News & Events (Archive)

December 21, 2010

MITRE Presents Making Security Measurable Briefing at ITU-T Security Workshop

CVE Compatibility Lead and CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Making Security Measurable entitled "Vendor Neutral Security Measurement & Management with Standards" at ITU-T security workshop "Addressing Security Challenges on a Global Scale" on December 6-7, 2010 in Geneva, Switzerland.

Visit the CVE Calendar for information on this and other events.

December 2, 2010

1 Product from Jump Network Technology Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 111 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Xi’an Jiaotong University Jump Network Technology Co., Ltd. - Jump NVAS

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

MITRE to Present Making Security Measurable Briefing at ITU-T Security Workshop, December 6-7

CVE Compatibility Lead and CWE/CAPEC Program Manager Robert A. Martin will present a briefing about Making Security Measurable entitled "Vendor Neutral Security Measurement & Management with Standards" at ITU-T security workshop "Addressing Security Challenges on a Global Scale" on December 6-7, 2010 in Geneva, Switzerland.

Visit the CVE Calendar for information on this and other events.

November 18, 2010

2 Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

Two additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 110 products to date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Offensive Security - Exploit Database
Xi’an Jiaotong University Jump Network Technology Co., Ltd. - JumpIPS

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE/Making Security Measurable Briefing at Rethinking Cyber Security: A Systems-Based Approach Conference

CVE Compatibility Lead and CWE Program Manager Robert A. Martin presented a briefing about CVE/Making Security Measurable and the Common Weakness Enumeration (CWE) at Rethinking Cyber Security: A Systems-Based Approach Conference on November 16-17, 2010 in Charlottesville, Virginia, USA.

Visit the CVE Calendar for information on this and other events.

November 3, 2010

3 Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

Three additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 108 products to date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Rapid7 LLC - Metasploit Express
Rapid7 LLC - Metasploit Pro
INFOSEC Technology Co., Ltd. - TESS TMS (Threats Management System)

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Numara Software, Inc. Makes Three Declarations of CVE Compatibility

Numara Software, Inc. declared that its Numara Vulnerability Manager, Numara Patch Manager, and Numara Compliance Manager are CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

Serkan Özkan Makes Declaration of CVE Compatibility

Serkan Özkan declared that its vulnerability database, CVEDetails.com, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

CVE/Making Security Measurable Briefing at Rethinking Cyber Security: A Systems-Based Approach Conference, November 16-17

CVE Compatibility Lead and CWE Program Manager Robert A. Martin will present a briefing about CVE/Making Security Measurable and the Common Weakness Enumeration (CWE) at Rethinking Cyber Security: A Systems-Based Approach Conference on November 16-17, 2010 in Charlottesville, Virginia, USA.

Visit the CVE Calendar for information on this and other events.

October 12, 2010

1 Product from Lexsi Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 105 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Lexsi - CSI Vulnerability Database

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Positive Technologies Makes Declaration of CVE Compatibility

Positive Technologies declared that its MaxPatrol Vulnerabilities and Compliance Management System is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

CVE and CVSS Briefings and Making Security Measurable Booth at IT Security Automation Conference 2010

CVE Editor and Technical Lead Steve Christey presented a briefing about CVE and a briefing about CVSS at the U.S. National Institute of Standards and Technology’s (NIST) 6th Annual IT Security Automation Conference on September 27-29, 2010 in Baltimore, Maryland, USA. Also, MITRE hosted a CVE/Making Security Measurable booth and presented briefings and/or participated on discussion panels about the Making Security Measurable, CCE, CPE, OVAL, XCCDF, ARF, CWE, CAPEC, and MAEC efforts.

[Photos from IT Security Automation Conference 2010]

Visit the CVE Calendar for information on this and other events.

CVE a Topic of SCAP Discussion Panel and Making Security Measurable Booth at HSNI 2010

MITRE participated in a SCAP Panel Discussion about CVE, CCE, CPE, OVAL, XCCDF, and OCIL, and hosted a Making Security Measurable table booth, at Homeland Security for Networked Industries (HSNI) 2010 Conference and Expo on September 20-21, 2010 in Washington, D.C., USA.

Visit the CVE Calendar for information on this and other events.

September 8, 2010

1 Product from Beijing Venustech Security Inc. Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 104 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Beijing Venustech Security Inc. - Venusense Threat Detection and Intelligent Analysis System

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

September 1, 2010

CVE and CVSS Briefings and Making Security Measurable Booth at IT Security Automation Conference 2010, September 27-29

CVE Editor and Technical Lead Steve Christey will present a briefing about CVE and a briefing about CVSS at the U.S. National Institute of Standards and Technology’s (NIST) 6th Annual IT Security Automation Conference on September 27-29, 2010 in Baltimore, Maryland, USA. Also, MITRE will host a CVE/Making Security Measurable booth and present briefings and/or participate on discussion panels about the Making Security Measurable, CCE, CPE, OVAL, XCCDF, ARF, CWE, CAPEC, and MAEC efforts.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the CVE Calendar for information on this and other events.

CVE a Topic of SCAP Discussion Panel and Making Security Measurable Booth at HSNI 2010, September 20-21

MITRE will participate in a SCAP Panel Discussion about CVE, CCE, CPE, OVAL, XCCDF, and OCIL, and host a Making Security Measurable table booth, at Homeland Security for Networked Industries (HSNI) 2010 Conference and Expo on September 20-21, 2010 in Washington, D.C., USA.

Visit the CVE Calendar for information on this and other events.

Making Security Measurable and Software Assurance Briefing at GFIRST National Conference

MITRE’s Making Security Measurable, CWE, CAPEC, and MAEC efforts were key parts of a briefing entitled "Software Assurance: Mitigating Risks to Improve Incident Management" that was presented at the 6th Annual GFIRST National Conference in San Antonio, Texas, USA on August 17, 2010 by Joe Jarzombek, Director for Software Assurance at DHS; Thomas Millar, Deputy Operations Manager at US-CERT; CWE/CAPEC Program Manager Robert A. Martin; and CAPEC/CWE Co-Founder and Architect Sean Barnum. The conference itself ran August 15-20.

Visit the CVE Calendar for information on this and other events.

August 13, 2010

2 Products and Services from NOWCOM.co., Ltd. Now Registered as Officially "CVE-Compatible"

Two additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 103 products to date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

NOWCOM.co., Ltd. - SNIPER IPS
NOWCOM.co., Ltd. - SecureCast

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Beijing Venustech Security Inc. Makes Declaration of CVE Compatibility

Beijing Venustech Security Inc. declared that its Venusense Threat Detection and Intelligent Analysis System is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

CVE Mentioned in Article about Securing VoIP in Hakin9

CVE was mentioned in an article entitled "Securing Voice over Internet Protocol" in the June 2010 issue of Hakin9. CVE is mentioned in a section on "Hardening Your VoIP Against Attack" in which the author states: "Consistent repair of your Common Vulnerabilities and Exposures (CVEs) is the litmus test that all information security professionals will be judged by regarding how successfully they are protecting their VoIP networks. Repairing vulnerabilities also helps you stay in compliance with related regulations, including GLBA, HIPAA, 21 CFR FDA 11, E-Sign and SOX-404. CVE Management is the key to hardening your VoIP and removing defects from your computers and networking equipment." CVE is also mentioned in a section on "Possible VoIP Attacks" in which the author describes specific examples of the "types of attacks on your VoIP that [vulnerabilities named by] CVEs can make it vulnerable to".

CVE/Making Security Measurable Booth at Black Hat Briefings 2010

CVE participated in a Making Security Measurable booth at Black Hat Briefings 2010 on July 28-29, 2010 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

July 8, 2010

1 Product from Legendsec Technology Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 101 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Legendsec Technology Co. Ltd. - Legendsec SecIDS 3600 Intrusion Detection System

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Novell, Inc. Makes Declaration of CVE Compatibility

Novell, Inc. declared that its Novell/SUSE Linux Security Updates database is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

XMCO Partners Makes Declaration of CVE Compatibility

XMCO Partners declared that its vulnerability database and notification service, CERT-XMCO, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

CVE/Making Security Measurable Booth at Black Hat Briefings 2010 on July 28-29

CVE is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2010 on July 28-29, 2010 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Stop by Booth 65 and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

June 23, 2010

JPCERT/CC Becomes CVE Numbering Authority

Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has become a CVE Numbering Authority (CNA). JPCERT/CC will begin releasing Japan Vulnerability Notes (JVN) and JVN iPedia entries that contain reserved CVE Identifier numbers.

Steve Christey, Editor of the CVE List, said, "We are pleased that important vulnerabilities in Japanese products will be announced with CVE numbers, thanks to the Japanese CERT’s new role as a CNA. This will help Japanese consumers to better manage vulnerabilities within their networks. JPCERT/CC’s active participation in the CVE Initiative demonstrates how international relationships can improve how vulnerability information is shared across the globe."

Reference maps for JVN and JVNDB identifiers are available to link these identifiers to their associated CVE Identifier numbers.

JPCERT/CC works with the Information-technology Promotion Agency (IPA) under the Information Security Early Warning Partnership in Japan.

For additional information about CNAs, and to review the complete list of organizations participating, visit the CVE Numbering Authorities page.

CVE Mentioned in SAFECode White Paper about Software Integrity Practices

CVE was mentioned in a June 2010 white paper published by the Software Assurance Forum for Excellence in Code (SAFECode) entitled "An Overview of Software Integrity Practices: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain."

CVE is mentioned in a section on Vulnerability Response in which the authors state: "In today’s world, vendors must push for a more formal understanding of how well their suppliers are equipped with the capability to collect input on vulnerabilities from researchers, customers or sources and turn around a meaningful impact analysis and appropriate remedies in the short timeframes involved. The fact is that the handling of such vulnerabilities will likely become a joint responsibility in the face of downstream visibility to customers. No one can afford to be surprised about a supplier’s potential immaturity in handling these challenges in the middle of a situation. Suppliers provide common terminology for these discussions by using now-default references to well-known specifications like Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (the CVSS). Each party should identify contact personnel and review timing and escalation paths as appropriate to be prepared to provide a prompt response."

MITRE Hosts Security Automation Developer Days Conference 2010

MITRE hosted the second Security Automation Developer Days Conference 2010 at MITRE in Bedford, Massachusetts, USA on June 14-16, 2010. The purpose of this three-day event is for the community to discuss all current and emerging Security Content Automation Protocol (SCAP) standards in technical detail and to derive solutions that benefit all concerned parties. A brief technical overview of software assurance efforts sponsored by the U.S. Department of Homeland Security was also provided on the third day of the conference.

For additional information visit https://msm.mitre.org/participation/devdays.html#2010.

May 20, 2010

MITRE to Host Security Automation Developer Days Conference 2010, June 14-16

MITRE is scheduled to host the second Security Automation Developer Days Conference 2010 at MITRE in Bedford, Massachusetts, USA on June 14-16, 2010. The purpose of the three-day event is for the community to discuss all current and emerging Security Content Automation Protocol (SCAP) standards in technical detail and to derive solutions that benefit all concerned parties.

The U.S. National Institute of Standards and Technology’s (NIST) SCAP employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

A brief technical overview of software assurance efforts sponsored by the U.S. Department of Homeland Security will also be provided on the third day of the conference.

For conference details and to register, visit: https://register.mitre.org/devdays/.

Legendsec Technology Co. Ltd. Makes Declaration of CVE Compatibility

Legendsec Technology Co. Ltd. declared that its Legendsec SecIDS 3600 Intrusion Detection System is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

May 10, 2010

Three Products and Services from Three Organizations Now Registered as Officially "CVE-Compatible"

Three additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 100 products to date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Beijing Venustech Security Inc. - Venusense Intrusion Prevention System
Globant - ATTAKA
Legendsec Technology Co. Ltd. - Legendsec SecIPS 3600 Intrusion Prevention System

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE Briefing at 2010 FS-ISAC, FSTC, BITS Annual Summit

CVE Technical Lead Steve Christey presented a briefing about CVE and Common Vulnerability Scoring System (CVSS) at 2010 FS-ISAC, FSTC, BITS Annual Summit in St. Pete Beach, Florida, USA. Open Vulnerability and Assessment Language (OVAL) and Common Weakness Enumeration (CWE) were also mentioned as topics.

Visit the CVE Calendar for information on this and other events.

CVE Briefing at SOURCE Boston Conference

CVE Technical Lead Steve Christey presented a briefing about CVE at SOURCE Boston Conference on April 21-23, 2010 in Boston, Massachusetts, USA. In addition, Christey and CWE/CAPEC Program Manager Robert A. Martin participated on a Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC) panel discussion.

Visit the CVE Calendar for information on this and other events.

MITRE Hosts Making Security Measurable Booth at InfoSec World 2010

MITRE hosted a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2010 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on April 19-21, 2010.

Visit the CVE Calendar for information on this and other events.

April 7, 2010

Photos from "CVE 10-Year Anniversary Celebration & BOF" at RSA 2010

MITRE held a CVE 10-Year Anniversary Birds of a Feather (BOF) entitled Thanking the Community at RSA 2010 on March 3, 2010 that was attended by past and present CVE Editorial Board Members, CVE-Compatible Product Vendors, and others. See photos below:

[Photos from CVE 10-Year Anniversary Birds of a Feather (BOF)]

See "CVE Celebrates 10 Years!" for a summary of how CVE became the international standard for public software vulnerability identifiers.

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2010, April 19-21

MITRE is scheduled to host a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2010 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on April 19-21, 2010. Please stop by booth 319 and say hello!

Visit the CVE Calendar for information on this and other events.

CVE Briefing at SOURCE Boston Conference, April 21-23

CVE Technical Lead Steve Christey is scheduled to present a briefing about CVE at SOURCE Boston Conference on April 21-23, 2010 in Boston, Massachusetts, USA.

In addition, Christey and CWE/CAPEC Program Manager Robert A. Martin are scheduled to participate on a Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC) panel discussion.

Visit the CVE Calendar for information on this and other events.

Photos from Making Security Measurable Booth at RSA 2010

MITRE hosted a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010. See photos below:

[Photos from Making Security Measurable booth at RSA 2010]

Visit the CVE Calendar for information on this and other events.

RedSeal Systems, Inc. Makes Declaration of CVE Compatibility

RedSeal Systems, Inc. declared that its security posture management and near real-time risk management product, RedSeal Vulnerability Advisor, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

March 11, 2010

MITRE Hosts "CVE 10-Year Anniversary Celebration & BOF" at RSA 2010

MITRE held a "CVE 10-Year Anniversary Birds of a Feather (BOF)" session at RSA 2010 on March 3, 2010. The event — attended by past and present CVE Editorial Board Members, CVE-Compatible Product Vendors, and others — included brief presentations to thank the community for helping to make CVE one of the first-ever international information security standards and for its ongoing and continuing success.

MITRE Hosts Making Security Measurable Booth at RSA 2010

MITRE hosted a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

MITRE Presents Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum

CVE Compatibility Lead Robert A. Martin presented a briefing about Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 9-12, 2010 at MITRE Corporation in McLean, Virginia, USA.

Visit the CVE Calendar for information on this and other events. Contact cve@mitre.org to have OVAL present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CWE, CEE, MAEC, OVAL, and/or Making Security Measurable at your event.

February 11, 2010

MITRE to Host Making Security Measurable Booth at RSA 2010, March 1-5

MITRE is scheduled to host a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010. Please stop by Booth 2617 and say hello!

Visit the CVE Calendar for information on this and other events.

MITRE to Present Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum, March 9-12

CVE Compatibility Lead Robert A. Martin is scheduled to present a briefing about Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 9-12, 2010 at MITRE Corporation in McLean, Virginia, USA.

Visit the CVE Calendar for information on this and other events.

MITRE Hosts Making Security Measurable Booth at the 2010 Information Assurance Symposium

MITRE hosted a Making Security Measurable booth at the 2010 Information Assurance Symposium in Nashville, Tennessee, USA, on February 2-5, 2010. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks."

Visit the CVE Calendar for information on this and other events.

January 15, 2010

CVE List Surpasses 40,000 CVE Identifiers

The CVE Web site now contains 40,022 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. CVE IDs are also used to uniquely identify vulnerabilities in public watch lists such as the SANS Top 20 Most Critical Internet Security Vulnerabilities and OWASP Top 10 Web Application Security Issues.

CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL) effort uses CVE IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information that is synchronized with and based on the CVE List also includes Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

Each of the 40,000+ identifiers on the CVE List includes the following: CVE Identifier number (e.g., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look up an individual identifier. Fix information and enhanced searching of CVE is available from NVD.

January 8, 2010

Three Products and Services from Two Organizations Now Registered as Officially "CVE-Compatible"

Three additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 93 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Information-technology Promotion Agency, Japan (IPA) - JVN Vulnerability Countermeasure Information Database (JVN iPedia) and Filtered Vulnerability Countermeasure Information Tool (MyJVN)

Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) - Japan Vulnerability Notes (JVN)

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

DBAPPSecurity Limited Makes Five Declarations of CVE Compatibility

DBAPPSecurity Limited declared that its Web application vulnerabilities scanner, MatriXay; Database Vulnerability Scanner; Web Application Firewall; intrusion monitoring and response service, Database Auditor; and intrusion monitoring and response service, Web Monitor, are CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

Security Automation Is Main Focus of DoD’s IAnewsletter

"Security Automation: A New Approach to Managing and Protecting Critical Information" is the main topic of the Winter 2010 issue of the Department of Defense’s (DoD) Information Assurance Technology Analysis Center’s (IATAC) IAnewsletter.

According to the newsletter, a security automation strategy will enable automation of "many security and configuration management, compliance, and network defense functions and give our [DoD] system administrators and network defenders a chance to succeed." Specific article topics include: An Introduction to Security Automation; Security Automation: A New Approach Managing and Protecting Critical Information; Security Content Automation Protocol; Secure Configuration Management (SCM); DoD Activities Underway to Mature SCAP Standards; Why Industry Needs Federal Government Leadership to Gain the Benefits of Security Automation; and Practicing Standards-Based Security Assessment and Management.

In addition, MITRE’s CVE, CCE, CPE, and OVAL information assurance data standards are mentioned throughout the issue, especially with regard to how they are utilized by the National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to help enable automated, standards-based security assessment and management.

The newsletter is free to download from the IATAC Web site.

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2010

MITRE has announced its initial Making Security Measurable calendar of events for 2010. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have MITRE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CWE, MAEC, CEE, OVAL, and/or Making Security Measurable at your event.

Page Last Updated or Reviewed: December 15, 2017