Enterprise Security Enabled by CVE
CVE compatibility enables enterprise security through the use of shared CVE names, changing the way organizations use security tools, services, and data sources to address their operational security posture.
A CVE-Enabled Process
In a CVE-enabled process, CVE-compatible vulnerability services, databases, Web sites, and tools can cross-link with other compatible tools and data sources. In this example, an organization detects an ongoing attack with its CVE-compatible IDS (A). A CVE-compatible IDS includes in its attack report the specific vulnerabilities that are susceptible to the detected attack. The organization can then compare this information against the latest vulnerability scan from its CVE-compatible scanner (B) to determine whether the enterprise has one of the vulnerabilities or exposures that the attack can exploit. If it does, the organization can go to a CVE-compatible site at the vendor of the software product that offers patches and workarounds for known vulnerabilities, or it can use the services of a vulnerability Web site to identify (C) the location of the fix for a CVE entry (D), if one exists.
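The cross-linking described above amounts to a join on the shared CVE name. The following sketch is an added example, not code from the CVE project or any product: the record fields (`sig`, `dst`, `refs`, `host`, `cve`), the fix index, and the `CVE-0000-*` names are constructed placeholders standing in for real IDS, scanner, and vendor data.

```python
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample data; CVE-0000-* names are placeholders, not real entries.
IDS_ALERTS = [  # (A) attack reports carrying the CVE names the attack targets
    {"sig": "constructed-sig-1", "dst": "10.0.0.5", "refs": "cve-0000-0001; CVE-0000-0002"},
    {"sig": "constructed-sig-2", "dst": "10.0.0.9", "refs": "CVE-0000-0003"},
    {"sig": "constructed-sig-3", "dst": "10.0.0.7", "refs": ""},
]
SCAN_FINDINGS = [  # (B) latest vulnerability scan, one finding per host and CVE name
    {"host": "10.0.0.5", "cve": "CVE-0000-0002"},
    {"host": "10.0.0.5", "cve": "CVE-0000-0004"},
    {"host": "10.0.0.9", "cve": "CVE-0000-0001"},
]
# (C)/(D) fix locations keyed by CVE name; hypothetical URL on a reserved domain.
FIX_INDEX = {"CVE-0000-0002": "https://vendor.example/advisories/placeholder"}


def cve_names(text):
    """Extract CVE names, normalised to upper case so sources join cleanly."""
    return set(CVE_RE.findall(text.upper()))


def correlate(alerts, findings, fixes):
    """Return alerts whose target host has a scanned vulnerability the attack can exploit."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]] |= cve_names(f["cve"])
    actionable = []
    for a in alerts:
        # Join on host AND CVE name: the attack matters only where the target is vulnerable.
        for cve in sorted(cve_names(a["refs"]) & by_host[a["dst"]]):
            actionable.append({"host": a["dst"], "sig": a["sig"], "cve": cve,
                               "fix": fixes.get(cve)})  # None: no fix location known
    return actionable


if __name__ == "__main__":
    for row in correlate(IDS_ALERTS, SCAN_FINDINGS, FIX_INDEX):
        print(row)
```

Only the first alert is actionable: its target host was scanned as vulnerable to one of the CVE names the attack exploits, while the other host carrying a matching name was not the one attacked.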
Identifying your risk
Using CVE-compatible products also allows you to improve how your organization responds to security advisories. If the advisory is CVE-compatible, you can see if your scanners check for this threat and then determine whether your IDS has the appropriate attack signatures. If you build or maintain systems for customers, the CVE compatibility of advisories will help you to directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site is CVE-compatible). The result is a much more structured and predictable process for handling advisories than most organizations currently possess.
Refer to the CVE-Compatible Products/Services page for an up-to-date list of compatible vulnerability/exposure alerts, intrusion detection tools, vulnerability databases, vulnerability assessment tools, risk management tools, integrated product suites, and educational and research materials.