Name of Your Organization:
Netcraft Ltd
Web Site:
www.netcraft.com
Compatible Capability:
Audited by Netcraft
Capability home page:
https://audited.netcraft.com/audited
General Capability Questions
Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
Mappings are made between vulnerability issues detected by the Audited by Netcraft service and CVE dictionary names. The mappings are in the form of a CVE link in an HTML (or PDF) report.
Mapping Questions
Map Currency Indication <CR_5.1>
Describe how and where your capability indicates
the most recent CVE version used to create or update its mappings (required):
The version of the CVE database used is printed at the bottom of the
report. Reference to this is made in the documentation.
"* CVE names refer to the CVE database dated 2009-10-04."
Map Currency Update Approach <CR_5.2>
Indicate how often you plan on updating the mappings
to reflect new CVE versions and describe your approach to keeping reasonably
current with CVE versions when mapping them to your repository (required):
Updates to the CVE database are downloaded on a daily basis from the National Vulnerability Database feeds at http://nvd.nist.gov/download.cfm. The full database is fetched every 7 days. Our software automatically updates its own database of vulnerability information using the downloaded CVE database.
Map Currency Update Time <CR_5.3>
Describe how and where you explain to your customers the timeframe they
should expect an update of your capability's mappings to reflect newly
available CVE content (required):
This is described in the CVE link (a link in the document Navigation Bar)
https://audited.netcraft.com/netexam/cve
Map Content Selection Criteria <CR_5.4>
Describe the criteria used for determining the relevance of a given
CVE Identifier to your Capability (required):
New vulnerability tests are added to the Audited by Netcraft service on a regular basis. Each new vulnerability will include a CVE Identifier (if one has been assigned to the vulnerability in question). The references for the given CVE Identifier will be checked to ensure that the CVE Identifier is correct.
Map Currency Update Mechanism <CR_5.4>
Describe the mechanism used for reviewing CVE for content changes (required):
Updates to the CVE database are downloaded on a daily basis from the National Vulnerability Database feeds at http://nvd.nist.gov/download.cfm.
"nvdcve-2.0-modified.xml includes all recently published and recently updated vulnerabilities"
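The download-and-merge mechanism described in the two answers above (daily "modified" feed applied to a local table, the feed date carried into the report footer, and the CVE-name check mentioned under content selection), as an added example that is not Netcraft's code. It assumes the NVD 2.0 XML feed layout (root `nvd` element with `entry` children carrying `vuln:last-modified-datetime`) and a local table keyed by CVE name; the feed text, CVE identifiers, dates and summaries below are constructed placeholders, not real NVD entries, and the `run_demo` helper is hypothetical.

```python
"""Apply an NVD 2.0 'modified' feed to a local CVE table and build report strings.

Added example, not Netcraft's code. The namespace URIs are those of the
NVD 2.0 XML feed; the entries in SAMPLE_MODIFIED_FEED are constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NVD_NS = "http://scap.nist.gov/schema/feed/vulnerability/2.0"
VULN_NS = "http://scap.nist.gov/schema/vulnerability/0.4"

# Syntactic check applied before an identifier is accepted into the table.
CVE_NAME_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample feed: placeholder IDs, dates and summaries, not real entries.
# The third entry carries a malformed name to exercise the rejection path.
SAMPLE_MODIFIED_FEED = f"""<?xml version="1.0" encoding="UTF-8"?>
<nvd xmlns="{NVD_NS}" xmlns:vuln="{VULN_NS}" nvd_xml_version="2.0" pub_date="2009-10-04T03:00:00">
  <entry id="CVE-2009-0001">
    <vuln:cve-id>CVE-2009-0001</vuln:cve-id>
    <vuln:published-datetime>2009-01-10T10:30:00.000-05:00</vuln:published-datetime>
    <vuln:last-modified-datetime>2009-10-03T18:00:00.000-04:00</vuln:last-modified-datetime>
    <vuln:summary>Constructed placeholder entry (updated).</vuln:summary>
  </entry>
  <entry id="CVE-2009-0002">
    <vuln:cve-id>CVE-2009-0002</vuln:cve-id>
    <vuln:published-datetime>2009-10-02T09:00:00.000-04:00</vuln:published-datetime>
    <vuln:last-modified-datetime>2009-10-02T09:00:00.000-04:00</vuln:last-modified-datetime>
    <vuln:summary>Constructed placeholder entry (new).</vuln:summary>
  </entry>
  <entry id="CVE-2009-00X3">
    <vuln:last-modified-datetime>2009-10-03T00:00:00.000-04:00</vuln:last-modified-datetime>
  </entry>
</nvd>"""


def parse_feed(xml_text):
    """Return (feed_date, entries, rejected).

    entries maps each well-formed CVE name to its last-modified time in UTC;
    rejected lists entry ids that fail the syntactic check or lack a timestamp.
    """
    root = ET.fromstring(xml_text)
    feed_date = root.get("pub_date", "")[:10]  # YYYY-MM-DD portion for the footer
    entries, rejected = {}, []
    for entry in root.iter(f"{{{NVD_NS}}}entry"):
        name = entry.get("id", "")
        stamp = entry.findtext(f"{{{VULN_NS}}}last-modified-datetime")
        if not CVE_NAME_RE.match(name) or stamp is None:
            rejected.append(name)
            continue
        entries[name] = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return feed_date, entries, rejected


def merge_modified(local, feed_entries):
    """Update the local table from a 'modified' feed; return the names that changed.

    An entry is taken only when it is new or strictly newer than the stored one,
    so re-applying the same daily feed is a no-op.
    """
    changed = []
    for name, modified in feed_entries.items():
        current = local.get(name)
        if current is None or modified > current:
            local[name] = modified
            changed.append(name)
    return changed


def mitre_link(name):
    """Hyperlink used for a CVE name in the report (the cvename.cgi form in fig 1)."""
    return f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={name}"


def report_footer(feed_date):
    """Footer line stating which CVE database version the names refer to."""
    return f"* CVE names refer to the CVE database dated {feed_date}."


def run_demo():
    """Hypothetical driver: one daily merge against a constructed local table."""
    feed_date, entries, rejected = parse_feed(SAMPLE_MODIFIED_FEED)
    # Constructed local table: CVE-2009-0001 seen before, with an older timestamp.
    local = {"CVE-2009-0001": datetime(2009, 9, 1, tzinfo=timezone.utc)}
    first = merge_modified(local, entries)
    second = merge_modified(local, entries)  # same feed again: nothing changes
    return {
        "feed_date": feed_date,
        "rejected": rejected,
        "changed_first": first,
        "changed_second": second,
        "footer": report_footer(feed_date),
        "links": {n: mitre_link(n) for n in local},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The strict "newer than stored" comparison is what makes the daily merge safe to repeat; a weekly full-feed fetch can use the same `merge_modified` unchanged, since entries that have not moved are simply skipped.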
Map Content Source <CR_5.5>
Describe the source of your CVE content (required):
New vulnerabilities (together with their corresponding CVE Identifiers) are sourced from security-related mailing lists and feeds, security-focused websites, discussion groups, vendor announcements, advisories and bulletins, and our own security research.
Documentation Questions
CVE and Compatibility Documentation<CR_4.1>
Provide a copy, or directions to its location,
of where your documentation describes CVE and CVE compatibility for
your customers (required):
A link is provided in the Navigation Bar at the top of the page:
https://audited.netcraft.com/netexam/cve
The user of the service gets an HTML or PDF report with a link to the appropriate CVE definition at MITRE. The only documentation that is required is a small entry in our Help file and a link to this page:
Fig 1. Screen shot of CVE Name mapping example (note link to MITRE cvename.cgi in browser status bar)
Documentation of Finding Elements Using CVE Names <CR_4.2>
Provide a copy, or directions to its location, of
where your documentation describes the specific details of how your
customers can use CVE names to find the individual security elements
within your capability's repository (required):
https://audited.netcraft.com/netexam/cve
Any vulnerabilities which are discovered and for which a CVE entry exists are highlighted in the vulnerability table of the report, together with a link to the appropriate CVE entry. See fig1 above.
Documentation of Finding CVE Names Using Elements
<CR_4.3>
Provide a copy, or directions to its location, of
where your documentation describes the process a user would follow to
find the CVE names associated with individual security elements within
your capability's repository (required):
As can be seen in fig 1, the user simply has to click on the CVE name.
Documentation Indexing of CVE-Related Material
<CR_4.4>
If your documentation includes an index, provide a copy of the items
and resources that you have listed under "CVE" in your index.
Alternately, provide directions to where these "CVE" items are posted
on your web site (recommended):
No index is provided in the service.
Service Questions
Service Coverage Determination Using CVE Names <CR_A.3.1>
Give detailed examples and explanations of the different ways
that a user can use CVE names to find out which security elements
are tested or detected by the service (i.e. by asking, by providing
a list, by examining a coverage map, or by some other
mechanism) (required):
A user may ask (by email, phone, fax etc.) if a CVE name is detected by the service.
Finding CVE Names in Service Reports Using Elements <CR_A.3.2>
Give detailed examples and explanations of how, for reports that
identify individual security elements, the user can determine the
associated CVE names for the individual security elements in the
report (required):
A link is provided in the report that maps a detected vulnerability to a CVE name. See fig 1.
Service's Product Utilization Details <CR_A.3.4>
Please provide the name and version number of any product that the
service allows users to have direct access to if that product
identifies security elements (recommended):
The service does not allow clients to have direct access to the underlying vulnerability scanner.
Online Capability Questions
Finding Online Capability Tasks Using CVE Names <CR_A.4.1>
Give detailed examples and explanations of how a "find" or "search"
function is available to the user to locate tasks in the online
capability by looking for their associated CVE name or through an
online mapping that links each element of the capability with its
associated CVE name(s) (required):
The find function of the browser can be used. See fig 1 for the report layout of the CVE mapping.
Online Capability Interface Template Usage <CR_A.4.1.1>
Provide a detailed description of how someone can use your "URL
template" to interface to your capability's search function
(recommended):
By design we do not include input forms in the report. The find function is sufficient.
Finding CVE Names Using Online Capability Elements <CR_A.4.2>
Give detailed examples and explanations of how, for reports that
identify individual security elements, the online capability allows
the user to determine the associated CVE names for the individual
security elements in the report.
(required):
The CVE name is used as the link to MITRE (see the fig 1 attachment).
Media Questions
Electronic Document Format Info <CR_B.3.1>
Provide details about the different electronic document formats that
you provide and describe how they can be searched for specific
CVE-related text (required):
HTML - Use find function of browser
PDF - Use find function of PDF viewer
Spreadsheet downloadable - Use search function of spreadsheet tool
Printable format - Use word processor word search
Electronic Document Listing of CVE Names <CR_B.3.2>
If one of the capability's standard electronic documents
only lists security elements by their short names or titles provide
example documents that demonstrate how the associated CVE names are
listed for each individual security element (required):
See fig 1. example
Electronic Document Element to CVE Name Mapping <CR_B.3.3>
Provide example documents that demonstrate the mapping from
the capability's individual elements to the respective CVE
name(s) (recommended):
See fig 1. example
Graphical User Interface (GUI)
Finding Elements Using CVE Names Through the GUI <CR_B.4.1>
Give detailed examples and explanations of how the
GUI provides a "find" or "search" function for the
user to identify your capability's elements by looking for their associated
CVE name(s) (required):
Simply by using the find function of the browser.
GUI Element to CVE Name Mapping <CR_B.4.2>
Briefly describe how the associated CVE names are
listed for the individual security elements or discuss how the user
can use the mapping between CVE entries and the capability's elements,
also describe the format of the mapping (required):
They are listed as links. See fig 1.
GUI Export Electronic Document Format Info <CR_B.4.3>
Provide details about the different electronic document formats that
you provide for exporting or accessing CVE-related data and describe
how they can be searched for specific CVE-related text (recommended):
Exported in CSV format for spreadsheet analysis; the spreadsheet's search function can be used for searching.
Similarly, a printable version is provided.
Questions for Signature
Statement of Compatibility <CR_2.7>
Have an authorized individual sign and date the
following Compatibility Statement (required):
"As an authorized representative of my organization I agree
that we will abide by all of the mandatory CVE Compatibility Requirements
as well as all of the additional mandatory CVE Compatibility Requirements
that are appropriate for our specific type of capability."
Name: Colin Phipps
Title: Internet Services Manager
Statement of Accuracy <CR_3.4>
Have an authorized individual sign and date the
following accuracy Statement (recommended):
"As an authorized representative of my organization and to
the best of my knowledge, there are no errors in the mapping between
our capability's Repository and the CVE entries our capability identifies."
Name: Colin Phipps
Title: Internet Services Manager