News & Events

July 1, 2009

CounterSnipe Makes Declaration of CVE Compatibility

CounterSnipe LLC declared that its network knowledge-based intrusion prevention system, CounterSnipe, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

CVE Scheduled to Participate in "Making Security Measurable" Booth at Black Hat Briefings 2009 on July 29-30

CVE is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2009 on July 29-30, 2009 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Stop by Booth 70 and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Visit the CVE Calendar for information on this and other events.

MITRE Hosts Security Automation Developer Days 2009

MITRE hosted the first-ever Security Content Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference was technical in nature and focused on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP). The purpose of the event was for the community to discuss SCAP in technical detail and to derive solutions that benefit all concerned parties. Discussion topics included NIST SP 800-126; SCAP content management, lifecycle, validation, and remediation; OVAL®, XCCDF, emerging specifications, and perceived gaps in standards coverage; ontology; and use cases. CCE was also mentioned. For additional information visit the Developer Days page on the Making Security Measurable Web site.

June 3, 2009
CVE Mentioned in Article about SCAP in Computerworld

CVE was mentioned in an article entitled "How SCAP Brought Sanity to Vulnerability Management" in Computerworld on May 11, 2009. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP). CVE is mentioned when the author explains that "SCAP is part of the Information Security Automation Program and is made up of a collection of existing standards. These standards include some that many of us are already familiar with, such as the Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Additionally, it includes the Common Platform Enumeration (CPE), a standard to describe a specific hardware, OS and software configuration. This is helpful for enumerating assets, giving you your baseline information to apply all of this data; the Common Configuration Enumeration (CCE), very similar to CVE but dealing with misconfiguration issues; the Open Vulnerability and Assessment Language (OVAL) to provide schemas that describe the inventory of a computer, the configuration on that computer and a report of what vulnerabilities were found on that computer; and Extensible Configuration Checklist Description Format (XCCDF), a description language to help you apply your technical policies and standards to your scanning tools."

The author also provides an example of SCAP in action: "Let’s see how this helps me in building a real solution. As a head of a vulnerability management program as discussed earlier, I am sitting on data from application security assessment tools, host and network scanners, and database vulnerability and configuration scanners. In reality, this includes multiple products and services for application security, as well as multiple tools for host and network assessments. I set out by taking advantage of APIs when available from the assessment tool providers as well as XML data feeds. Utilizing the code I’ve just written to automate the movement of the data, I now need to map this information to a normalized schema, taking advantage of the SCAP standards. This is a big deal! I now have a common way to describe the vulnerabilities. I can eliminate duplicates that reference the same CVE on the same platforms."

CVE Mentioned in Article about SCAP in Government Computer News

CVE was mentioned in an article entitled "Draft guidelines issued for using SCAP to automate security validation" in Government Computer News on May 7, 2009. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Special Publication 800-117: Guide to Adopting and Using the Security Content Automation Protocol, which specifies how enterprises can use its Security Content Automation Protocol (SCAP), and a revised version of the testing requirements that security products using SCAP must meet to achieve SCAP validation, entitled Draft NIST Interagency Report 7511: Security Content Automation Protocol Validation Program Test Requirements, Revision 1. CVE is mentioned in the article as one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results: "Common Vulnerabilities and Exposures, a dictionary of names for publicly known security-related software flaws." The other five standards are Open Vulnerability and Assessment Language (OVAL), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Extensible Configuration Checklist Description Format (XCCDF), and Common Vulnerability Scoring System (CVSS). CVE is mentioned a second time when discussing NIST’s recommended guidelines for using SCAP: "Organizations should use SCAP for vulnerability measurement and scoring. SCAP enables quantitative and repeatable measurement and scoring of software flaw vulnerabilities across systems through the combination of the Common Vulnerability Scoring System (CVSS), CVE, and CPE."

Comments on draft guidelines 800-117 are due to NIST by June 12, 2009 and should be sent to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.

May 20, 2009
MITRE to Host Security Automation Developer Days, June 8-12

MITRE is scheduled to host the first-ever Security Automation Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference will be technical in nature and focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP). The purpose of the event is for the community to discuss SCAP in technical detail and to derive solutions that benefit all concerned parties. Currently scheduled discussion topics include NIST SP 800-126; SCAP content management, lifecycle, validation, and remediation; OVAL®, XCCDF, emerging specifications, and perceived gaps in standards coverage; ontology; and use cases. CVE will also be mentioned. Review the conference agenda. For additional information or to register visit http://www.mitre.org/register/scap/.

May 1, 2009
Beijing Topsec Co., Ltd. Posts CVE Compatibility Questionnaire

Beijing Topsec Co., Ltd. achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Topsec Intrusion Protection System (TopIDP). In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible." For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

SoftRun, Inc. Posts CVE Compatibility Questionnaire

SoftRun, Inc. achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Inciter Vulnerability Manager. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible." For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

iPolicy Networks Makes Two Declarations of CVE Compatibility

iPolicy Networks (Security Product Division of Tech Mahindra Ltd.) has declared that its iPolicy Security Manager and its iPolicy Intrusion Prevention Firewall are CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

H3C Technologies Co., Ltd. Makes Two Declarations of CVE Compatibility

H3C Technologies Co., Ltd. has declared that its SecPath T Series IPS and its SecBlade IPS will be CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE Hosts "Making Security Measurable" Booth at RSA 2009

MITRE hosted a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009. Visit the CVE Calendar for information on this and other events.

Information Systems Security Association (ISSA) Awards MITRE as "Outstanding Organization of the Year 2008"

MITRE was nominated for the award by the ISSA Northern Virginia Chapter for its role as a long-time supporter of the association and the information security profession, and for the development of publicly available solutions to thwart cybercrime, such as its "honeyclient" open-source package that proactively monitors Internet servers for fast-running, malicious programs designed to infect user systems. "We see it as part of our public service mission to support the information security profession, including sharing knowledge we’ve developed to safeguard data and protect it from misuse," said Al Grasso, MITRE president and chief executive. "Recognition by ISSA tells us we’re meeting this critical responsibility." In the past decade, MITRE has developed four of the six security standards that comprise the National Institute of Standards and Technology’s Security Content Automation Protocol, or SCAP. The four standards — Common Vulnerabilities and Exposures (CVE®); Open Vulnerability and Assessment Language (OVAL®); Common Platform Enumeration (CPE™); and Common Configuration Enumeration (CCE™) — are also part of MITRE’s "Making Security Measurable" effort.

April 1, 2009
MITRE to Host "Making Security Measurable" Booth at RSA 2009

MITRE is scheduled to host a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009. Please stop by Booth 2411 and say hello!

CVE/Making Security Measurable Briefing Presented at DHS/DoD/NIST SwA Forum

CVE Compatibility Lead and CWE Program Manager Robert A. Martin presented a briefing about CVE/Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 10-12, 2009 at MITRE Corporation in McLean, Virginia, USA. Visit the CVE Calendar for information on this and other events.

March 11, 2009

Beijing Topsec Co., Ltd. Makes Declaration of CVE Compatibility

Beijing Topsec Co., Ltd. has declared that its Topsec Intrusion Protection System (TopIDP) is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2009

MITRE hosted a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009. Visit the CVE Calendar for information on this and other events.

February 26, 2009
CVE List Surpasses 35,000 CVE Identifiers

The CVE Web site now contains 35,160 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE-IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. CVE-IDs are also used to uniquely identify vulnerabilities in public watch lists such as the SANS Top 20 Most Critical Internet Security Vulnerabilities and OWASP Top 10 Web Application Security Issues.

CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL) effort uses CVE-IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information, which is synchronized with and based on the CVE List, also includes Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

Each of the 35,000+ identifiers on the CVE List includes the following: CVE Identifier number (e.g., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look up an individual identifier. Fix information and enhanced searching of CVE are available from NVD.

February 25, 2009
CVE Mentioned in Top Twenty Most Critical Security Controls Document

CVE was mentioned in Draft 1.0 of the "Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance" consensus list released by a consortium of federal agencies and private organizations on February 23, 2009. The document, which uses "knowledge of actual attacks and defines controls that would have stopped those attacks from being successful," includes 15 critical controls that are subject to automated measurement and validation and an additional 5 critical controls that are not. CVE is mentioned as follows in a section about why the list is so important for chief information security officers (CISOs), chief information officers (CIOs), federal inspectors general, and auditors: "This effort also takes advantage of the success and insights from the development and usage of standardized concepts for identifying, communicating, and documenting security-relevant characteristics/data. These standards include the following: common identification of vulnerabilities (Common Vulnerabilities and Exposures-CVE), definition of secure configurations (Common Configuration Enumeration-CCE), inventory of systems and platforms (Common Platform Enumeration-CPE), vulnerability severity (Common Vulnerability Scoring System-CVSS) and identification of application weaknesses (Common Weaknesses Enumeration-CWE). These standards have emerged over the last decade through collaborative research and deliberation between government, academia and industry. While still evolving, several of these efforts in standardization have made their way into commercial solutions and government, industry, and academic usage. Perhaps most visible of these has been the Federal Desktop Core Configuration (FDCC) which leveraged the Security Content Automation Program (SCAP)."

The draft is available for public review and comment at www.sans.org/cag, www.csis.org, and www.gilligangroupinc.com until March 23, 2009.

SoftRun, Inc. Makes Declaration of CVE Compatibility

SoftRun, Inc. has declared that its vulnerability assessment and remediation tool, Inciter Vulnerability Manager, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2009, March 9-10

MITRE is scheduled to host a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009. Please stop by booth 531 and say hello. Visit the CVE Calendar for information on this and other events.

February 11, 2009
MITRE Hosts "Making Security Measurable" Booth at 2009 Information Assurance Symposium

MITRE hosted a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-6, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks." Visit the CVE Calendar for information on this and other events.

January 21, 2009

MITRE to Host "Making Security Measurable" Booth at 2009 Information Assurance Symposium, February 3-6

MITRE is scheduled to host a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-6, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks." Please stop by booth 301 and say hello. Visit the CVE Calendar for information on this and other events.

January 7, 2009

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2009

MITRE has announced its initial Making Security Measurable calendar of events for 2009. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event. Other events may be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have MITRE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CWE, CEE, CRF, OVAL, and/or Making Security Measurable at your event.

Information-technology Promotion Agency, Japan (IPA) Makes Two Declarations of CVE Compatibility

Information-technology Promotion Agency, Japan (IPA) has declared that its online Vulnerability Countermeasure Information Database (JVN iPedia), and its Filtered Vulnerability Countermeasure Information Tool (MyJVN) notification service, are CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.