MITRE Presents Making Security Measurable White Paper at MILCOM 2008 on November 19
MITRE Principal Engineer and CVE Adoption Lead Robert A. Martin presented a white paper entitled "Making Security Measurable and Manageable" at MILCOM 2008 on November 19, 2008 in San Diego, California, USA. The paper introduces MITRE’s Making Security Measurable effort by explaining in detail how information security data standards such as CVE, CCE, OVAL, CPE, CAPEC, CWE, and others facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the CVE Calendar page for information on this and other upcoming events.
CVE Mentioned in MITRE News Release about Recommendation Tracker
CVE was mentioned in a December 1, 2008 MITRE news release entitled "MITRE Releases New Security Software" about its new, open source "Recommendation Tracker" software that "facilitates development of automated security benchmarks." "System administrators use benchmarks-essentially a set of recommendations-to securely configure an operating system or software application and then set up automatic testing to ensure proper configuration."
CVE is mentioned when the release notes that Recommendation Tracker is "the latest tool developed by MITRE in the last 10 years to help the security community produce automated, standardized benchmarks" and that four MITRE-run information security data standards — CVE, CCE, CPE, and OVAL — are among the six existing standards used in the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to enable automated vulnerability management, measurement, and policy compliance evaluation.
The release also mentions MITRE’s free one-day Benchmark Development Course that instructs attendees how to use MITRE’s CCE, OVAL, Recommendation Tracker, and Benchmark Editor, as well as other information assurance standards and tools, to help vendors and security content developers produce good benchmarks more efficiently.
Trustwave Posts CVE Compatibility Questionnaire
Trustwave has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for TrustKeeper. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
SecurView Inc. Makes Declaration of CVE Compatibility
SecurView Inc. has declared that its risk management and event monitoring service, CASPER, will be CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.
MITRE Scheduled to Present Making Security Measurable White Paper at MILCOM 2008 on November 19
CWE Program Manager Robert A. Martin is scheduled to present a white paper entitled "Making Security Measurable and Manageable" at MILCOM 2008 on November 19, 2008 in San Diego, California, USA.
The paper introduces MITRE’s Making Security Measurable effort by explaining in detail how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
The conference itself runs November 17-19. Visit the CVE Calendar page for information on this and other upcoming events.
CVE-Related Workshops and "Making Security Measurable" Table Booth at Security Automation Conference 2008, September 23-25
The CVE Team contributed to CVE-related workshops and MITRE hosted a Making Security Measurable table booth at the U.S. National Institute of Standards and Technology’s (NIST) Security Automation Conference & Workshop 2008 on September 23-25, 2008 in Gaithersburg, Maryland, USA.
NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.
CVE and NIST also recently announced a partnership to replace the CVE Compatibility program with two independent but complementary efforts, a "CVE Adoption Program" managed by MITRE and a "Security Content Automation Protocol (SCAP) Validation Program" managed by NIST. Refer to the CVE Adoption Program page for additional information.
Visit the CVE Calendar for information on this and other events.
NSFocus Information Technology (Beijing) Co., Ltd. Makes Four Declarations of CVE Compatibility
NSFocus Information Technology (Beijing) Co., Ltd. declared that its ICEYE NIPS (Network Intrusion Prevention System), ICEYE SCM (Security Content Management System), ICEYE SG (Security Gateway), and ICEYE WAF (Web Application Firewall) are CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.
CVE and NIST Partner to Create New CVE Adoption/Validation Programs
CVE has partnered with the U.S. National Institute of Standards and Technology (NIST) to replace the CVE Compatibility program with two independent but complementary efforts, a "CVE Adoption Program" managed by MITRE and the "Security Content Automation Protocol (SCAP) Validation Program" managed by NIST.
NIST will provide additional details about the new programs at its Security Automation Conference & Workshop 2008 on September 23-24, 2008 in Gaithersburg, Maryland, USA.
During the coming months the CVE Web site will be updated to reflect the new program. Products currently listed in the CVE Compatibility section will be moved into a new CVE Adoption section. Additional information is available on the CVE Adoption Program page.
CVE Included as Topic at Security Automation Conference 2008, September 23-25
CVE will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) Security Automation Conference & Workshop 2008 on September 23-25, 2008 in Gaithersburg, Maryland, USA. The CVE Team is also scheduled to contribute to the CVE-related workshops.
NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.
Visit the CVE Calendar for information on this and other events.
Catbird Networks Inc. Posts CVE Compatibility Questionnaire
Catbird Networks Inc. has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Catbird V-Security. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
TMC y Cia Posts CVE Compatibility Questionnaire
TMC y Cia has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Falcon Vulnerabilities Analysis (FAV). In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
Beijing Venus Information Security Technology, Inc. Makes Declaration of CVE Compatibility
Beijing Venus Information Security Technology, Inc. has declared that its Cybervision Intrusion Prevention System is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.
CVE Participates in "Making Security Measurable" Booth at Black Hat Briefings 2008
CVE participated in a Making Security Measurable booth at Black Hat Briefings 2008 on August 6-7, 2008 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.
Visitors to the booth learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the CVE Calendar for information on this and other events.
Adoption of CVE by Oracle Announced on Oracle’s Global Product Security Blog
On July 15, 2008 Oracle began including CVE Identifiers in its quarterly Critical Patch Update (CPU) documentation and is now a CVE Candidate Numbering Authority, joining other major software companies (Cisco, Red Hat, Debian, HP, FreeBSD, Ubuntu Linux, Microsoft, and Apple) already independently issuing CVE IDs for their products.
Oracle promoted their adoption of CVE IDs in a July 15, 2008 posting on their "Oracle Global Product Security Blog" about the July CPU in which the author states: "As mentioned earlier in this blog, this CPU is also characterized by the adoption of the Common Vulnerabilities and Exposure (CVE) system. As explained on the CVE program web site, 'CVE Identifiers (also called "CVE IDs," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities.' Starting with the July 2008 Critical Patch Update, Oracle will use these CVE identifiers to identify the vulnerabilities fixed in each new CPU, and will no longer use the proprietary numbering convention that was previously used in the CPU risk matrices. As a result, each new vulnerability fixed in the CPU will be assigned a unique CVE Identifier. This change was made possible because Oracle became a ‘Candidate Naming Authority’ under the CVE program. Note that while the CPU documentation is the only authoritative source of information about vulnerabilities in Oracle products, and as such should remain the primary source of information about such vulnerabilities, the use of unique CVE identifiers should result in simplifying how Oracle vulnerabilities are identified in external security reports such as those produced by security researchers and vulnerability management systems. The use in the CPU documentation of CVE identifiers, along with the publication of the Common Vulnerability Scoring System (CVSS) base scores, is further evidence of Oracle’s customer focus in its vulnerability disclosure practices."
Oracle’s "July 2008 Critical Patch Update" was released on July 15, 2008.
CVE Mentioned in Article about Oracle Patch Update on Government Computer News
CVE was mentioned in a July 16, 2008 article entitled "Oracle releases critical updates" in Government Computer News about Oracle including CVE Identifiers in its quarterly Critical Patch Update (CPU) documentation. The author provides three examples of the patches along with their corresponding CVE IDs, and concludes the article with the following statement: "This quarterly patch cycle is the first to assign CVE Identifiers (CVE IDs) to vulnerabilities, according to Mitre, which oversees CVE management."
CVE Mentioned in Article about Oracle Patch Update on InternetNews.com
CVE was mentioned in a July 16, 2008 article entitled "Oracle Patches 45 Vulnerabilities" on InternetNews.com about Oracle including CVE Identifiers in its quarterly Critical Patch Update (CPU) documentation. The author states: "Common Vulnerabilities and Exposure, or CVE, is a standard approach to providing a common identifier for vulnerabilities. The CVE system is widely used by several technology vendors such as Microsoft … and Mozilla to identify security items." The article also includes a quote from a blog post by Eric Maurice, manager for security in Oracle’s global technology business unit, who explains Oracle’s adoption of CVE: "Starting with the July 2008 Critical Patch Update, Oracle will use these CVE identifiers to identify the vulnerabilities fixed in each new CPU, and will no longer use the proprietary numbering convention previously used in the CPU risk matrices. As a result, each new vulnerability fixed in the CPU will be assigned a unique CVE Identifier. This change was made possible because Oracle became a 'Candidate Naming Authority' under the CVE program."
Openware Posts CVE Compatibility Questionnaire
Openware has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for ATTAKA. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
CVE Identifiers Now Included in Oracle’s "Critical Patch Updates"
Oracle is now including CVE Identifiers (CVE IDs) in its quarterly Critical Patch Update (CPU) documentation. "The July 2008 Critical Patch Update" was released on July 15, 2008.
"Oracle is delighted to become a Candidate Naming Authority under CVE. The adoption of CVE, along with our use of CVSS, is further evidence of Oracle’s desire to lead the industry in terms of secure development and remediation practices," said Mary Ann Davidson, Oracle CSO. "While the CPU documentation will remain the main source of information about vulnerabilities in Oracle products, we believe that the use of unique CVE Identifiers should result in helping to simplify how Oracle vulnerabilities are identified in external security reports such as those produced by security researchers and vulnerability management systems."
Over 70 organizations from around the world have included CVE IDs in their security advisories, ensuring that the community benefits by having CVE IDs as soon as the problem is announced.
"Including CVE IDs in the initial public announcement of security fixes is of great benefit to security managers of enterprises that use Oracle software," said Robert Martin, CVE Outreach Lead. "This will help those enterprises manage their Oracle patching effort in the same manner as they manage their vulnerability and patching efforts for the rest of their applications and operating systems software. Including CVE IDs is definitely something we encourage of every software product vendor."
The other software companies independently issuing CVE IDs for their products include Cisco, Red Hat, Debian, HP, FreeBSD, Ubuntu Linux, Microsoft, and Apple.
Gamasec Ltd. Makes Declaration of CVE Compatibility
Gamasec Ltd. declared that its Web site vulnerability assessment service, GamaScan, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.
CVE to Participate in "Making Security Measurable" Booth at Black Hat Briefings 2008 on August 6-7
CVE is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2008 on August 6-7, 2008 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.
Visit us at Booth A and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the CVE Calendar for information on this and other events.
TMC y Cia Makes Declaration of CVE Compatibility
TMC y Cia declared that its vulnerability analysis service, Falcon Vulnerabilities Analysis (FAV), is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services.
MITRE Hosts "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19
MITRE hosted a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Western Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA.
Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CWE, CEE, CRF, OVAL, and/or Making Security Measurable at your event.
One IBM Internet Security Systems Product Now Registered as Officially "CVE-Compatible"
IBM Internet Security Systems’ Proventia Enterprise Scanner has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." A total of 81 products to date have been recognized as officially compatible.
The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. The official CVE-Compatible logo lets system administrators and other security professionals look for it when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
Xi’an Jiaotong University Jump Network Technology Co., Ltd. Makes Declaration of CVE Compatibility
Xi’an Jiaotong University Jump Network Technology Co., Ltd. declared that its intrusion prevention service, JumpIPS, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services.
MITRE Presents "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4
CVE Compatibility Lead/CWE Program Manager Robert A. Martin presented a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA.
Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event.
MITRE Presents "Making Security Measurable" Briefing and a Half-Day Tutorial at AusCERT 2008 on May 18-23
CVE Compatibility Lead/CWE Program Manager Robert A. Martin and CVE Technical Lead/CWE Technical Lead Steven M. Christey presented a Making Security Measurable briefing and hosted a half-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at Royal Pines Resort in Gold Coast, Australia.
Visit the CVE Calendar for information on this and other events.
XML Schema for CVE List Added to CVE Downloads Page
An XML Schema Definition (.xsd) download for the CVE List is now available on the CVE Downloads page. The schema, which was contributed by the U.S. National Institute of Standards and Technology (NIST), will assist those using CVE in XML format.
Tenable Network Security Inc. Posts Three CVE Compatibility Questionnaires
Tenable Network Security Inc. has achieved the second phase of the CVE Compatibility Process for three products by submitting a CVE Compatibility Questionnaire for Passive Vulnerability Scanner, a CVE Compatibility Questionnaire for Security Center, and a CVE Compatibility Questionnaire for Nessus 3 Security Scanner. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
FrSIRT Makes Declaration of CVE Compatibility
French Security Incident Response Team (FrSIRT) declared that its FrSIRT Vulnerability Notification Service is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services.
MITRE Scheduled to Present "Making Security Measurable" Briefing and a Full-Day Tutorial at AusCERT 2008 on May 18-23
CVE Compatibility Lead/CWE Project Manager Robert A. Martin and CVE Technical Lead/CWE Technical Lead Steven M. Christey are scheduled to present a Making Security Measurable briefing and host a full-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at Royal Pines Resort in Gold Coast, Australia.
Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event.
MITRE Scheduled to Present "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4
CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA.
Visit the CVE Calendar for information on this and other events.
MITRE Scheduled to Host "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19
MITRE is scheduled to host a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Western Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA.
Visit the CVE Calendar for information on this and other events.
MITRE Presents "Making Security Measurable" Briefing at 2008 IEEE Conference on Technologies for Homeland on May 12-13
CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing at 2008 IEEE Conference on Technologies for Homeland on May 12-13, 2008 at the Westin Hotel in Waltham, Massachusetts, USA.
Visit the CVE Calendar for information on this and other events.
CVE Identifiers Used throughout Microsoft Security Intelligence Report
CVE Identifiers were used to identify the security issues under analysis in Microsoft Corporation’s recently released Microsoft Security Intelligence Report, Volume 4 (July through December 2007). The report provides an "in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software."
CVE Identifiers were used to "normalize the data set," with each exploit "matched with its corresponding vulnerability using Common Vulnerabilities and Exposures (CVE) identifiers and Microsoft security bulletins." "Each Microsoft security bulletin may address multiple vulnerabilities, so the Microsoft security bulletin-to-CVE translation isn’t a one-to-one correlation. Researchers used information provided by the Microsoft Security Response Center (MSRC), the CVE, the NVD, and SecurityPatch.org to create a final MSRC-to-CVE mapping." Results of this mapping are discussed throughout the report, summarized in a chart entitled "Exploits in select Microsoft products by CVE identifier, 2006-2007," and reviewed in detail in "Appendix B: Exploit Counts by Microsoft Security Bulletin and CVE ID."
The report also uses the U.S. National Institute of Standards and Technology’s (NIST) U.S. National Vulnerability Database (NVD) and the Forum of Incident Response and Security Teams’ (FIRST) Common Vulnerability Scoring System (CVSS).
NVD and CVE are sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.
IBM Internet Security Systems Posts CVE Compatibility Questionnaire
IBM Internet Security Systems has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Proventia Enterprise Scanner. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.
Trustwave Makes Declaration of CVE Compatibility
Trustwave declared that its vulnerability scanning service, TrustKeeper, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services.
MITRE Presents "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27
CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA.
Visit the CVE Calendar for information on this and other events.
MITRE Presents "Making Security Measurable" Briefing at GOVSEC on April 24
CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA.
Visit the CVE Calendar for information on this and other events.
Three Products from Two Organizations Now Registered as Officially "CVE-Compatible"
Three additional information security products have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 82 products to date have been recognized as officially compatible.
The following products are now registered as officially "CVE-Compatible":
Critical Watch: FusionVM Enterprise System
Critical Watch: FusionVM Managed Service
Watchfire Corporation-IBM: AppScan
The official CVE-Compatible logo lets system administrators and other security professionals look for it when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
MITRE Hosts "Making Security Measurable" Booth at RSA 2008, April 7-11
MITRE hosted a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.
The conference exposed the CVE, CCE, CME, CPE, CAPEC, CWE, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events.
CVE List Reaches 30,000 CVE Identifiers
The CVE Web site now contains 30,000 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.
The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. CVE IDs are also used to uniquely identify vulnerabilities in public watch lists such as the SANS Top 20 Most Critical Internet Security Vulnerabilities and OWASP Top 10 Web Application Security Issues.
CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL) effort uses CVE IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information that is synchronized with and based on the CVE List recently expanded to include Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.
Each of the 30,000+ identifiers on the CVE List includes the following: the CVE Identifier number (e.g., "CVE-1999-0067"); an indication of "entry" or "candidate" status; a brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or an OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look up an individual identifier. Fix information and enhanced searching of CVE are available from NVD.
MITRE Scheduled to Host "Making Security Measurable" Booth at RSA 2008, April 7-11
MITRE is scheduled to host a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.
The conference will expose the CVE, CCE, CME, CPE, CAPEC, CWE, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events.
MITRE Scheduled to Present "Making Security Measurable" Briefing at GOVSEC on April 24
CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA.
Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event.
MITRE Scheduled to Present "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27
CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA.
Visit the CVE Calendar for information on this and other events.
MITRE Presents "Making Security Measurable" Briefing at SEPG North America 2008 on March 18
CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security for Enterprise Process Improvement" at SEPG North America 2008 on March 1, 2008 at the Tampa Convention Center in Tampa, Florida, USA.
Visit the CVE Calendar for information on this and other events.
Two Products from Two Organizations Now Registered as Officially "CVE-Compatible"
Two additional information security products have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 78 products to date have been recognized as officially compatible.
The following products are now registered as officially "CVE-Compatible":
Archer Technologies - Archer Threat Management
GFI Software Ltd. - GFI LANguard Network Security Scanner
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
CVE Mentioned in Government Computer News Article about SCAP
CVE was mentioned in a March 3, 2008 article entitled "SCAP narrows security gap" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) program, which is "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements."
CVE is mentioned as one of the "more mature standards" of the six SCAP includes: "The Common Vulnerabilities and Exposures Standard from Mitre, which provides standard identifiers and a dictionary for security vulnerabilities related to software flaws."
Three of the other standards the author references as mature are Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities. The author also notes the two "less mature" standards SCAP uses: Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; and Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming.
SCAP is an expansion of NIST’s U.S. National Vulnerability Database (NVD) that is based upon the CVE List. NVD, CVE, and OVAL are all sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.
MITRE Scheduled to Present "Making Security Measurable" Briefing at SEPG North America 2008 on March 18
CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Security for Enterprise Process Improvement" at SEPG North America 2008 on March 1, 2008 at the Tampa Convention Center in Tampa, Florida, USA.
Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event.
MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2008, March 10-11
MITRE hosted a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.
The conference exposed the CVE, CCE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events.
Four Products from Four Organizations Now Registered as Officially "CVE-Compatible"
Four additional information security products have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 76 products to date have been recognized as officially compatible.
The following products are now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.
Lenovo Security Technologies, Inc. Makes Declaration of CVE Compatibility
Lenovo Security Technologies, Inc. declared that its Lenovo Security Intrusion Detection System is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services.
CVE Mentioned in SC Magazine Article about Vulnerability Management
CVE was mentioned in an article entitled "Vulnerability management: weathering the storm" in the February 1, 2008 issue of SC Magazine. CVE is mentioned in a section entitled "Vulnerabilities on the rise" when the author states: "Last year gave rise to about 7,000 unique vulnerabilities, says Steve Christey, principal information security engineer at MITRE, which maintains the Common Vulnerabilities and Exposure (CVE) list, a dictionary that provides the common names for publicly known security vulnerabilities. Since 1999, MITRE has tracked some 28,000 vulnerabilities in packaged software. While the sheer number of bugs is certainly cause for concern, flaws do have one positive attribute: they provide a tangible way to assess risk, say experts."
CVE is mentioned again when the author explains that "Each CVE listing in the National Vulnerability Database, the U.S. government repository of standards based vulnerability management data, supports the Common Vulnerability Scoring System (CVSS), an open framework that standardizes the severity of vulnerabilities across heterogeneous platforms."
The article also includes a quote about CVSS that states: "CVSS is a way to provide a consistent risk metric. All of the vulnerability scanning tools and all of the alerts will use their own definition of risk, so a consumer of this information, if they’re not using CVSS, might get multiple interpretations of how significant a single vulnerability is."
The article also mentions MITRE’s Common Weakness Enumeration (CWE), which is based in part on CVE.
MITRE to Host "Making Security Measurable" Booth at InfoSec World 2008, March 10-11
MITRE is scheduled to host a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.
The conference will expose the CVE, CCE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events.
MITRE Hosts "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1
MITRE hosted a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.
The conference exposed the CVE, CCE, CME, CEE, CPE, CWE, CAPEC, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events.
MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2008
MITRE has announced its initial Making Security Measurable calendar of events for the first half of 2008. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
Other events will be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, CCE, CME, CEE, CPE, CWE, CAPEC, CRF, OVAL, and/or Making Security Measurable at your event.
INFOSEC Technology Co., Ltd. Makes Declaration of CVE Compatibility
INFOSEC Technology Co., Ltd. declared that its TESS TMS (Threats Management System) is CVE-Compatible. For additional information about this and other CVE-compatible products, visit CVE-Compatible Products and Services.
CVE Identifiers Included in Annual Update of "SANS Top Twenty" List of Internet Security Threats
The 2007 Annual Update to the Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on November 28, 2007 and now includes 275 CVE Identifiers. The list uses CVE Identifiers to uniquely identify the vulnerabilities it describes. This will help system administrators use CVE-Compatible Products and Services to help make their systems and networks more secure.
The annual update includes six major categories: (1) Client-Side Vulnerabilities in Web Browsers, Office Software, Email Clients, Media Players; (2) Server-Side Vulnerabilities in Web Applications, Windows Services, Unix and Mac OS Services, Backup Software, Anti-virus Software, Management Servers, Database Software; (3) Security Policy and Personnel - Excessive User Rights and Unauthorized Devices, Phishing/Spear Phishing, Unencrypted Laptops and Removable Media; (4) Application Abuse in Instant Messaging and Peer-to-Peer Programs; (5) Network Devices - VoIP Servers and Phones; and (6) Zero Day Attacks.
SANS is a member of the CVE Editorial Board and its education and training materials are listed in the CVE-Compatible Products and Services section.
CVE Compatibility Requirements Document Updated
The "Requirements and Recommendations for CVE Compatibility" document has been updated to add information aggregators as a new category of tool/service, separate the advisory repositories and vulnerability databases from one category of tool/service into two separate categories, and to update the candidate- and version-related requirements. Comments or questions on these changes are welcome at cve@mitre.org.
MITRE to Host "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1
MITRE is scheduled to host a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.
The conference will expose the CVE, CCE, CPE, CME, CAPEC, CWE, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CVE Calendar for information on this and other events.