2004 News & Events (Archive)

December 22, 2004

Gentoo Foundation Makes CVE Compatibility Declaration

Gentoo Foundation has declared that its Gentoo Linux Security Advisories will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

KDware Ltd. Makes CVE Compatibility Declaration

KDware Ltd. has declared that its incident management tool, Incident MiND, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

CVE Mentioned in Article about Developers Preventing Security Problems in eWeek

CVE was mentioned in a December 2004 article in eWeek Magazine entitled "An Applications View on Security." The main topic of the article is a discussion about developers preventing security problems and that "three application firewall vendors—Teros Inc., NetContinuum Inc. and Imperva Inc.—threw down a challenge to other security vendors to submit their products to independent testing by International Computer Security Association Labs (a division of TruSecure Corp.) to determine their effectiveness against application-level attacks."

CVE was mentioned in a quote by Gary Miliefsky, CEO of PredatorWatch Inc., who states: "Most developers don't make adequate use of the Common Vulnerabilities and Exposures data at cve.mitre.org. I was speaking to a group the other night, and I said, 'Raise your hand if you know what a CVE is.' No one raised their hand. A developer needs to know when a product is opening a port or using any other resource what vulnerabilities it's opening."

PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page, and its PredatorWatch Auditor 128 and Update Service, PredatorWatch Auditor 16 and Update Service, and PredatorWatch Auditor Enterprise and Update Service each recently received official "Certificates of CVE Compatibility" at MITRE's compatibility awards ceremony on November 8, 2004 at the CSI Computer Security Conference in Washington, D.C., USA.

CVE Mentioned in Article about OVAL in Information Security Magazine

CVE was mentioned in an article entitled "'Big O' For Testing" in the December 2004 issue of Information Security Magazine. In the article the author describes MITRE Corporation's OVAL project and states: "The Open Vulnerability Assessment Language (OVAL) project, headed by nonprofit MITRE and funded by the Department of Homeland Security's U.S.-CERT, is being developed as a standardized process by which security tool creators, operating system vendors and security professionals test systems for exploitable vulnerabilities. XML-based OVAL leverages MITRE's Common Vulnerabilities and Exposures (CVE) Initiative . . . [and] gives security managers the ability to test for a particular CVE vulnerability in OVAL-compliant applications and platforms. OVAL will tell testers whether vulnerable software is installed and, if so, whether it has a vulnerable configuration."

MITRE's OVAL Web site is listed on the CVE-Compatible Products and Services page and OVAL-IDs are included as references in CVE names when applicable.

CVE Mentioned in Product Review Article in Network Computing

CVE was mentioned briefly in a December 7, 2004 product test article in Network Computing's Security Pipeline entitled "Test Run: PredatorWatch's Auditor 128." CVE was mentioned in the second paragraph of the review, in which the author states: "To identify vulnerabilities and test compliance to HIPAA, Sarbanes-Oxley, ISO-17799 and other regulations, [PredatorWatch] Auditor uses the CVE (Common Vulnerabilities and Exposures) dictionary of known threats."

PredatorWatch, Inc. and its PredatorWatch Auditor 128 and Update Service are listed on the CVE-Compatible Products and Services page, along with its PredatorWatch Auditor 16 and Update Service and PredatorWatch Auditor Enterprise and Update Service. All three of these products are listed as officially CVE-Compatible.

December 8, 2004

netVigilance, Inc. Makes CVE Compatibility Declaration

netVigilance, Inc. has declared that its network scanning appliance, EagleBox, is CVE-compatible. In addition, netVigilance, Inc.'s SecureScout NX, SecureScout SP, and SecureScout Perimeter are also listed on the CVE-Compatible Products and Services page. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Privacyware Makes CVE Compatibility Declaration

Privacyware has declared that its host-based intrusion prevention product for Microsoft Web Servers, ThreatSentry, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

ReddShell Corporation Makes CVE Compatibility Declaration

ReddShell Corporation has declared that its vulnerability assessment and management tool, SECUREScan, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Xacta Corporation Makes CVE Compatibility Declaration

Xacta Corporation has declared that its risk management capability, Xacta IA Manager, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

"Certificate of CVE Compatibility" Awarded to Trend Micro, Inc.

Trend Micro, Inc. was recently presented with a "Certificate of CVE Compatibility" for its Trend Micro Vulnerability Assessment product. MITRE held an awards ceremony at CSI's Computer Security Conference in Washington, D.C., USA on November 8th to award compatibility certificates to 10 organizations for 20 information security products or services. Trend Micro, which was unable to attend that ceremony, received its certificate in a special ceremony on December 2nd at MITRE in Bedford, Massachusetts.


Robert A. Martin, CVE Compatibility Lead, and John Hermano, Vulnerability Assessment Product Manager, Trend Micro, Inc., in a special ceremony at MITRE.

Trend Micro, Inc. and its Trend Micro Vulnerability Assessment product are listed on the CVE-Compatible Products and Services page.

Seven "Certificates of CVE Compatibility" Awarded to Internet Security Systems, Inc.

Internet Security Systems, Inc. (ISS) was awarded "Certificates of CVE Compatibility" for 7 products at an awards ceremony at CSI's Computer Security Conference in Washington, D.C., USA on November 8, 2004. The products receiving compatibility certificates were X-Force Database, X-Force Alerts and Advisories, Internet Scanner, System Scanner, RealSecure Network 10/100 and Network Gigabit, RealSecure Server Sensor, and SiteProtector. ISS was one of the 10 most recent organizations to achieve the final phase of MITRE's formal CVE Compatibility Process and to have their information security products and services registered as officially "CVE-compatible." The awards, 20 in all, were presented at the ceremony by Lawrence C. Hale, Deputy Director of the National Cyber Security Division, U.S. Computer Emergency Readiness Team (US-CERT) at the U.S. Department of Homeland Security.


Lawrence C. Hale, US-CERT/DHS and Peter Allor, Director of X-Force Intelligence, Internet Security Systems, Inc. (ISS) and Lori Bauer of ISS, at MITRE's compatibility awards ceremony at CSI Computer Conference.

Internet Security Systems, Inc. and its X-Force Database, X-Force Alerts and Advisories, Internet Scanner, System Scanner, RealSecure Network 10/100 and Network Gigabit, RealSecure Server Sensor, and SiteProtector are listed on the CVE-Compatible Products and Services page.

Two "Certificates of CVE Compatibility" Awarded to Symantec Corporation

Symantec Corporation was awarded "Certificates of CVE Compatibility" for its DeepSight Alert Services and its SecurityFocus Vulnerability Database at an awards ceremony at CSI's Computer Security Conference in Washington, D.C., USA on November 8, 2004. Symantec was one of the 10 most recent organizations to achieve the final phase of MITRE's formal CVE Compatibility Process and to have their information security products and services registered as officially "CVE-compatible." The awards, 20 in all, were presented at the ceremony by Lawrence C. Hale, Deputy Director of the National Cyber Security Division, U.S. Computer Emergency Readiness Team (US-CERT) at the U.S. Department of Homeland Security.


Lawrence C. Hale, US-CERT/DHS, and Dee Liebenstein, Group Product Manager for DeepSight Threat Management Services at Symantec Corporation, at MITRE's compatibility awards ceremony at CSI Computer Conference.

Symantec Corporation and its DeepSight Alert Services and SecurityFocus Vulnerability Database are listed on the CVE-Compatible Products and Services page.

CVE Included in Article Advocating Proactive Network Security on ZDNet

CVE was mentioned throughout a November 30, 2004 article on ZDNet entitled "A guide to proactive network security." In the article the author uses CVE names as a synonym for computer vulnerabilities: ". . . a single enterprise can spend thousands on firewalls, VPNs, antivirus and IDS systems, while the real network security culprits, "Common Vulnerabilities and Exposures" (CVEs), go largely undetected. CVEs are essentially holes in applications that can be attacked by hackers and cyber terrorists to steal information or bring down networks. CVEs are a real problem and according to the 2004 E-Crime Survey are the systemic cause of over 90 percent of all network security breaches."

The author advocates a number of steps to proactive network security including developing and employing a security policy, locking down mobile devices, turning on wireless encryption, using and patching routers, using firewalls, downloading and installing commercial-grade security tools, disabling potentially exploitable browser objects, constantly keeping up with the latest threats, and closing known vulnerabilities. The author states: "But preventing the attack with a vulnerability management system to eliminate CVEs is the most important component [of proactive network security]."

Regarding closing known vulnerabilities the author states: "Known weaknesses in systems are called Common Vulnerabilities and Exposures (CVEs), compiled and documented by the MITRE organization. These vulnerabilities should be eliminated from every system on your network by applying patches or taking other actions, as required. Technology is available to automatically detect and eliminate CVEs. More information is detailed at the cve.mitre.org Web site."

CVE Mentioned in PredatorWatch, Inc. Press Release

CVE was mentioned in a November 5, 2004 press release by PredatorWatch, Inc. about its Auditor 128 product entitled "PredatorWatch Launches World's Most Comprehensive Enterprise Security Management Appliance for Small- to Mid-Sized Networks." CVE is mentioned in the second paragraph of the release, which states: "A single business can spend hundreds or even thousands of dollars on countermeasures such as intrusion detection systems, firewalls and anti-virus software, while the real network security culprits are common vulnerabilities and exposures (CVEs). CVEs, anything that can be exploited on any computer, are the systemic cause of over 95% of all network security breaches."

CVE is also mentioned in a quote by a PredatorWatch customer, Stephen Irish, executive vice president, Enterprise Bank and Trust Company, who states: ". . . the company's technology helps ensure newly deployed servers are locked down and allows us to remain up-to-date on the latest vulnerabilities and exposures on the CVE List. The technology also detects and diagnoses potential security flaws that could cause our bank to be at risk and non-compliant with GLBA and FDIC requirements."

PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page, and its PredatorWatch Auditor 128 and Update Service, PredatorWatch Auditor 16 and Update Service, and PredatorWatch Auditor Enterprise and Update Service each recently received official "Certificates of CVE Compatibility" at MITRE's compatibility awards ceremony on November 8th at the CSI Computer Security Conference in Washington, D.C., USA.

November 23, 2004

MITRE Presents CVE Compatibility Certificates in Awards Ceremony at CSI Computer Security Conference

MITRE held an awards ceremony on Monday evening, November 8th, at the Computer Security Institute's (CSI) 31st Annual Computer Security Conference and Exhibition in Washington, D.C., USA, to present "Certificates of CVE Compatibility" to the 10 most recent organizations to achieve the final phase of MITRE's formal CVE Compatibility Process and whose 20 information security products or services are now officially "CVE-compatible." The awards were presented by Lawrence C. Hale, Deputy Director of the National Cyber Security Division, U.S. Computer Emergency Readiness Team (US-CERT) at the U.S. Department of Homeland Security.

Organizations participating in the ceremony included Citadel Security Software Inc.; eEye Digital Security; Internet Security Systems, Inc.; nCircle Network Security, Inc.; PredatorWatch, Inc.; SAINT Corporation; and Symantec Corporation. Organizations receiving certificates but unable to participate in the ceremony were DragonSoft Security Associates, Inc.; Trend Micro, Inc.; and Venus Information Technology, Inc.


MITRE's CVE Compatibility awards ceremony at the CSI Computer Conference. Front row left to right, Gary Miliefsky, PredatorWatch, Inc.; Doug Eames, PredatorWatch, Inc.; and Kent Landfield, Citadel Security Software Inc. Back row left to right, Pete Tasker, MITRE Corporation; Peter Allor, Internet Security Systems, Inc.; Lori Bauer, Internet Security Systems, Inc.; Lawrence C. Hale, US-CERT/DHS; Gene Skiba, eEye Digital Security, Inc.; Mike Murray, nCircle Network Security, Inc.; Dee Liebenstein, Symantec Corporation; and Sam Kline, SAINT Corporation.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services pages.

Citadel Security Software Inc. Issues Press Release Announcing Receipt of "Certificate of Compatibility for Full CVE Compliance"

CVE compatibility was the main topic of a November 9, 2004 press release by Citadel Security Software Inc. entitled "Citadel Security Software's Hercules Awarded Certificate of Compatibility for Full CVE Compliance." In the release Citadel announces that its ". . . [Automated Vulnerability Remediation] solution, Hercules, has been certified as fully compliant and compatible with the Common Vulnerabilities and Exposures (CVE) Initiative."

The release included a quote by Carl Banzhof, CTO of Citadel Security Software, who states: "Prior to this award ceremony, only 14 products or services from 10 organizations had achieved the final phase of MITRE's formal CVE Compatibility Process and become officially CVE-compatible. We are proud to be the first automated vulnerability remediation solution to meet the CVE compatibility requirements. By achieving full CVE compatibility for Hercules, our customers now have better vulnerability coverage, easier interoperability and enhanced security across the enterprise." The release also included a quote by Kent Landfield, a CVE Editorial Board member since 1999 and Security Group Director for Citadel, who states: "The CVE Initiative brings consistency and interoperability to the security and computing community. The CVE Compatibility Process is a formal evaluation of submitted information security products and services. The testing and certification process assures products meet the criteria set out by the CVE Initiative to prove they are CVE-compatible."


Lawrence C. Hale, US-CERT/DHS, and Kent Landfield, Security Group Director at Citadel Security Software Inc., at MITRE's compatibility awards ceremony at CSI Computer Conference.

Citadel Security Software Inc. and Hercules are listed on the CVE-Compatible Products and Services page.

DragonSoft Security Associates, Inc. Issues Press Release Announcing Recognition for CVE Compatibility

CVE compatibility was the main topic of a November 9, 2004 press release by DragonSoft Security Associates, Inc. entitled "ASIA Vulnerability Assessment Leader DragonSoft Awarded CVE-Compatibility Certificate." In the release DragonSoft announces that "DragonSoft is the first and only Taiwan security developer [to receive a Certificate of Official CVE Compatibility] among 125 security vendors in the world" and that receipt of the certificate is a major milestone for DragonSoft.

DragonSoft Security Associates, Inc. and DragonSoft Secure Scanner are listed on the CVE-Compatible Products and Services page.

eEye Digital Security Issues Press Release Announcing Receipt of Certificate of CVE Compatibility

CVE compatibility was the main topic of a November 9, 2004 press release by eEye Digital Security entitled "Vulnerability Management Leader eEye Digital Security Awarded CVE-Compatibility by MITRE Corporation." In the release eEye announces that "its industry-leading network security scanner Retina has been awarded compatibility with the Common Vulnerabilities and Exposures (CVE) . . ." The release also includes a quote by Firas Raouf, eEye's Chief Operating Officer, who states: "Retina's recognition as one of the first network security scanners to achieve CVE-compatibility demonstrates eEye's commitment to interoperability throughout the security industry. Our world-class research team has discovered more critical security vulnerabilities than any other, so we understand the compelling need for naming standards to effectively communicate these vulnerabilities to the security community."


Lawrence C. Hale, US-CERT/DHS, and Gene Skiba, Director of Federal Operations at eEye Digital Security, at MITRE's compatibility awards ceremony at CSI Computer Conference.

eEye Digital Security and Retina Network Security Scanner are listed on the CVE-Compatible Products and Services page.

nCircle Network Security, Inc. Issues Press Release Announcing Receipt of Certificate of CVE Compatibility

CVE compatibility was the main topic of a November 9, 2004 press release by nCircle Network Security, Inc. entitled "nCircle Recognized for Common Vulnerabilities Exposure Compatibility." In the release nCircle announces that it "has been formally recognized for Common Vulnerabilities Exposure (CVE) compatibility for its IP360 Vulnerability Management System." The release further states: "The award, presented to nCircle this week during the CSI Computer Security Conference in Washington, DC, recognizes security products that have incorporated MITRE Corporation's CVE names in its vulnerability search databases and other information security products and services."

The release also includes a quote by Tim Keanini, Chief Technical Officer at nCircle, who states: "nCircle actively supports standardization efforts in the security market, including the CVE's common lexicon for the vulnerability namespace. We are committed to ensuring nCircle's IP360 product continues to support CVE names, and provides customers with the best tools for vulnerability management."


Lawrence C. Hale, US-CERT/DHS, and Mike Murray, Director of Vulnerability and Exposure Research at nCircle Network Security, Inc. and Gene Skiba, Director of Federal Operations at eEye Digital Security, at MITRE's compatibility awards ceremony at CSI Computer Conference.

nCircle Network Security, Inc. and its IP360 Vulnerability Management System are listed on the CVE-Compatible Products and Services page.

SAINT Corporation Issues Press Release Announcing Receipt of "Certificate of CVE Compatibility" for SAINTbox and WebSAINT

CVE compatibility was the main topic of a November 9, 2004 press release by SAINT Corporation entitled "SAINTbox and WebSAINT Are Certified CVE-Compatible." In the release SAINT announces that "On Monday, November 8th, MITRE Corporation awarded their CVE (Common Vulnerabilities and Exposures) Certificate of Compatibility to two SAINT Corporation products: SAINTbox and WebSAINT. During an awards ceremony at the 31st Annual Computer Security Conference and Exhibition in Washington, D.C., SAINT Corporation was honored for their work in this effort and passing the final and most rigorous phase of the compatibility process."

Also included in the release is a quote by Sam Kline, SAINT's Chief Development Engineer, who states: "We are pleased to be adding SAINTbox and WebSAINT to our growing suite of CVE-compatible tools. The CVE naming standard fills an important need in today's security community, and maintaining accurate references in all of our products has always been and will remain a high priority for us."


Lawrence C. Hale, US-CERT/DHS, and Sam Kline, Chief Engineer of SAINT Corporation, at MITRE's compatibility awards ceremony at CSI Computer Conference.

SAINT Corporation and its SAINTbox and WebSAINT products are listed on the CVE-Compatible Products and Services page.

DragonSoft Security Associates, Inc. Makes CVE Compatibility Declaration

DragonSoft Security Associates, Inc. has declared that its DragonSoft Vulnerability Database is CVE-compatible. In addition, DragonSoft's DragonSoft Secure Scanner is also listed on the CVE-Compatible Products and Services page. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Three Example Procurement Documents Added to CVE Web Site

Three example procurement documents have been added to the CVE Documents page to assist government agencies and other organizations in including CVE in their requests for proposals, statements of work, and other procurement requirements, both for the purchase of software applications and for the acquisition of specific network and system assessment and remediation tools.

The following three example documents are available in Microsoft Word format:

  • CVE-Relevant Software Supplier Requirements (SWSupplier) - This document is an extract of the statement of objectives used by the Department of Defense to explain the security-relevant requirements they wanted met by software suppliers. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities in security notifications.
  • CVE-Relevant Vulnerability Assessment Tool Requirements (IAVMtool) - This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide vulnerability assessment and reporting tool. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities being reported.
  • CVE-Relevant Remediation Tool Requirements (IAremedtool) - This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide remediation tool. Several areas of security issues are addressed as well as the use of CVE names for choosing which vulnerabilities are remediated and reporting remediation status.

Please contact cve@mitre.org with any questions or for more information.

CVE Presents Briefing at New England Information Security Group Meeting

Robert A. Martin, CVE Compatibility Lead, presented a briefing about CVE and OVAL on November 18, 2004 entitled "Standards for Enabling Automation in Information Security" at the November Meeting of the New England Information Security Group in Boston, MA, USA. The presentation was successful and exposed CVE and OVAL to an audience of "individuals and organizations interested in securing their technical infrastructure." The group provides a venue to distribute information and educate the general membership on security products, techniques, and/or related issues.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

MITRE Hosts CVE/OVAL Booth at LISA 2004

MITRE hosted a CVE/OVAL exhibitor booth at LISA 2004, November 17-18, 2004, in Atlanta, Georgia, USA. The conference was successful and exposed CVE and OVAL to system and network administrators from industry, academia, and government.

Visit the CVE Calendar page for information about this and other upcoming events.

MITRE Hosts CVE/OVAL Booth at the CSI Computer Security Conference

MITRE hosted a CVE/OVAL exhibitor booth at the Computer Security Institute's (CSI) 31st Annual Computer Security Conference and Exhibition, November 8 - 10, 2004 in Washington, D.C., USA. The conference was successful and exposed CVE and OVAL to information security and network professionals from industry, academia, and government.

Visit the CVE Calendar page for information about this and other upcoming events.

November 8, 2004

20 Additional Information Security Products/Services Now Registered as Officially "CVE-Compatible"


Twenty information security products and services from ten organizations are the latest to achieve the final stage of MITRE's formal CVE Compatibility Process and are now officially "CVE-compatible." Each product is now eligible to use the CVE-Compatible Product/Service logo, and their completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaires are posted as part of their product listings on the CVE-Compatible Products and Services page on the CVE Web site. Fourteen products from 10 organizations were previously declared officially compatible in February.

The following products are now registered as officially "CVE-Compatible":

Citadel Security Software Inc. - Hercules
DragonSoft Security Associates, Inc. - DragonSoft Secure Scanner
eEye Digital Security - Retina Network Security Scanner
Internet Security Systems, Inc. - X-Force Database
- X-Force Alerts and Advisories
- Internet Scanner
- System Scanner
- RealSecure Network 10/100 and Network Gigabit
- RealSecure Server Sensor
- SiteProtector
nCircle Network Security, Inc. - IP360 Vulnerability Management System
PredatorWatch, Inc. - PredatorWatch Auditor 16 and Update Service
- PredatorWatch Auditor 128 and Update Service
- PredatorWatch Auditor Enterprise and Update Service
SAINT Corporation - SAINTbox
- WebSAINT
Trend Micro, Inc. - Trend Micro Vulnerability Assessment
Symantec Corporation - DeepSight Alert Services
- SecurityFocus Vulnerability Database
Venus Information Technology, Inc. - Cybervision Intrusion Detection System

Use of the official CVE-Compatible logo by these organizations will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaires will help end-users compare how different products satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

An awards ceremony was held tonight in the Vendor Track Presentation Theater at the Computer Security Institute's (CSI) 31st Annual Computer Security Conference and Exhibition, November 8, 2004, at the Marriott Wardman Park Hotel, in Washington, D.C., USA, to present Certificates of CVE Compatibility to the organizations that have achieved this final phase. Lawrence C. Hale, the Deputy Director of the National Cyber Security Division, U.S. Computer Emergency Readiness Team (US-CERT) at the Department of Homeland Security, presented the awards. Organizations participating in the ceremony included Citadel Security Software Inc.; eEye Digital Security; Internet Security Systems, Inc.; nCircle Network Security, Inc.; PredatorWatch, Inc.; SAINT Corporation; and Symantec Corporation.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services pages.

MITRE Hosts CVE/OVAL Booth at FIAC 2004

MITRE hosted a CVE/OVAL exhibitor booth at the Federal Information Assurance Conference (FIAC) 2004, October 26 - 27, 2004, at the University of Maryland University College in Adelphi, Maryland, USA. The conference was successful and exposed CVE and OVAL to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

Conference Photos of CVE Booth at the SANS Network Security 2004

MITRE hosted a CVE/OVAL exhibitor booth at SANS Network Security 2004, September 30 - October 1, 2004 in Las Vegas, Nevada, USA.

October 20, 2004

CVE Compatibility Milestone: 200 Products and Services Now Listed!

The CVE Initiative achieved a major milestone with 202 information security products and services now listed in the CVE-Compatible Products and Services section of the CVE Web site. These products have been declared CVE-compatible, or are in the process of being made compatible, by 125 organizations from industry, government, and academia around the world. Of these, 14 products/services from 10 organizations have achieved the final phase of MITRE's formal CVE Compatibility Process and are now officially CVE-compatible. These are indicated in the CVE-Compatible Products and Services section with the CVE-Compatible product/service logo.

"CVE-compatible" means that a product or service uses CVE names in a way that allows it to cross-link with other repositories that also use CVE names, as documented in the CVE compatibility requirements. Each item listed on the CVE Web site includes a link to the organization's homepage, the product or service name, type of product, link to the product homepage, and a notation of the specific point in the CVE Compatibility Process each product or service has reached. Many organizations have multiple products and services listed. For additional usability, they are also listed by product type, product name, organization, and country. Product types include vulnerability databases; security archives and advisories; vulnerability assessment and remediation; intrusion detection, management, monitoring, and response; incident management; data and event correlation; educational materials; and firewalls.

Visit the CVE-Compatible Products and Services page to review information about CVE compatibility, and on all 200 information security products and services.

PredatorWatch, Inc. Makes CVE Compatibility Declarations

PredatorWatch, Inc. has declared that its vulnerability assessment appliance and update service for small to medium enterprises, PredatorWatch Auditor 16 and Update Service; its vulnerability assessment appliance and update service for small mobile networks, PredatorWatch Auditor 128 and Update Service; and its vulnerability assessment appliance and update service for large networks, PredatorWatch Auditor Enterprise and Update Service; are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

ThreatGuard, Inc. Makes CVE Compatibility Declaration

ThreatGuard, Inc. has declared that its vulnerability management system, ThreatBox Network Security Appliance, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Backbone Security.com, Inc. Makes CVE Compatibility Declaration

Backbone Security.com, Inc. has declared that its network appliance and managed service, Ribcage 2100, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

October 13, 2004

5-Year Anniversary Q&A with CVE Co-Founder David Mann

Five years ago MITRE Senior Engineer David Mann co-founded CVE with current Editor of the CVE List Steve Christey. Mann left MITRE not long after the public launch of CVE to pursue other opportunities but has since returned, allowing for a unique insider/outsider view of the CVE Initiative.

From a vendor perspective, what's the value of CVE to the information security community?

Mann: At BindView, we really tried to focus on things that would provide a direct business value for our customers. In terms of information security solutions, the business needs that our customers mentioned most often were to decrease their operational costs, manage their IT environment at an acceptable level of risk, and meet their regulatory obligations. CVE clearly delivered on the first of these goals by allowing users to more quickly correlate vulnerability information. By enabling automated data correlation and better clarity for emerging threat information, CVE also enables organizations to do a better job of managing risk. Moving forward, I believe it will be important to clarify how CVE helps with regulatory compliance—for example, FISMA, DISTCAP, HIPAA—which should be easier as CVE grows to cover configuration errors.

What's the biggest difference from what you first imagined for CVE to what it is today?

Mann: By far it is the difficulty in defining what a vulnerability actually is. While CVE identifiers have immediate value for end users, I think one of the big achievements of the effort has been Steve Christey's "Content Decisions", which try to define how to count issues. Perhaps a good analogy is the development of the Dewey Decimal system for organizing and cataloging books. Actually, I think the vulnerability cataloging problem is even harder than dealing with books.

What are your thoughts on the success of CVE within the community, for instance with the number of CVE-compatible products, number of organizations including CVE names in their advisories, and so on?

Mann: It's gratifying, humbling and, at times, frustrating. A mentor once advised me to look for problems, not solutions. CVE was definitely born out of operational pains that Steve and I and others were trying to solve for MITRE's Security Committee. So, when I see CVE numbers in advisories or see the growing list of compatible products, it confirms to me that the problems we were wrestling with were shared by others in the security community. We were just fortunate enough to state the problem in the right forum and context. The idea of assigning unique identifiers quickly took on a life of its own.

The frustrating aspect of this is that the continued growth of CVE is also an indication that the vulnerability management problem is still with us and arguably, continuing to get more complicated and difficult to manage.

Biggest surprise for you from CVE?

Mann: I get surprised every time I see a CVE identifier in print. I still remember a hallway conversation with Jim Williams, who was one of the senior people in my department (and who has since retired) [at MITRE]. I was describing some of the problems that we were running into in our vulnerability management efforts. More accurately, I was ranting and raving about "how things should be" in a more perfect world. Jim told me about a conference that was coming up and encouraged us to write up a paper and to submit it. I mean, he really, really encouraged us.

Now when I see CVE identifiers, I always think of Jim and am reminded of the impact that a mentor can have. It's quite a leap from a hallway rant session to a commonly used standard. Jim easily could have nodded politely and changed the subject. Instead, he invested a bit of time, energy and encouragement and it had very surprising results.

What are your thoughts on the future of CVE?

Mann: The discipline of vulnerability management has been evolving in the past four years and so I think CVE will need to evolve with it. Most obviously, traditional network-based vulnerability assessment has largely been replaced with hybrid solutions that require credentials on the end system being tested. This move goes hand-in-hand with a greater emphasis on configuration settings (called "exposures" in CVE-speak), which require credentialed-based solutions. At the same time, the whole patch management market has emerged, again using credentialed mechanisms with a more narrow focus. Vulnerability management has thus grown to include all three of these: vulnerabilities (software flaws), patches, and configuration management. For CVE to continue its relevance in this larger vulnerability management context, it must grow to include all three. It's a challenging problem. From a business point of view, I should add that regulatory compliance will continue to refocus vulnerability management efforts more on configuration and patch issues.

Another area of potential growth is the issue of directories. Increasingly, the conceptual objects that security managers need to lock-down aren't defined by the OS. Instead, they are defined by the directory, or worse, by some overlap between the OS and the directory. For example, the concept of "effective rights" tries to define what rights a user has based both on the setting in the OS and on the setting in the domain. This will force CVE to consider the question of moving from OS level vulnerabilities and exposures and to include directory level vulnerabilities. Again, regulatory compliance is going to be a driver in this regard, as it demands that organizations account for what their users can and can't do.

CVE Names Included in Consensus List of "Top Twenty" Internet Security Threats

The recently updated Twenty Most Critical Internet Security Vulnerabilities, a SANS/FBI consensus list of the most critical problem areas in Internet security, was released on October 8, 2004. The list includes CVE names with both entry and candidate status to uniquely identify the vulnerabilities it describes. This will help system administrators use CVE-compatible products and services to help make their networks more secure.

In addition, the introduction page includes a note that describes what CVE is, provides a link to the CVE Web site, and states: "The CVE and CAN numbers reflect the top priority vulnerabilities that should be checked for each item [on the consensus list]."

SANS is a member of the CVE Editorial Board and its education and training materials are listed on the CVE-Compatible Products and Services page.

NetMon2, LLC Makes CVE Compatibility Declaration

NetMon2, LLC has declared that its security information management/security event monitoring (SIM/SEM) product, NetMonSecure, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Senior Advisory Council Holds Meeting

The CVE Senior Advisory Council held a meeting on Wednesday, October 6, 2004. The discussion focused on the two major operational parts of security management, achieving and maintaining secure systems and responding to attacks on our systems, and on how the CVE and OVAL initiatives have enabled change in each of these processes. The DISA/STRATCOM IA Vulnerability Alert Management (IAVM) Strategy and Contracts were discussed, as well as the new consolidated Air Force Microsoft Contract. The requirement for CVE and OVAL is present in each of these contract activities. The current status of the NSA XCCDF (Extensible Configuration Checklist Description Format) effort and the use of OVAL as an external checking method for XCCDF were discussed, as well as the integration of OVAL and XCCDF into the CISecurity Tools. Finally, the new DHS/NCSD Common Malware Enumeration (CME) was presented.

The meeting also included status updates on the CVE Initiative, including the recent release of a new version of CVE and upcoming compatible product certificate awards; status updates on the OVAL effort, including a discussion of the working group to discuss modifications to the System Characteristics Schema and OVAL Results Schema.

MITRE established the advisory council to help guide CVE and OVAL and to ensure the initiatives receive appropriate funding, and to help us all understand potential relationships with other ongoing activities, share information, and promote synergy across the security community. The advisory council is composed of senior executives from offices across the U.S. federal government who are responsible for information assurance on government networks and systems. You may also view a list of the advisory council members or read a copy of the council charter.

MITRE to Host CVE/OVAL Booth at CSI's 31st Annual Computer Security Conference and Exhibition

MITRE is scheduled to host a CVE/OVAL exhibitor booth at the Computer Security Institute's (CSI) 31st Annual Computer Security Conference and Exhibition, November 8 - 10, 2004, at the Marriott Wardman Park Hotel, in Washington, D.C., USA. The conference will expose CVE and OVAL to information security and network professionals from industry, academia, and government. In addition, organizations with CVE-Compatible Products and Services will also be exhibiting.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

MITRE Hosts CVE/OVAL Booth at SANS Network Security 2004

MITRE hosted a CVE/OVAL exhibitor booth at SANS Network Security 2004, September 30 - October 1, 2004, at the Riviera Hotel in Las Vegas, Nevada, USA. The conference was successful and exposed CVE and OVAL to a diverse audience of network professionals and information security specialists from industry, academia, and government.

Visit the CVE Calendar page for information about this and other upcoming events.

October 4, 2004

Industry Luminaries Discuss 5 Years of CVE

An important aspect of CVE from the outset was cyber security community participation and endorsement. Below are some comments from industry luminaries regarding the value of CVE to the community and the part it has played within the industry these last five years.

"CVE has met and exceeded our expectations. I think it demonstrated its greatest value when it helped foster community-wide consensus on the SANS Top 20 Internet Security Threats."

- Allan Paller, Director of Research, The SANS Institute

"The CVE standard has been, and continues to be, crucial to the effective protection of every organization's critical digital assets. As a founding member of the CVE Editorial Board in 1999 and one of the first organizations to make a declaration of CVE compatibility, ISS congratulates CVE on its five-year anniversary and wishes the initiative ongoing success."

- Peter Allor, Director X-Force Intelligence, Internet Security Systems, Inc.

"The CVE naming standard is an important information security initiative providing a common reference for the entire vulnerability lifecycle including discovery, identification, and remediation of vulnerabilities. As a leading provider of vulnerability management solutions, Qualys has strongly supported CVE since its inception and applauds the MITRE leadership for this critical effort and its value to the security industry as well as our customers."

- Gerhard Eschelbeck, CTO & VP Engineering, Qualys, Inc.

"CVE benefits the community because it provides accurate information on which they can base their security decisions. That is why Red Hat is using the CVE standard in our official 'security roadmap' for Red Hat Enterprise Linux, and why we have so fully endorsed the initiative by joining the CVE Editorial Board and by making compatibility declarations for our Apache Vulnerability Database and Red Hat Security Advisories. Our security advisories were also recently recognized as one of the first products to be certified officially CVE-compatible. At Red Hat our underlying goal is to advance industry security standards and simplify security for our customers, which is why we will continue to contribute to the CVE group's valuable efforts and congratulate them on their current milestone."

- Mark Cox, Senior Director of Engineering, Red Hat, Inc.

"CVE has enhanced security industry-wide by improving the inter-operability of security products for customers with its common names. Tenable recognizes the importance and value of such standards for end users, which is why three of our products along with Nessus Scanner have CVE compatibility declarations. We believe the continued success of CVE will only be beneficial for our customers."

- Ron Gula, President and CTO, Tenable Network Security, Inc.

In an October 1999 article in Network World magazine about the launch of CVE, Steve Northcutt of SANS said: "... when CVE hits the point of 1,000 entries, it will be a powerful tool." At the five-year mark there are now 7,268 names posted on the CVE site.

"CVE is the standard for identifying vulnerabilities and exposures. With over 7,200 names, nothing else is close. Most of the major tools in the vulnerability space support CVE. The CVE List is a trusted tool for network administrators and security professionals worldwide."

- Steve Northcutt, Director of Training and Certification, The SANS Institute

Grupo S21sec Gestión S.A. Makes CVE Compatibility Declaration

Grupo S21sec Gestión S.A. has declared that its vulnerability notification service and database, Vulnera, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

MITRE to Host CVE/OVAL Booth at FIAC 2004

MITRE is scheduled to host a CVE/OVAL exhibitor booth at Federal Information Assurance Conference (FIAC) 2004, October 26 - 27, 2004, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose CVE and OVAL to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. In addition, organizations with CVE-Compatible Products and Services will also be exhibiting.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

September 22, 2004

5-Year Anniversary Q&A with CVE Co-Founder Steve Christey

Five years ago Senior MITRE Information Security Engineer Steve Christey recognized the need for common, standardized vulnerability names and went on to co-found CVE. He now functions as CVE Technical Lead and is Editor of the CVE List.

What's the biggest difference from what you first imagined for CVE to what it is today?

Christey: The first thing that comes to mind is the scale and scope of the effort. In the very beginning, [CVE co-founder] Dave Mann and I just wanted to make it easier to link some tools and advisories together to help with internal MITRE security operations. We were thinking about a couple hundred vulnerabilities from a couple data sources. Now, there are a couple hundred new issues announced PER MONTH, plus we've seen the growth of vulnerability databases, information services, and correlation tools, which barely existed 5 years ago, if at all. And the speed of information exchange is much faster, too. In hindsight, we were actually kind of provincial in our original view, but then again, we couldn't predict the future. We didn't anticipate that CVE would become a global resource that would apply across a wider variety of tools and information sources. It constantly keeps us on our toes.

What achievement on the project are you most proud of?

Christey: This answer might seem trite, but it's the truth. It's gratifying to know that CVE has helped make many people's jobs easier and, directly or indirectly, help improve the state of information security. This has been demonstrated in many ways over the years. A recent example that comes to mind is the award ceremony for CVE compatible products that we held at the RSA Conference in February 2004. All of the vendors made statements about how CVE had helped them and their customers. Talking with them face-to-face and hearing what they had to say somehow made CVE more "real," which I sometimes forget when I'm just clacking away on the keyboard in my office. Any time people tell us how CVE has helped them is rewarding.

It's also very nice to see large-scale comparisons and trend analyses taking place. These were too resource-intensive to conduct before CVE. This benefit was part of our original vision, but it's only become a reality in the last year or two.

Personally, I'm also proud of being able to share my experiences and knowledge with others in the industry. And I'm proud of the team effort that's gone into CVE, from the contributing individuals in MITRE, to the CVE Editorial Board, to our sponsors over the years, and to all the other community members who've supported it in myriad ways, big and small. CVE is a community-based initiative, and it shows.

Biggest surprise for you working on CVE?

Christey: There have been a few surprises along the way, such as when we started to receive inquiries about CVE compatibility from the marketing directors for security tool vendors. That told us that it wasn't just the technical people who were starting to take CVE seriously. Another surprise occurred when some Linux vendors told me how using CVE had helped them to coordinate bug fixes even before they became public! There are many other surprises, but the biggest one is probably how much CVE has grown and how much it's being used, even in non-English speaking countries.

Surprise, however, is the norm for CVE. We are surprised on a regular basis, and that's a big part of what keeps things interesting, even after 5 years.

Your most difficult challenge working on the project?

Christey: Being all things to all people. As previously mentioned, the scope of CVE is much wider than we had originally anticipated. There are certain sub-communities whose needs could be met by extending CVE in certain ways. We are sensitive to those needs and are doing what we can to address them.

Technically speaking, I think that properly documenting CVE's content decisions—and applying them appropriately—is a significant challenge as well. Vulnerability information is highly volatile, and the quality and quantity of information varies widely and changes over time. This makes it very difficult to be consistent within CVE (and any vulnerability repository faces these challenges, too). CVE's content decisions help to mitigate these problems, but they are more of a "state of mind" than a pre-canned set of rules. Clearly specified content decisions are my personal albatross.

What's in the future for CVE?

Christey: In the next year, the effort with the widest community impact will involve a single, one-time-only change to the CVE numbering scheme, which will begin sometime in 2005. There are a few reasons for this, but the biggest reason is the fact that the "CAN-yyyy-nnnn" identifier eventually gets changed to a "CVE-yyyy-nnnn" identifier, and this makes for a lot of maintenance headaches and confusion. We are very aware that we can't make this change lightly, and we can only do it once, so we want to do it right and minimize the amount of work required for this one-time change. We're still working on the details, but we expect to announce the specifics soon, and we will be sure to give vendors and consumers plenty of warning before the change takes place.

I previously mentioned certain sub-communities that could be better served by CVE. In the future, we expect to extend CVE (or at least the concept of it) to handle system configuration issues and intrusion detection "events." These are obviously security-relevant, but they don't necessarily fit the concept of "vulnerability" and they don't necessarily translate well into a flat namespace like we've been able to use for vulnerabilities. MITRE's OVAL project is already working in the area of system configuration, but we'd like to have CVE names assigned for the most common issues.

We are also continually working to improve CVE's timeliness and comprehensiveness. Technical CVE users no doubt have noticed our improvements in the past 6 months, but we're going to be even better. Of course, the number of vulnerabilities on the list continues to grow each week, and adding them while maintaining the veracity of what's included in a CVE name is significant work. Soon enough we'll be at 8,000, and it'll keep growing from there.

What else is in the future for CVE? Well, we'll have to wait and see. If there's one thing I've learned on this project, it's to expect the unexpected.

CVE Main Topic of PatchAdvisor, Inc. News Release

CVE was the main topic of a news release by PatchAdvisor, Inc., entitled "PatchAdvisor, Inc. Announces MITRE-CVE Compatibility." The release states: "[PatchAdvisor] has announced that its products are now compatible with MITRE Corporation’s Common Vulnerabilities and Exposures ("CVE") dictionary. CVE names are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories. Each CVE name includes the following: the CVE identifier number (i.e., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability or exposure; and any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID). "We are very enthusiastic about our inclusion in the CVE compatibility program" says Jeff Fay, PatchAdvisor's CEO. "The ability to standardize the intelligence that we map to our customers’ assets is a crucial element in defining PatchAdvisor's role in the vulnerability and patch management market space."

The release also stated: "Visit the CVE-Compatible Products and Services page, http://cve.mitre.org/, to find out about the [196] products that use CVE names, or see Organizations with CVE Names in Advisories for a list of the [57] organizations to-date that are including or have included CVE names in their advisories."

PatchAdvisor is listed on the CVE-Compatible Products and Services page.

September 13, 2004

CVE Celebrates 5 Years!

CVE began five years ago this month with 321 entries and 19 information security community organizations participating on an Editorial Board. Since then, CVE has truly become an industry standard. The CVE List has grown to 7,191 total names and the CVE Editorial Board to 35 organizations and 49 members. In addition, more than 120 organizations have made declarations of CVE compatibility for nearly 200 products and services, and 57 organizations are including CVE names in their security advisories.

CVE names are also used on the FBI/SANS Top Twenty List of the Most Critical Internet Security Vulnerabilities list, and on similar threat lists by the Open Web Application Security Project; Internet Security Systems, Inc.; Qualys Inc.; and Sintelli Limited. In 2002, the USA National Institute of Standards and Technology (NIST) released two documents recommending the use of CVE by U.S. agencies: "NIST Special Publication (SP) 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" and "NIST Special Publication 800-40, Procedures for Handling Security Patches" in which CVE is mentioned throughout. In June 2004, the U.S. Defense Information Systems Agency (DISA) issued a task order for information assurance applications that requires the use of products that use CVE names.

Growth of the CVE List
CVE was initially intended as a source of mature information, but the immediate success of CVE names in the community required that the initiative quickly expand to address new security issues that were now appearing almost daily. CVE therefore introduced "candidates," which are CVE names with candidate status. In five short years the CVE List has grown significantly, with approximately 100 new candidates added each month. There are now 7,191 total CVE names on the still growing list, of which 3,052 have official entry status and 4,139 have candidate status.

Growth of CVE-Compatible Products
The information security community endorsed the importance of "CVE-Compatible Products and Services" from the moment CVE was launched in 1999. As early as December 2000 there were 29 organizations participating with declarations of compatibility for 43 products. Today, there are 122 organizations and 196 products and services listed on the CVE site. A major milestone for compatibility was the formalization of the CVE Compatibility Process in 2003, ultimately leading to the presentation of "Certificates of CVE Compatibility" in February 2004 to the 10 organizations that achieved official compatibility status for 14 products or services. More than a dozen new products will be certified this fall. CVE names are also included in security advisories from 57 organizations including major OS vendors and others, ensuring that the international community benefits by having CVE names as soon as the problem is announced. And the list of products and advisories continues to grow, with new updates announced regularly on the CVE News and Events page.

CVE has also been used as the basis for entirely new services. NIST's ICAT Metabase, which is a searchable index of vulnerabilities with links to patch information, is built on CVE names. CVE Change Logs is a tool created by CERIAS/Purdue University that monitors additions and changes to the CVE List and allows you to obtain daily or monthly reports. MITRE's Open Vulnerability Assessment Language (OVAL) is the common language for security experts to discuss the technical details of how to identify the presence of vulnerabilities on computer systems using XML definitions that are each based on a CVE name.

Our Anniversary Celebration
It is your participation and endorsement that have transformed CVE into the community standard for vulnerability names. We thank all of you who have in any way used CVE names in your products or research, promoted the use of CVE, and/or adopted CVE-compatible products or services for your enterprise. We would also like to thank our sponsors throughout these five years, particularly our current sponsor US-CERT at the U.S. Department of Homeland Security, for their past and current funding and support.

Please join us as our 5-year anniversary celebration continues throughout the month with special news articles on the CVE Web site and culminates with a CVE booth September 29 - October 30 at SANS Network Security 2004, followed by booths at other industry events throughout the fall. We welcome any comments or feedback about CVE at cve@mitre.org.

MITRE to Host CVE/OVAL Booth at SANS Network Security 2004

MITRE is scheduled to host a CVE/OVAL exhibitor booth at SANS Network Security 2004, September 30 - October 1, 2004, at the Riviera Hotel in Las Vegas, Nevada, USA. The conference will expose CVE and OVAL to a diverse audience of network professionals and information security specialists from industry, academia, and government. In addition, organizations with CVE-Compatible Products and Services will also be exhibiting.

Visit the CVE Calendar page for information about this and other upcoming events. Contact cve@mitre.org to have CVE present a briefing or participate in a panel discussion about CVE, OVAL, and/or other vulnerability management topics at your event.

CVE Main Topic of Article in Spanish-Language Security Information and Communications Magazine

CVE was the main topic of an article entitled "CVE and Its Impact on the Management of Vulnerabilities" in the September 2004 issue of Security Information and Communications (SIC) magazine. Written by CVE Compatibility Lead Robert A. Martin, the article describes what CVE is and isn't and explains how vulnerability management can be enhanced using the CVE naming scheme and the adoption of CVE-compatible products and services.

September 1, 2004

New CVE Version Released, Now in XML Format

CVE Version 20040901 has just been released. CVE names are listed with entry or candidate status. 480 new entries have been added, for a total of 3,052 names with official entry status now available. In addition, 4,139 names with candidate status are pending approval by the CVE Editorial Board. This means there are now 7,191 unique information security issues with publicly known names available on the CVE Web site. A report is available to identify the differences between this version and the previous version, 20030402.

CVE names are unique, common identifiers for publicly known information security vulnerabilities. Each CVE name includes the following: the CVE identifier number (e.g., "CVE-1999-0067"); an indication of "entry" or "candidate" status; a brief description of the security vulnerability or exposure; and any pertinent references (e.g., vulnerability reports and advisories or an OVAL-ID). CVE names are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE names.

In addition, CVE names are now available in Extensible Markup Language (XML) format. You may download the CVE Entries, CVE Candidates, or All CVE names (entries and candidates) in XML. Support for HTML, text, or comma-separated formats will also continue. CVE is publicly available and free to use. Use Get CVE to view, search, or download CVE.
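The four-part CVE name described above, and the cross-linking that CVE compatibility is meant to enable, can be modelled in a few lines. The following is an added example, not code from the CVE site: it canonicalises "CAN-yyyy-nnnn" and "CVE-yyyy-nnnn" identifiers to one key so that advisories from different repositories correlate regardless of whether a name was still a candidate when the advisory was written, and it flags names that a local copy of the CVE List does not yet contain (a sign the copy is stale). The record fields, the sample list entries and the sample advisory bodies are constructed placeholders.

```python
"""Canonicalise CVE/CAN names and cross-link advisories by them (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Identifier grammar: a CAN- or CVE- prefix, a four-digit year, and a sequence
# number of four or more digits (four was the rule in 2004; allowing more keeps
# later, longer sequence numbers parseable).
_NAME_RE = re.compile(r"^(?P<prefix>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4,})$")
_NAME_IN_TEXT_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b", re.IGNORECASE)


@dataclass
class CveName:
    """The four parts of a CVE name as the CVE site describes them."""
    identifier: str                         # e.g. "CVE-1999-0067"
    status: str                             # "entry" or "candidate"
    description: str
    references: list[str] = field(default_factory=list)


def parse_name(raw: str) -> tuple[str, str]:
    """Return (canonical_key, status) for one identifier.

    The key drops the prefix, so CAN-2004-0079 and CVE-2004-0079 both become
    "2004-0079"; the status is inferred from the prefix.  Raises ValueError for
    anything that is not a well-formed CVE/CAN name.
    """
    match = _NAME_RE.match(raw.strip().upper())
    if match is None:
        raise ValueError(f"not a CVE/CAN name: {raw!r}")
    status = "entry" if match.group("prefix") == "CVE" else "candidate"
    return f"{match.group('year')}-{match.group('seq')}", status


def extract_names(text: str) -> set[str]:
    """Find every CVE/CAN name in free text (an advisory) and canonicalise it."""
    return {parse_name(found)[0] for found in _NAME_IN_TEXT_RE.findall(text)}


def cross_link(cve_list: list[CveName], advisories: dict[str, str]) -> dict[str, list[str]]:
    """Map each canonical key to the advisory ids that mention that issue.

    Keys for list records are created up front so that issues nobody has
    written an advisory about still appear (with an empty list).
    """
    index: dict[str, list[str]] = {parse_name(rec.identifier)[0]: [] for rec in cve_list}
    for adv_id, body in advisories.items():
        for key in extract_names(body):
            index.setdefault(key, []).append(adv_id)
    return index


def missing_from_list(cve_list: list[CveName], index: dict[str, list[str]]) -> set[str]:
    """Names referenced by advisories but absent from the local CVE List copy."""
    listed = {parse_name(rec.identifier)[0] for rec in cve_list}
    return set(index) - listed


# Constructed sample data (descriptions and references are placeholders, not
# real CVE content).  The advisory bodies cite the same issue under both the
# candidate (CAN-) and entry (CVE-) prefixes.
SAMPLE_LIST = [
    CveName("CVE-1999-0067", "entry", "placeholder description", ["placeholder reference"]),
    CveName("CAN-2004-0079", "candidate", "placeholder description", ["placeholder reference"]),
]
SAMPLE_ADVISORIES = {
    "vendor-A-advisory": "Fixed in this release: CAN-2004-0079 and CAN-2004-0112.",
    "vendor-B-advisory": "Addresses CVE-2004-0079 (see also CVE-1999-0067).",
}

if __name__ == "__main__":
    links = cross_link(SAMPLE_LIST, SAMPLE_ADVISORIES)
    for key, advs in sorted(links.items()):
        print(f"{key}: {advs}")
    print("not in local list:", sorted(missing_from_list(SAMPLE_LIST, links)))
```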

Computec.ch Makes CVE Compatibility Declaration

Computec.ch has declared that its vulnerability assessment tool, Attack Tool Kit (ATK), is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

August 26, 2004

Eight Organizations Reference CVE Names in Security Advisories

The following eight organizations recently referenced CVE names with entry or candidate (CAN) status in their security advisories: Hong Kong CERT, Indian CERT, French CERT, Poland CERT, Slovenian CERT, OpenSSL, Pine Digital Security, and Netherlands CERT.

Hong Kong CERT (HKCERT) issued a security advisory on August 18, 2004 that identified CAN-2004-0629. Other advisories also include CVE names.

Indian CERT (CERT-IN) issued a security advisory on August 11, 2004 that identified CAN-2004-0203. Other advisories also include CVE names.

French CERT (CERTA) issued a security advisory on August 5, 2004 that identified CAN-2004-0368. Other advisories also include CVE names.

Poland CERT (CERT Polska) issued a security advisory on August 5, 2004 that identified CAN-2004-0415. Other advisories also include CVE names.

Slovenian CERT (SI-CERT) issued a security advisory in August 2004 that identified CAN-2004-0549. Other advisories also include CVE names.

OpenSSL issued a security advisory on March 17, 2004 that identified CAN-2004-0079 and CAN-2004-0112. Other advisories also include CVE names.

Pine Digital Security issued a security update on February 4, 2004 that identified CAN-2004-0114.

Netherlands CERT (SURFnet-CERT) issued a security advisory on February 2, 2004 that identified CAN-2003-01025, CAN-2003-01026, and CAN-2003-01027. Other advisories also include CVE names.

See Organizations with CVE Names in Vulnerability Advisories for a complete list of organizations that are including or have included CVE names with entry or candidate status in their security advisories.

August 5, 2004

CVE Included in Article about Early Warnings for CIRTs in Network World Security Newsletter

CVE was mentioned in an article entitled "CIRT management: Rapid alerts" in the July 15, 2004 issue of Network World Fusion's Network World Security Newsletter. The main topic of the article is what the author calls the "three important aspects of early warnings" in Computer Incident Response Team (CIRT) management: "notification of vulnerabilities, notification of threats and notification of incidents."

CVE is included in the "Vulnerabilities" section of the article, in which the author states: "Finally, regular readers will recall that the Common Vulnerabilities and Exposures (CVE) dictionary (http://cve.mitre.org/) is a superb compendium of standardized names for vulnerabilities and exposures. MITRE writes, 'CVE aspires to describe and name all publicly known facts about computer systems that could allow somebody to violate a reasonable security policy for that system.' http://cve.mitre.org/about/terminology.html."

The author further states: "MITRE also uses the term 'exposure' and defines it as 'security-related facts that may not be considered to be vulnerabilities by everyone.' You can download the CVE in various formats or you can use the ICAT Metabase (http://icat.nist.gov/icat.cfm) to search the CVE for various subsets of vulnerabilities (e.g., by product, version, type, and so on). At the time of this writing (late June) there were 6,663 vulnerabilities in the CVE. As a side note, of these, 1,383 involved buffer overflows (about one-fifth)."

National Institute of Standards and Technology's (NIST) ICAT database is listed on the CVE-Compatible Products and Services page, and NIST is a member of the CVE Editorial Board.

Application Security, Inc. Makes CVE Compatibility Declaration

Application Security, Inc. has declared that its vulnerability assessment tool, AppDetective for Oracle Application Server, is CVE-compatible. In addition, eight other Application Security products are listed on the CVE-Compatible Products and Services page. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

PatchAdvisor, Inc. Makes CVE Compatibility Declaration

PatchAdvisor, Inc. has declared that its patch management tool, PatchAdvisor Enterprise, will be CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

Two Organizations Reference CVE Names in Security Advisories

Two organizations recently referenced CVE names with entry or candidate (CAN) status in their security advisories: NoMachine and FedoraNEWS.ORG.

NoMachine issued a security advisory on March 22, 2004 that identified CAN-2004-0112. Other NoMachine advisories also include CVE names.

FedoraNEWS.ORG issued a security update on March 3, 2004 that identified CAN-2003-0989, CAN-2004-0057, and CAN-2004-0055. Other FedoraNEWS.ORG updates also include CVE names.

See Organizations with CVE Names in Vulnerability Advisories for a complete list of organizations that are including or have included CVE names with entry or candidate status in their security advisories.

CVE Mentioned in Article about Software Vulnerabilities in Australian Financial Review

CVE was mentioned in an article entitled "Putting a name to evil and its Trojan offspring" in the July 27, 2004 issue of Australian Financial Review. The author states: "CVE serves a number of purposes. The mission statement is to catalogue information technology security risks, allotting a unique identifier to each one. A few years back, the same virus, or Trojan, was often identified by half a dozen different names, depending on which security Web site you visited. Under the CVE regime, each unique species has a registration number. It makes it a lot easier for network administrators to see whether there are 10 threats out there, or 10 variants of a threat, or a single threat with 10 names."

In the article, the author calls CVE a standard and describes what it is; mentions the number of CVE names, including those with entry and those with candidate status; notes that CVE is funded by the U.S. Department of Homeland Security; and provides a link to the CVE Web site.

The article is available for purchase on the Australian Financial Review Web site.

CVE Mentioned in Article about Vulnerabilities on Techworld Web Site

CVE was mentioned in a June 24, 2004 article entitled "Mac OS X security myth exposed — And thousands of other products and OSes given security rundown" on Techworld, the "UK's infrastructure and network knowledge center." CVE is mentioned in a paragraph about three efforts to list known vulnerabilities: "[Secunia Security Advisories database] allows enterprises to gather exact information on specific products, by collating advisories from a large number of third-party security firms. [Other organizations include] the Open Source Vulnerability Database (OSVDB) and the Common Vulnerabilities and Exposures (CVE) [List], which provides common names for publicly known vulnerabilities."

Both the Open Source Vulnerability Database and the Secunia Security Advisories database are listed on the CVE-Compatible Products and Services page.

CVE Names Included in Article on Mac News Network

CVE names were included in a June 7, 2004 article entitled "Apple fixes URI exploits with security update" on the Mac News Network. The article referenced CAN-2004-0538 and CAN-2004-0539, and included links to the pages for these two CVE names on the CVE Web site.

July 15, 2004

7,000+ CVE Names Now Available on the CVE Web Site!

The CVE Web site now contains 7,040 unique information security issues with publicly known names. Of these, 2,572 have CVE entry status and 4,468 have candidate status pending approval by the CVE Editorial Board. CVE names are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE names.

CVE names are unique, common identifiers for publicly known information security vulnerabilities. Each CVE name includes the following: the CVE identifier number (e.g., "CVE-1999-0067"); an indication of "entry" or "candidate" status; a brief description of the security vulnerability or exposure; and any pertinent references (e.g., vulnerability reports and advisories, or an OVAL-ID).

Visit the CVE-Compatible Products and Services page to find out about the 193 products that use CVE names, or see Organizations with CVE Names in Advisories for a list of the 47 organizations to-date that are including or have included CVE names in their advisories.
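The record structure described above (identifier, entry or candidate status, description, references) is what advisories and repositories cross-link on. As an added example, not code from the CVE Web site or from MITRE, the following Python script extracts CVE names from advisory text, validates their syntax, and indexes advisories by issue so that a candidate (CAN-YYYY-NNNN) and the entry it becomes on acceptance (CVE-YYYY-NNNN, same year and sequence number) land under one key. The advisory snippets are constructed for the demo, and the acceptance of sequence numbers longer than four digits reflects the current CVE syntax rather than anything stated on this page.

```python
import re
from collections import defaultdict

# CVE name syntax as used in 2004: CVE-YYYY-NNNN for an entry, CAN-YYYY-NNNN
# for a candidate. The sequence field was four digits then; the current syntax
# allows four or more, so the pattern accepts that as well (assumption noted
# in the lead-in). Word boundaries keep "XCVE-2004-0001" from matching.
CVE_NAME_RE = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b")


def parse_cve_name(name):
    """Split a CVE name into (status, year, sequence); raise ValueError if malformed."""
    m = CVE_NAME_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"not a CVE name: {name!r}")
    prefix, year, seq = m.groups()
    status = "entry" if prefix == "CVE" else "candidate"
    return status, int(year), int(seq)


def canonical_key(name):
    """Key shared by a candidate and its accepted entry, e.g. CAN-2004-0079 and
    CVE-2004-0079 both map to "2004-0079". The sequence is compared numerically,
    so a stray leading zero does not split one issue into two keys."""
    _, year, seq = parse_cve_name(name)
    return f"{year}-{seq:04d}"


def extract_cve_names(text):
    """Distinct CVE names mentioned in an advisory, in order of first appearance."""
    seen, found = set(), []
    for m in CVE_NAME_RE.finditer(text):
        name = m.group(0)
        if name not in seen:
            seen.add(name)
            found.append(name)
    return found


def cross_link(advisories):
    """Index advisories by issue: canonical key -> list of (source, name as written)."""
    index = defaultdict(list)
    for source, text in advisories.items():
        for name in extract_cve_names(text):
            index[canonical_key(name)].append((source, name))
    return dict(index)


# Constructed sample advisory snippets for the demo; not real advisory text.
SAMPLE_ADVISORIES = {
    "OpenSSL": "This release fixes two issues: CAN-2004-0079 and CAN-2004-0112. "
               "Users affected by CAN-2004-0079 should upgrade.",
    "NoMachine": "The bundled OpenSSL has been updated to address CAN-2004-0112.",
    "Later bulletin": "Rebuilt against a fixed OpenSSL to resolve CVE-2004-0112.",
}


if __name__ == "__main__":
    for key, mentions in sorted(cross_link(SAMPLE_ADVISORIES).items()):
        sources = ", ".join(f"{src} ({name})" for src, name in mentions)
        print(f"{key}: {sources}")
```

Running the script lists each issue once, with every advisory that referenced it under either its candidate or entry name, which is the cross-linking that CVE compatibility is meant to enable.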

Clear North Technologies Makes CVE Compatibility Declaration

Clear North Technologies has declared that its vulnerability assessment service, Penetration Study, is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services page.

CVE Main Topic of Article in Security Horizon Magazine

CVE was the main topic of an article entitled "A CVE-Based Security Management Model" in the Summer 2004 issue of Security Horizon magazine. Written by CVE Compatibility Lead Robert A. Martin, the article describes what CVE is and isn't and explains how vulnerability management can be enhanced using the CVE naming scheme. The article also describes how CVE compatibility enables enterprise security through the use of shared CVE names, and how using CVE-compatible products and services improves how an organization responds to security advisories. A graphical representation of a CVE-enabled process is also included.

July 1, 2004

CVE & OVAL Included as Requirement in U.S. Defense Information Systems Agency Task Order for Information Assurance Applications

CVE and MITRE's Open Vulnerability Assessment Language (OVAL) project were included as requirements in a recent U.S. Defense Information Systems Agency (DISA) task order to DigitalNet, Inc. for information assurance applications. OVAL is the common language for security experts to discuss the technical details of how to identify the presence of vulnerabilities on computer systems, using Community Forum-developed XML definitions, each of which is based on a CVE name.

An article about the task order was published on June 23, 2004 in Government Computer News, which stated: "For the task order, the team will provide the United States Strategic Command with a set of applications that will scan systems for potential vulnerabilities . . . [and] . . . flag incorrect system configurations." According to the task order itself, the "specific CVE and OVAL requirements" are: (1) "Provide a tool for "The ENTERPRISE" to notify their organization of specific vulnerabilities using Common Vulnerability Exposure (CVE) [names] and Open Vulnerability Assessment Language (OVAL) [definitions]," and (2) "Accept configuration and vulnerability-related checking requirements provided by DoD expressed on OVAL eXtensible Markup Language (XML) when available."