Name of Your Organization:

Openware / The Alterna Group S.A.

Web Site:

www.openware.biz

Compatible Capability:

ATTAKA

Capability home page:

http://www.openware.biz/en/productoattaka

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Attaka is a 24/7 available service through a web based platform. It is a paid service for those companies which want to assess their Internet exposed servers’ vulnerabilities and track their remediation.

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

CVE names associated with our security elements are updated each week by an automatic process.

In order to check the date when our Vulnerability Database you have to follow this steps:

1. Log in to our product.
2. Click on the menu bar item called Help
3. Click on "Vulnerability" section on the left panel, at the end of this section you are going to find the last time when our Vulnerability Database was updated (red circled).

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

These CVE References are directly linked to Nessus’ webpage, because that there’s no need to updated any CVE Database of our own.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

Each week when Nessus’ Vulnerabilities are updated CVE references are updated.

7) CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

To see our documentation about CVE MITRE and Compatibility you have to follow these instructions:

1. Log in to our product.
2. Click on the menu bar item called Help
3. Click on "CVE MITRE Compatibility" section on the left panel.

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

Our customers can look up by many reference types, including CVE MITRE, to read about that you have to follow these steps:

1. Log in to our product.
2. Click on the menu bar item called Help. A pop up will be open.
3. Click on "Vulnerabilities" section and then check "Search Vulnerabilities" on the left panel. You’ll find how to search for a specific reference ID.

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

Our customers can look up by OW-ID (Our own vulnerability identification coding) and obtain associated CVE names to it, to read about that you have to follow these steps:

1. Log in to our product.
2. Click on the menu bar item called Help. A pop up will be open.
3. Click on "Vulnerabilities" and you will found out in Vulnerability List subsection a description about what information is brought by our platform including CVE names associated.

10) Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

Our online help product support has got an index to indicate where it is the information about our product’s CVE MITRE Compatibility support. You can see it in the left panel of its main window. Here you are an screenshot of it, we have circled it.

11) Candidates Versus Entries Indication <CR_6.1>

If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):

Candidates CVE name can be identify by their CAN prefix, for those entries entered after 19 October 2005 can be checked clicking on their CVE name that fire up a new Web browser instance with CVE MITRE reference page information. This function is available in every CVE name on the system.

12) Candidates Versus Entries Explanation <CR_6.2>

If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):

We have got a section on our online help to explain customers how CVE names status can be identified. Plus we offered additional information linking our customer to http://cve.mitre.org/about/index.html.

This are the steps to find this information:

1. Log in to our product.
2. Click on the menu bar item called Help
3. Click on "CVE MITRE Compatibility" section on the left panel, on this section you are going to find a subsection "How CVE Works" (red circled).

13) Candidate to Entry Promotion <CR_6.3>

If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):

We do not have a CVE name updating status policy because every CVE name in our system is referencing to CVE MITRE webpage because we believe it is the most reliable and updated source for our users.

Type-Specific Capability Questions

15) Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

This are the steps to find this information:

1. Search based on a CVE name in the Security vulnerability knowledge base:

Main Screen > Vulnerability List More Icon

2. Locate the task associated to the CVE name and expand it to find out details about how to remediate.

16) Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

We are going to explain through screenshots how to find a discovered vulnerability and its corresponding associated CVE names:

1. Open up a Vulnerability Assessment Report clicking on the glass icon:

Main Screen > Glass Icon

2. Expand an IP Address Technical Analysis

3. Go to "Appendix: Detected Vulnerabilities" sub-section and you will find all vulnerabilities founded on that IP Address and its associated CVE names. Plus, you can click on the CVE names and open their associated information on CVE MITRE Web Page.

21) Service Coverage Determination Using CVE Names <CR_A.3.1>

Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):

The following instructions show you how to look for a specific CVE name to find out which security vulnerability / element has been discovered:

1. Open up a Vulnerability Assessment Report clicking on the glass icon:

Main Screen > Glass Icon

2. Execute the printing view of the vulnerability assessment report.

3. Click on Expand button and press the "Find" function on your web browser, usually its shortcut it is CTRL + F and type the desired CVE name.

22) Finding CVE Names in Service Reports Using Elements <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):

The following instructions show you how to look for a discovered vulnerability and its corresponding associated CVE names:

ON THE VULNERABILITY ASSESSMENT REPORT

1. Open up a Vulnerability Assessment Report clicking on the glass icon:

Main Screen > Glass Icon

2. Expand an IP Address Technical Analysis

3. Go to "Appendix: Detected Vulnerabilities" sub-section and you will find all vulnerabilities founded on that IP Address and its associated CVE names. Plus, you can click on the CVE names and open their associated information on CVE MITRE Web Page.

ON THE VULNERABILITY ASSESSMENT REMEDIATION TOOL

1. Open up a Vulnerability Assessment Remediation Tool clicking on the tool icon:

Main Screen > Tool Icon

2. Click on any Vulnerability title and a pop up windows will display its CVE name(s) associated. Furthermore, you are able to see CVE name’s description clicking on it.

24) Finding Online Capability Tasks Using CVE Names <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):

We are going to explain through screenshots how to browse our Vulnerability Repository and find out how tasks can be search and solve by CVE names:

1. Search based on a CVE name in the Security vulnerability knowledge base:

Main Screen > Vulnerability List More Icon

2. Locate the task associated to the CVE name and expand it to find out details about how to remediate.

27) Finding CVE Names Using Online Capability Elements <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report. (required):

See question 15 and 22. Remember, in each procedure documented in the previous questions you can check CVE name information clicking on them and a web browser with corresponding CVE information in MITRE website will appear.

28) Online Capability Element to CVE Name Mapping <CR_A.4.3>

If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CVE name(s), otherwise enter N/A (required):

For non-listed security elements you can look up in our database to find those ones with are associated with none or many CVE names. Just follow these instructions:

1. Go to Main Screen > Vulnerability List More Icon

2. Search based on a CVE name in the Security vulnerability knowledge base:

Note: You can type the CVE name in one of the following formats:

Format Example
CVE-YYYY-NNNN CVE-2004-0122
CAN-YYYY-NNNN CAN-2004-1064
YYYY-NNNN 2004-0122

2. Locate the task associated to the CVE name and expand it to find out details about how to remediate.

29) Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

Nowadays Attaka provides output in HTM Format which is searchable via the browser.

30) Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

On our Vulnerability Assessment Report each security element are linked to its / their CVE names on the Appendix sub-section of every IP Address scanned where information about the security element are full explained.

31) Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

The CVE name is highly featured next to the OW-ID (Our own ID) on each query's web page (red circled). Examples:

VULNERABILITY ASSESSMENT REPORT:

VULNERABILITY SEARCH:

REMEDIATION SCREEN:

32) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

The following instructions show you how to look for a specific CVE name to find out which security vulnerability / element has been discovered:

1. Open up a Vulnerability Assessment Report clicking on the glass icon:

Main Screen > Glass Icon

2. Execute the printing view of the vulnerability assessment report.

3. Locate a Vulnerability ID. For example: 545, Microsoft Frontpage exploits

4. Click on Expand button and press the "Find" function on your web browser, usually its shortcut it is CTRL + F and type the desired CVE name.

33) GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

Nowadays, Attaka provides a HTML formatted vulnerability assessment report and access to the full text of the report in text format inside the product interface. Future formats include direct PDF, ODT (OpenOffice Word Processor Format) and XML, to be implemented. The HTML format can be searched for any text string, including a string containing a CVE name.

34) GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

We only provide for exporting our reports to PDF through external tools, we have documented that process at Help > Report > PDF Report Printing. After generate the PDF document you can look up for CVE-related text using your favourite PDF reader.

35) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Federico Javier Seineldin

Title: CEO & Founder

36) Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Federico Javier Seineldin

Title: CEO & Founder

37) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Federico Javier Seineldin

Title: CEO & Founder