor. In a section entitled "Proving Full Compliance," the author states: "That's the idea behind PredatorWatch. Updated daily with a government-sponsored standardized dictionary of vulnerabilities, PredatorWatch generates reports documenting compliance, or areas that need to be looked at. Rather than staffing up to compile its own list of vulnerabilities, PredatorWatch leverages Common Vulnerabilities and Exposures (CVE), a standardized dictionary of known threats. Maintained by MITRE Corp. under a government contract, the CVE dictionary is sold as a subscription [by PredatorWatch], allowing the PredatorWatch Auditor device to automatically update itself daily. The raw CVE dictionary is [free and remains] in the public domain." The author then goes on to describe how PredatorWatch administers and charges for its CVE updates subscription service.

PredatorWatch, Inc. and PredatorWatch Auditor are listed on the CVE-Compatible Products and Services page.

Date: 12/5/2003
Publication: eWeek

Byline: Brian Fonseca
Headline: "Oracle Issues High-Severity Vulnerability Warning"

Excerpt or Summary:
CVE was mentioned in this article in which the main topic was "a high severity security alert warning of Secure Sockets Layer (SSL) vulnerabilities that will require the immediate attention of managers to apply patch fixes on at-risk systems." The reference to CVE occurred in the second paragraph in which the author states: "According to an Oracle Security Alert issued on Thursday, the notification addresses SSL vulnerabilities detailed in CERT Advisory CA-2003-26 and SSL vulnerabilities detailed in several older Common Vulnerabilities and Exposures (CVE) Candidates."

Date: 12/4/2003
Publication: Government Computer News

Byline: William Jackson
Headline: "Look it up: A common language for vulnerabilities"

Excerpt or Summary:
CVE was mentioned in this article in which the main topic is MITRE's Open Vulnerability Assessment Language (OVAL) effort. The article quotes CVE Compatibility Lead Robert A. Martin: "[OVAL is] how you describe the test conditions for vulnerabilities [on the CVE List]." Martin goes on to say that OVAL is the next step in standardizing vulnerability management.

CVE, which plays a large part in OVAL as all OVAL queries are based on CVE names, is mentioned throughout the article. The author describes the creation of CVE in 1999, mentions the information security community component of the CVE Editorial Board, mentions that CVE is funded by the Department of Homeland Security, and describes CVE Compatibility noting that "Both the National Institute of Standards and Technology and the Defense Department recommend that agencies give preference to CVE-compatible products" and "To date, 143 computer security products or services from 96 organizations are compatible with the scheme, using CVE designations to identify vulnerabilities." The author also includes the current number of entries on the CVE List: "[CVE] now contains about 2,572 entries, with another 3,832 under evaluation."

The author concludes the article with the following statement about OVAL: "Although testing and scanning tools are becoming common for discovering vulnerabilities in computer systems, there are no standards for these tasks. OVAL will provide standards so that automating vulnerability management can be more effective, Martin said. It will define the attributes needed to find vulnerabilities in a system, to prioritize them and fix them."

Date: 11/25/2003
Publication: SearchSecurity.com

Byline: Mike Chapple
Headline: "Vulnerability scanning with Nessus"

Excerpt or Summary:
CVE was mentioned in a November 25, 2003 article on the SecuritySearch.com Web site entitled "Vulnerability scanning with Nessus." In this "Network Security Tip" article, the author discusses vulnerability scanning with Nessus Security Scanner and states: "This free tool offers a surprisingly robust feature set and is widely supported among the information security community. It doesn't take long between the discovery of a new vulnerability and the posting of an updated script for Nessus to detect it. In fact, Nessus takes advantage of the Common Vulnerabilities and Exposures architecture that facilitates easy cross-linking between compliant security tools." The article also includes a link to the CVE Web site and another direct link to the CVE-Compatible Products and Services section.

Nessus Project is a member of the CVE Editorial Board, and Nessus Security Scanner is listed on the CVE-Compatible Products and Services page.

Date: 11/24/2003
Publication: MarketWire

Headline: Press Release: "PredatorWatch, Inc. Announces Auditor(TM) Release 2.1"

Excerpt or Summary:
CVE was mentioned twice in a November 24, 2003 press release by PredatorWatch, Inc. The first mention was in the first paragraph: "The PredatorWatch Auditor version 2.0 was the first to detect common vulnerabilities and exposures (CVEs) in Microsoft Windows Server 2003, the new Microsoft Wireless Router, and other mission critical platforms." The second mention is in the second paragraph of the press release, in which access to the CVE List through the CVE Web site is included as one of the product's main features: "[Auditor 2.1] has been enhanced and is now delivered in a . . . Linux-based security auditing appliance. Including . . . built-in access to MITRE's CVE search engine . . ."

PredatorWatch, Inc. and PredatorWatch Auditor are listed on the CVE-Compatible Products and Services page.

Date: 11/2003
Publication: OVAL White Paper

Byline: Matthew Wojcik, Tiffany Bergeron, Todd Wittbold, and Robert Roberge
Headline: "OVAL: A New Language to Determine the Presence of Software Vulnerabilities"

Excerpt or Summary:
This white paper white paper discusses the role CVE plays in the OVAL effort and the importance of OVAL's CVE compatibility. OVAL is Open Vulnerability Assessment Language, an effort by MITRE and the international information security community to standardize the way in which vulnerabilities are identified on computer systems. OVAL—which supports Windows, UNIX, and Linux—uses Structured Query Language (SQL) queries to identify the vulnerabilities on systems. XML is also supported for tool developers. All OVAL queries are based on the CVE List; for each CVE entry, there are one or more OVAL queries.

The white paper explains what OVAL is and how OVAL improves vulnerability assessment. Also discussed are an OVAL-enabled process; the OVAL Board of industry, academia, and government organizations; OVAL's broad industry participation via the OVAL Community Forum; the community-developed OVAL Schema; the process for creating OVAL queries; a technical discussion about the Reference Query Interpreter and how other implementations and uses of OVAL are actively encouraged; the value of OVAL's CVE compatibility; MITRE's role; and a summary of OVAL benefits.

Many of the organizations participating in OVAL effort are also involved in CVE. The white paper is available from the Documents page on the OVAL Web site.

Date: 10/24/2003
Publication: eWeek

Byline: Larry Seltzer
Headline: "All The Threat Information You Want, And Then Some"

Excerpt or Summary:
CVE was mentioned in this article about Symantec, Inc.'s DeepSight Alert Services, a configurable Web-based interface that keeps users "informed on vulnerabilities in excruciating detail," and its Threat Management Services, which provides "a series of reports and statistics on threats worldwide that are collected from a large network of honey pots and other monitoring systems." The author notes that a CVE name is one of the five ways in which the DeepSight Alert Service provides information on vulnerabilities. Each alert includes: "a CVE code for those who track vulnerabilities that way". The alerts also include: a SecurityFocus BugTraq ID; the original publication dates of the alert and the last update date; whether the vulnerability is remote and/or local; and a classification of the type of bug it is (e.g., a "Boundary Condition Error").

Symantec, Inc. is a member of the CVE Editorial Board, and seven Symantec products are listed on the CVE-Compatible Products and Services page.

Date: 10/2003
Publication: NIST Special Publications

Byline: Timothy Grance, Marc Stevens, and Marissa Myers
Headline: "SP 800-36: Guide to Selecting Information Security Products"

Excerpt or Summary:
CVE was included as one of the methods vulnerability scanning tools should use to identify vulnerabilities in the "Vulnerability Scanner Product Characteristics" section of this National Institute of Standards and Technology (NIST) report. According to the authors, scanning tools should use a combination of methods to identify vulnerabilities and that those methods will "vary from product to product and are also dependent on whether host or network scanning is being performed and on the operating system of the target. "CVE is included as number seven: "Whenever applicable, the tool should report the CVE number for each identified vulnerability." CVE is also mentioned in a footnote: "ICAT is a search engine for an industry standard set of known vulnerabilities (https://cve.mitre.org) containing links to vulnerability and patch information."

NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-Compatible Products and Services page.

Date: 10/2003
Publication: NIST Special Publications

Byline: John Wack, Miles Tracy, and Murugiah Souppaya
Headline: "SP 800-42: Guideline on Network Security Testing" (NOTE: SP 800-42 was replaced by NIST Special Publication 800-11: Technical Guide to Information Security Testing and Assessment in 2008.)

Excerpt or Summary:
CVE is mentioned twice in the "Security Testing Techniques" section of this National Institute of Standards and Technology (NIST) report. Both mentions are brief and in footnotes. In the first, the author's state: "NIST maintains a database of vulnerability and related patch information at http://icat.nist.gov. This database uses the Common Vulnerabilities and Exposures (CVE) vulnerability identification scheme in use by other databases and vendors." The second mention is a list of URLs: "Some popular vulnerability databases include: http://icat.nist.gov/icat.cfm, https://cve.mitre.org/, http://www.securityfocus.com/."

NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-Compatible Products and Services page.

Date: 9/24/2003
Publication: Network Magazine

Byline: Andrew Conry-Murray
Headline: "Vulnerability Assessment Tools Find New Uses"

Excerpt or Summary:
CVE was mentioned in this article which focuses on what the authors considers three recent trends in the vulnerability assessment tools market that "affect the way vulnerability data is acquired and used." These three trends are: (1) vulnerability assessment as a managed service; (2) vulnerability data being drafted in such a way as to help make intrusion detection systems (IDSs) smarter; and, (3) new tools "that perform passive vulnerability assessment [to] address some of the current shortcomings of active scanners and provide a new source of information for managing risk."

CVE was mentioned in two instances in the article in a section about IDSs, in which the author states that an "IDS can go beyond detecting attack traffic and determine if the target is susceptible by consulting vulnerability data." The first mention of CVE is when the author discusses products by Qualys, Inc.: "In July 2003, Qualys announced QuIDScor, a software module that ties vulnerability data from its QualysGuard VA service with Snort, the popular open-source IDS. A correlation engine in QuIDScor accepts raw alerts from Snort and runs them against QualysGuard's vulnerability database using Common Vulnerabilities and Exposures (CVE) identifiers."

The second mention of CVE involves a discussion about Tenable Network Security's Lightning Console, which "lets users manage multiple Nessus [vulnerability scanning] engines to scan large networks. It automates scanning activities such as scheduling, and helps track scan results and manage remediation of discovered vulnerabilities." "Using CVE and BugTraq ID numbers, the console can match IDS events with targets that have the corresponding vulnerabilities."

The Nessus Project is a member of the CVE Editorial Board, and both the Nessus Project's Nessus Security Scanner and Qualys Inc.'s QualysGuard Intranet Scanner are listed on the CVE-Compatible Products/Services page.

Date: 9/12/2003
Publication: Network Computing's Security Pipeline

Byline: Mike Janowski, Tom Oele, and Greg Shipley
Headline: "Too Much Information"

Excerpt or Summary:
CVE was mentioned in this article about the amount of data generated by security information management (SIM) tools, and the need for correlating that data. The authors state: "We found that the holy grail of correlation and data reduction is taking into account assets, attacks, target operating system knowledge and, ideally, vulnerability information." "Unfortunately, most SIM vendors aren't at this level yet . . . New vulnerabilities are coming out at a rate of 50 to 100 per month, resulting in hundreds of new device-specific IDS [intrusion detection system] signatures and vulnerability checks. Add the need for each correlation solution to support dozens of IDS and vulnerability-assessment (VA) products, and you have a nightmarish maintenance-and-update process for SIM vendors." CVE is mentioned immediately following this discussion: "Although vulnerability dictionaries, such as CVE (Common Vulnerabilities and Exposures), attempt to create some common methods of correlating products, our own investigation of signature sets and vulnerability checks showed a 60 percent crossover rate in best-case scenarios, below 30 percent in others. Doing it "by hand" is still the only accurate mapping method we know of."

Date: 9/11/2003
Publication: Computerworld

Byline: Brett Oliphant
Headline: "How to Minimize the Threat"

Excerpt or Summary:
CVE was mentioned twice in this opinion article about how enterprises must address the constantly evolving types of attacks on their networks. The first mention is when the author notes that intrusion detection system (IDS)/intrusion-prevention system (IPS) technologies "are generally able to spot attacks by common vulnerabilities and exposures, or CVE, identifying that they see on a network . . . "

The second mention of CVE is when the author discusses how "Vendors must create ways to integrate systems, share information intelligently to better defend against blended threats, reduce management and cost requirements, and automate IDS/IPS configuration and tuning along with vulnerability identification and remediation functionalities." The author mentions CVE when he talks about one of the three benefits of such integration: "Cross-referencing of the threat's identifier with the target's configuration: The CVE [name] or other identifier and the destination IP address are fed into the logic engine where it cross-references the threat with the machine's software and security configuration profiles. These profiles consist of the targeted machine's operating system and applications by file versions, patches by hashes and security policy configurations." The other two benefits of integration are "elimination of nearly all false positives and negatives" and "remediation of the vulnerability remotely."

Date: 9/5/2003
Publication: InfoWorld

Byline: Victor R. Garza and Joseph L. Roth
Headline: "No-frills security scanning"

Excerpt or Summary:
CVE was included as feature of both products in this product review of Internet Security Systems's (ISS) Internet Scanner and the Nessus Project's Nessus Scanner. In the review, the authors' state: "the scanning engines of Internet Scanner and Nessus were accurate, with verifiable reporting and links to MITRE's CVE (Common Vulnerabilities and Exposures) List." The review also included a link to the CVE Web site.

Both Internet Security Systems and the Nessus Project are members of the CVE Editorial Board, and ISS Internet Scanner and Nessus Scanner are listed on the CVE-Compatible Products and Services page.

Date: 8/2003
Publication: MITRE Digest

Byline: Robert Roberge
Headline: "OVAL: A New Language to Determine the Presence of Software Vulnerabilities"

Excerpt or Summary:
CVE was mentioned in this article about MITRE's Open Vulnerability Assessment Language (OVAL) effort. The article describes what OVAL is and explains how OVAL improves vulnerability assessment for organizations. The article discusses the official, community-developed OVAL Schema, OVAL queries, the part CVE plays, and the community-involvement and community-endorsement aspect of the OVAL effort via the OVAL Board and the OVAL Community Forum.

OVAL which supports Windows, UNIX, and Linux uses Structured Query Language (SQL) queries to identify the vulnerabilities on systems. Called OVAL queries, each query is based on the vulnerabilities and exposures identified on the CVE List. For each CVE entry or candidate, there are one or more OVAL queries. Many of the organizations participating in OVAL effort are also involved in CVE.

Date: 7/1/2003
Publication: TechWorld.com

Byline: Kieren McCarthy
Headline: "X-Force blasts computer monsters: Catastrophic Risk Index a new tool in network security"

Excerpt or Summary:
CVE was referred to as the "industry norm" for vulnerability names in this article, which is a discussion of in Internet Security Systems' X-Force Catastrophic Risk Index. The author makes the reference to CVE in a section about what information is included in the index: "Each vulnerability comes with an ISS reference number, the risk name, a brief description and the industry-norm CVE (Common Vulnerabilities and Exposures) and CAN (candidate vulnerability) numbers. Hypertext links connect to full information about the vulnerability and how to deal with it."

Date: 7/2003
Publication: Information Security Magazine

Byline: Mathew Schwartz
Headline: "Vulnerable Discussion: New group aims to establish a responsible disclosure standard"

Excerpt or Summary:
Steve Christey, co-creator and Editor of the CVE List, was quoted in this article about the Organization for Internet Safety's (OIS) guidelines for responsible vulnerability disclosure, which according to the article recommends that "Vendors should respond to vulnerability researchers within seven days of a flaw being reported and come up with a fix within a month. And bug-hunters need to hold off telling the world what they found during that 30-day window." Christey is quoted regarding two potential sticking points of the OIS effort as noted in the article: (1) how much time should the vendor take to fix something, and (2) how much detail for instance, published exploit code, should there be made public. Of these two issues, Christey points out: "There are widely varying opinions on how to address this sort of process." The author concludes the article by stating that OIS will incorporate public comments in a final version that will be presented at the Black Hat Briefings conference in Las Vegas, Nevada, USA at the end of July 2003. A photo of Christey in his CVE jersey is also included.

Date: 6/23/2003
Publication: Ziff Davis Security Supersite

Byline: Larry Seltzer
Headline: "A Dictionary For Vulnerabilities"

Excerpt or Summary:
CVE was the main topic of this article, which discussed the difference between a bug and a vulnerability; explained CVE, CVE entries, and CVE candidates (CANs); and mentioned the purpose of the CVE Editorial Board. The main focus of the article was CVE timeliness issues and how long it takes for a CAN to become an official CVE entry. The article also included multiple links to the CVE Web site.

Date: 6/18/2003
Publication: SearchSecurity.com

Byline: Robert L. Scheier
Headline: "Vulnerability assessment: Leave the scanning to someone else?"

Excerpt or Summary:
CVE was mentioned briefly in this article about vulnerability assessment in a discussion about a "proposed Application Vulnerability Description Language . . . managed by the Organization for the Advancement of Structured Information Standards [that will] work with the existing CVE (Common Vulnerabilities and Exposures) list of common names for security threats that allows intrusion-detection products to more easily share information."

Date: 6/9/2003
Publication: Federal Computer Week

Byline: Vincil Bishop and Earl Greer
Headline: "Vulnerability scanning: It's all about control"

Excerpt or Summary:
CVE was recommended as a deciding factor in choosing vulnerability scanning tools in a product review of Qualys Inc.'s QualysGuard Intranet Scanner, which was compared to Nessus Security Scanner from The Nessus Project. According to the authors, "A vulnerability scanner is the best tool for ensuring that all of your users are following security policies and applying all the patches."

The authors mention CVE as part of the product review: "Both QualysGuard and Nessus arrange reports by the industry-standard list of Common Vulnerabilities and Exposures (see www.cve.mitre.org for more information)." The authors then go on to make the following statement: "We recommend against buying any product that does not comply with [the CVE] standard."

The Nessus Project is a member of the CVE Editorial Board, and both the Nessus Project's Nessus Security Scanner and Qualys Inc.'s QualysGuard Intranet Scanner are listed on the CVE-Compatible Products/Services page.

Date: 6/9/2003
Publication: Security Wire Digest, Vol. 5, No. 43

Headline: "Can Vulnerability Disclosers Agree?"

Excerpt or Summary:
This article included a quote by Steve Christey, co-creator and editor of the CVE List. The focus of the article is the draft responsible disclosure guidelines by The Organization for Internet Safety (OIS) entitled "Security Vulnerability Reporting and Response Process," which was made available for public comment on the OIS Web site.

Christey states: "There are widely varying opinions on how to address this sort of process." The author then notes that Christey thinks that if professional researchers do adopt the OIS responsible disclosure guidelines, " . . . others will follow by example."

The OIS responsible vulnerability disclosure document is described in the article as follows: "Among the 37-page report's guidelines: vendors acknowledge receipt of a report within seven days, then update status with the vulnerability reporter every seven days; list clear contact information on vendor Web sites for reporting vulnerabilities; and vendors vigilantly monitor several email addresses (such as support) for submissions. The report also recommends 30 days from first notification as a reasonable starting point for all parties to agree upon before public disclosure. It offers that length of time as a way to balance the vulnerability's risk with the challenge of engineering a remedy." The document is available for review and comment at http://www.oisafety.org until July 4, 2003.

Date: 6/2003
Publication: NIST Intragency Reports

Byline: Peter Mell, Vincent Hu, Richard Lippmann, Josh Haines, and Marc Zissman
Headline: "NIST IR: Testing Intrusion Detection Systems"

Excerpt or Summary:
CVE is mentioned in a section of this National Institute of Standards and Technology (NIST) report that focused on those measurements that can be made on intrusion detection systems (IDSs) that are "quantitative and that relate to detection accuracy." Specifically, CVE is mentioned with regard to "This disparity concerning the proper level of granularity for viewing attacks makes it difficult to count the number of attacks that an IDS detects and to compare the coverage of multiple IDSs."

The authors state: "This problem is somewhat alleviated by the Common Vulnerabilities and Exposures (CVE), which is a standard list of virtually all known vulnerabilities [2]. However, the CVE approach does not solve this problem when multiple attacks are used to exploit the same vulnerability using different approaches to evade IDS systems. To address this issue, the CVE standards group has started a project to name attacks, but this work is still in the research stages." The footnote in the quote references the original paper on the creation of CVE, "Towards a Common Enumeration of Vulnerabilities," presented at the 2nd Workshop on Research with Security Vulnerability Databases at Purdue University in January 1999. This paper is available for download or review from the CVE Documents page.

NIST is a member of the CVE Editorial Board, and the NIST ICAT metabase is listed on the CVE-Compatible Products and Services page.

Date: 6/2003
Publication: MITRE Web site

Byline: Alison Stern-Dunyak
Headline: "Tough on Computer Intruders: OVAL Helps IT Professionals Identify System Security Flaws"

Excerpt or Summary:
OVAL Editor Matthew Wojcik was profiled in this "Employee Spotlight" article on the MITRE Web site. The article describes what OVAL is and explains Wojcik's role in the OVAL effort. It also describes Wojcik's personal background.

OVAL is Open Vulnerability Assessment Language, an effort by MITRE and the international information security community to standardize the way in which vulnerabilities are identified on computer systems. OVAL—which supports Windows, Solaris, and Linux—uses Structured Query Language (SQL) queries to identify the vulnerabilities on systems. It is these queries, called OVAL queries, and an official SQL-based OVAL Schema that serves to keep queries consistent and standardized, that the experts employ as their common language. OVAL queries are based on the CVE List. For each CVE entry, there are one or more OVAL queries. Many of the organizations participating in OVAL effort are also involved in CVE.

CVE is mentioned in a section of the article describing OVAL queries: "The queries rely mainly on definitions and descriptions from the Common Vulnerabilities and Exposures (CVE) List, the increasingly popular IT resource developed and managed by MITRE with the cooperation of the worldwide security community." The article also provides a link to the CVE Web site.

Date: 4/22/2003
Publication: SANS Institute Web Site

Byline: Michael Rohse
Headline: "Vulnerability naming schemes and description languages: CVE, Bugtraq, AVDL and VulnXML"

Excerpt or Summary:
CVE was a main topic of this white paper. The author describes what CVE is and isn't, notes the origins of CVE, and mentions CVE compatibility and the part the CVE Editorial Board plays in creating CVE names. The author also compares and contrasts CVE with Bugtraq, AVDL, and VulnXML.

SANS is a member of the CVE Editorial Board and its GIAC Security Training materials are listed on the CVE-Compatible Products and Services page.

Date: 4/17/2003
Publication: Computerworld

Byline: Carl Banzhof
Headline: "Strategies to protect against network security vulnerabilities"

Excerpt or Summary:
CVE was mentioned as an information resource in this article by Carl Banzhof, CTO of Citadel Security Software. Citadel is listed on the CVE-Compatible Products and Services page, and Banzhof is a member of the CVE Editorial Board and the OVAL Board. In the article, Banzhof outlines five best practices for vulnerability remediation that can help administrators assess their current risk, as well as "take steps to prepare their vulnerability defense with minimal interruption to current processes and lay the groundwork to proactively address future vulnerabilities (with their current IT staff) before they are exploited."

Banzhof identifies the following five steps as "crucial to helping administrators": (1) Identification/Discovery of Systems, (2) Vulnerability Assessment, (3) Vulnerability Review, (4) Vulnerability Remediation, and (5) Ongoing Vulnerability Management.

CVE is mentioned in two instances. In step 2, Banzhof states: "Information on commercial scanners can be found on the Common Vulnerabilities and Exposures (CVE) Web site." Banzhof also provides a similar reference in step 4, in which he states: "The [CVE] Web site is also a good resource for finding information about [vulnerability remediation] tools."

Numerous information security tools and services are listed in the CVE-Compatible Products and Services section of the CVE Web site. To date, 129 information security products and services have been declared CVE-compatible or are in the process of being made CVE-compatible by 86 organizations from industry, government, and academia worldwide.

Date: 4/7/2003
Publication: eWeek Labs

Byline: Cameron Sturdevant
Headline: "QualysGuard Spots, Reports Flaws"

Excerpt or Summary:
An eWeek Labs product review entitled "QualysGuard Spots, Reports Flaws" mentions CVE when describing one of the product's main features. The author mentions CVE when discussing how Qualys Inc.'s QualysGuard Intranet Scanner analyzes data off-site and makes reports available to administrators via a Web interface. The author states: "As we applied security fixes, vulnerabilities . . . were closed and reported fixed by QualysGuard [in the Web interface]. In this version, report data is normalized to the Common Vulnerabilities and Exposures list of standardized names (see www.cve.mitre.org for more information). Security administrators who are already using this popular site to categorize vulnerabilities and security exposures can easily fit QualysGuard scans into their workflow."

Qualys' QualysGuard Intranet Scanner and three other Qualys products are listed on the CVE-Compatible Products/Services page.

Date: 3/3/2003
Publication: Government Computer News

Byline: William Jackson
Headline: "Weakness endangers Net e-mail"

Excerpt or Summary:
CVE was mentioned in this article about a ". . . vulnerability [that] affects both open-source and commercial versions of the Sendmail Mail Transfer Agent, which is installed on more than 1.5 million systems connected to the Internet and has been reported to handle from 50 percent to 75 percent of Internet e-mail traffic." After thoroughly describing the vulnerability and potential consequences for U.S. government agencies, the author states: "The Common Vulnerabilities and Exposures project has assigned the identifier CAN-2002-1337 to the vulnerability, which is being evaluated for inclusion in the CVE [List] on the Web at cve.mitre.org." A link was also included to the CVE Web site.

Date: 3/2003
Publication: IEEE Software, Vol. 20, No. 2

Byline: Terry Costlow
Headline: "Software Language Should Help Protect Networks from Hackers"

Excerpt or Summary:
CVE was included in this article about MITRE's Open Vulnerability Assessment Language (OVAL) effort in which the author describes what OVAL is, how it builds upon the CVE Initiative, mentions the importance of information security community involvement and participation in the development of OVAL queries, and includes links to the OVAL and CVE Web sites.

Regarding CVE, the author states: "The [OVAL] language builds upon the Common Vulnerabilities and Exposures (www.cve.mitre.org), a dictionary of standard names and descriptions of existing information security openings. OVAL is a natural follow on that will eliminate most ambiguity that currently plagues IT managers who are always on the lookout for the latest entry points for hackers."

The author also states: ". . . OVAL's big benefit is that it provides another avenue for [technologists and programmers] to share ideas. Many of these companies are working on the same problems at the same time, developing proprietary ideas. At times this work is redundant; at other times, the ideas could be enhanced if more programmers were aware of them." The author further states: "Once these programmers use OVAL to create tools for locating vulnerabilities, their customers should find it much easier to prevent viruses, worms, and hackers from wreaking havoc on their systems."

Date: 2/24/2003
Publication: Government Computer News, Vol. 22, No. 4

Byline: John McCormick
Headline: "Watch the bugs and don't get stung—or complacent"

Excerpt or Summary:
CVE was mentioned briefly in this article about dealing with software server vulnerabilities. The article mentions CVE when discussing vulnerabilities for a particular server, where the author states that all of the vulnerabilities noted are ". . . mentioned in the Common Vulnerabilities and Exposures lexicon, at cve.mitre.org, maintained by MITRE Corp. of Bedford, Mass., and on the SANS-FBI top 20 list."

Date: 2/19/2003
Publication: SPARC Product Directory Web site

Byline:
Headline: "Harris Corporation Computer Security Tool Now Includes Department of Homeland Security Vulnerabilities List"

Excerpt or Summary:
This article, excerpted from a Harris press release, states that Harris Corporation is the first company in the industry to add the list of computer vulnerabilities published by the Federal Computer Incident Response Center (FedCIRC) to its vulnerability assessment tool. The article also states that ". . .STAT Scanner searches for vulnerabilities from several other sources, including the MITRE Common Vulnerabilities and Exposures (CVE) List, the SANS/FBI Top 20 vulnerabilities list, the CERT list, and the Information Assurance Vulnerability Alerts (IAVAs) issued by the DOD and all the military branches."

FedCIRC and Harris Corporation are both members of the CVE Editorial Board, and Harris' STAT Scanner is listed on the CVE-Compatible Products/Services page.

Date: 2/2003
Publication: Business 2.0 Magazine Web site

Byline:
Headline: "Security Technology Web Guide"

Excerpt or Summary:
The security technology guide on the business2.com Web site lists the magazine's top 23 security technology picks in alphabetical order, of which CVE is number 15. The listing includes a link to the CVE Web site and the following description: "MITRE Corporation: Common Vulnerabilities and Exposures-List of standardized names for vulnerabilities and other information security exposures. The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools. Use online or download."

Also included on the list are CVE Editorial Board members CERT/CC (#3), eSecurityOnline.com (#6), Microsoft (#14), SANS (#18), and SecurityFocus (#20). Four of these organizations-CERT/CC, eSecurityOnline.com, SANS, and SecurityFocus–are also listed on the CVE–Compatible Products/Services page.

Date: 2/2003
Publication: Information Security Magazine

Byline: Keith Regan
Headline: "Groups Develop Granular Security Info"

Excerpt or Summary:
CVE was mentioned in this article about refining the dissemination of vulnerability alerts and security advisories to "[help] organizations make sense of the daily torrent of virtually unrefined information." The author mentions CVE when discussing how MITRE's OVAL project addresses this problem: "Similarly, the keepers of the Common Vulnerabilities and Exposures list recently launched Open Vulnerability Assessment Language (OVAL) which builds upon CVE to create a means for making vulnerability alerts more applicable to individual enterprises."

The author describes how OVAL works as a community effort and quotes CVE project leader Margie Zuk on the link between CVE and OVAL: "It's the logical next step. CVE was the beginning of trying to bring some order, and [OVAL] is aimed at improving things." The author explains that while a large amount of information is exchanged at a general level there isn't much detailed technical information included in it about how to detect if that vulnerability exists on an organizations own network, and OVAL addresses this. He also notes that OVAL addresses the problem of system administrators running various diagnostic software programs to determine if vulnerabilities are present but then getting different answers from the different programs.

The author concludes the article with a quote from co-creator and editor of the CVE List Steve Christey, who states: "[OVAL] brings us one step closer to demystifying and improving how vulnerabilities can be detected on computer systems. It raises the bar by actually creating a bar."

Date: 1/27/2003
Publication: California Computer News Magazine

Byline:
Headline: "Worm Hits Internet"

Excerpt or Summary:
In this article about the "SQL Slammer" worm the author identifies CVE CAN-2002-0649 and concludes the article with the following under Additional Information: "The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-0649 to this issue. This is a candidate for inclusion in the CVE List (https://cve.mitre.org), which standardizes names for security problems."

Date: 1/13/2003
Publication: Open Web Application Security Project (OWASP) Web Site

Byline: OWASP
Headline: "Top Ten Most Critical Web Application Security Vulnerabilities"

Excerpt or Summary:
A quote by Steve Christey, co-creator and editor of the CVE List, was included in the commentary section of this document which describes each of the top ten Web vulnerabilities as defined by OWASP, the environments affected for each, and provides examples and references to illustrate them. The document also explains how to determine if your system is vulnerable from each and how to protect it. Christey is quoted as follows: "This list is an important development for consumers and vendors alike. It will educate vendors to avoid the same mistakes that have been repeated countless times in other Web applications. But it also gives consumers a way of asking vendors to follow a minimum set of expectations for Web application security and, just as importantly, to identify which vendors are not living up to those expectations." OWASP is an international open source community initiative for "developing software tools and knowledge-based documentation that helps people secure Web applications and Web services."

Date: 1/10/2003
Publication: InfoWorld

Byline: David L. Margulius
Headline: "Managing it all"

Excerpt or Summary:
CVE was noted as an information security standard in this article about managing security-related technologies. The author includes CVE in a section about data management, integration, and scalability in which the author states: "Efforts are under way to develop standardized security-event representations, including the CVE (Common Vulnerabilities and Exposures) project and those under way at the Computer Emergency Response Team (CERT) Coordination Center." CERT is a member of the CVE Editorial Board, is listed on the CVE-Compatible Products/Services page, and includes CANs in its security advisories.

Date: 1/9/2003
Publication: NetworkWorldFusion.com

Headline: "Resource Link, Security Researchers"

Excerpt or Summary:
CVE was included as a Resource Link for security researchers on Network World Fusion Web site. The listing includes a brief description of what CVE is, as follows: "A list of standardized names for vulnerabilities and other information security exposures - CVE aims to standardize the names for all publicly known vulnerabilities and security exposures." The listing also includes a link to the CVE Web site, and an opportunity for visitors to "rate" CVE as a resource.