2007 Industry News Coverage (Archive)
Below is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
Processor Magazine, October 5, 2007
CVE was mentioned in the "Product Releases" article in Processor Magazine on October 5, 2007. CVE is mentioned in the "Security" section of the article regarding Secure Elements' C5 Compliance Platform 3.3, which "…is the first product to work with NIST SCAP content to help federal government agencies meet the OMB Mandate. It also helps with compliance with NIST ISAP/SCAP initiative for auditing security configurations using OVAL, XCCDF, CPE, CVSS, CCE, and CVE."
NetworkWorld, September 25, 2007
CVE was mentioned in an article entitled "Service-oriented security" in NetworkWorld on September 25, 2007. CVE is mentioned when the author discusses Security Content Automation Protocol (SCAP). The author states: "The basic premise is that the only way we'll ever get a handle on the operational challenges of security management is to automate as many of the processes as possible. SCAP pulls information from a number of standardized information sources, including (warning: acronym soup ahead): the eXtensible Configuration Checklist Description Format (XCCDF), the Open Vulnerability Assessment Language (OVAL), Common Vulnerability Scoring System, (CVSS) and Common Vulnerabilities and Exposures (CVE) database." The article was written by Andreas M. Antonopoulos.
Secure Elements Web Site, September 18, 2007
CVE was mentioned in a September 18, 2007 news release from Secure Elements, Inc. entitled "Secure Elements Announces New Version of IT Audit and Compliance Platform." CVE is mentioned in the portion of the release that describes how Secure Elements' C5 Compliance Platform Version 3.3 adds enhanced NIST SCAP FISMA reporting: "For federal government agencies, C5 is the first enterprise solution that works directly with the NIST SCAP content to help them meet the OMB Mandate for secure desktop configurations as well as incorporating all of the latest standards as defined by the NIST ISAP/SCAP initiative for auditing security configurations utilizing OVAL, XCCDF, CPE, CVSS, CCE and CVE."
Computerworld, August 2, 2007
CVE was mentioned in an article entitled "Black Hat: NSA guru lauds security intelligence sharing" in Computerworld. The article, which was written by Matt Hines, originally appeared in InfoWorld on August 1, 2007; see the InfoWorld entry below for the CVE-related content.
eWeek, August 1, 2007
CVE was mentioned in an article entitled "SCAP Beta Will Boost Enterprise Compliance Efforts" in eWeek on August 1, 2007. The article describes how the U.S. National Institute of Standards and Technology's Security Content Automation Protocol (SCAP) "…could streamline the way civilian organizations enable automated vulnerability management."
CVE is mentioned when the author states: "SCAP uses data feeds from the NVD (National Vulnerability Database), which is defined and maintained by the National Institute of Standards and Technology, better known as NIST. SCAP is an open standard, and the NVD is available license-free. SCAP uses information from six open standards, including CVE (Common Vulnerability and Exposures) and CCE (Common Configuration Enumeration), both overseen by MITRE, along with data provided by the XCCDF (eXtensible Configuration Checklist Description Format), a standard XML expression for specifying checklists and reporting results from those checklists."
National Institute of Standards and Technology (NIST) is a member of the CVE Editorial Board and CVE and NVD are both sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. The article was written by Cameron Sturdevant.
BankInfoSecurity.com, August 2007
CVE Compatibility Lead Robert A. Martin conducted a 10-minute podcast interview with BankInfoSecurity.com about CVE, CWE, and Making Security Measurable at Black Hat Briefings 2007. It is one of nine interviews from the event available at http://www.bankinfosecurity.com/podcasts.php?podcastID=53 (sign-up is required), or you may play or download the podcast now from the CVE Web site.
InfoWorld, August 1, 2007
CVE was mentioned in an August 1, 2007 article entitled "NSA guru lauds security intelligence sharing" in InfoWorld. The main topic of the article was the Black Hat Briefings 2007 keynote speech by Tony Sager, chief of the National Security Agency's Vulnerability Analysis and Operations Group, about how "U.S. government initiatives aimed at fostering the sharing of security intelligence throughout the federal space are helping to establish the community atmosphere and best practices necessary to help those agencies — and private enterprises — improve their network and applications defenses…" The article mentions both CVE and the Common Weakness Enumeration (CWE) in that context.
CVE is mentioned in the article when the author states: "Robert Martin, head of Mitre's CVE (Common Vulnerability [and] Exposures) compatibility effort and a contributor to the CWE initiative, said that momentum is building behind his organization's guidelines and helping many government and private entities to better understand and share their own practices. "With all these different pieces that are coming together, we are standardizing the basic concepts of security themselves as well as methods for reviewing and improving computing and networking systems," said Martin. "I see a future where a tapestry of tools, procedures, and processes are built over time that recognize and address the common problems that exist among all these constituencies." Martin said that Mitre's efforts to add new security policy frameworks will continue to improve as they mature and even more parties begin to contribute their intelligence to the initiatives."
The article was written by Matt Hines.
SC Magazine, July 2007
CVE was mentioned in a product review group test in SC Magazine entitled "Vulnerability Assessment 2007" that used inclusion of CVE as a review element: "We especially favored those products that take advantage of the common vulnerabilities and exposures (CVE) to define vulnerabilities unambiguously." CVE was also included as a product feature in the individual review for Core Security Technologies' CORE Impact 6.0 automated penetration testing tool. Core Security Technologies and its CORE Impact 6.0 are listed in the CVE-Compatible Products and Services section.
TechTarget.com, July 2007
CVE was the main topic of a question answered by Ed Skoudis on July 17, 2007 in the "Ask The Security Expert" column on TechTarget.com entitled "Can the list of Common Vulnerabilities and Exposures protect applications?" In his response the author describes what CVE is and isn't, explains the value of common names for security vulnerabilities, discusses the variety of vulnerabilities included on the CVE List, and suggests that organizations use CVE when deploying software so they "can be aware of their flaws."
ZDNET Security Blogs Web Site, July 6, 2007
CVE was mentioned briefly in a July 6, 2007 guest editorial by Dave Aitel entitled "The tip of the 0day iceberg" on the ZDNET Security Blogs Web site. CVE is mentioned in the opening paragraph when the author states: "The story of modern computer security can never be told — it's the story of the unknown. Right now, most people treat vulnerabilities as a constant stream of one-offs. In many real ways, the entire [CVE List] is the tip of an iceberg." The article also included a link to the CVE Web site.
Dark Reading, May 30, 2007
CVE was mentioned in a May 30, 2007 article entitled "Bug Disclosures Decline" on Dark Reading. CVE is mentioned at the beginning of the article when the author states: "Researchers say the number of bugs reported so far this year has increased by about 5 percent, versus the 40- to 60-percent spike seen in 2006. Mitre, which officially tracks publicly reported bugs under the Common Vulnerability and Exposures (CVE) program, has seen only a 5 percent increase through April, with 2,245 vulnerabilities reported, versus the 60 percent jump last year at the same time, with 2,143."
The article also includes numerous quotes about the rate of disclosures from CVE List Editor Steve Christey, including that: "In the past couple of years, it seems like there's been a huge increase of independent researchers who use basic techniques to find simple vulnerabilities in software that's not very popular. Maybe we've reached a critical mass in which there are finally enough independent researchers to provide basic evaluations of most software that's available on the Internet." The author also notes that Christey says that there is "typically a sharp increase in bug disclosures when researchers first start working on a new class of products, which typically are loaded with easy-to-find bugs." Christey then continues: "We haven't seen a new product class dominate the landscape since file format vulnerabilities in image or document processing products. There hasn't been a real 'fad' since file-format vulnerabilities, but ActiveX controls show some potential. The numbers could jump again once researchers start hammering away at software that hasn't yet been widely deployed."
The author then concludes the article with a final quote by Christey: "I'm a little surprised [by the rate of vulnerability disclosures so far this year], but after the growth rates of the recent past, there's always hope that the bleeding will slow down. If there's one thing I've learned in this business, it's to expect the unexpected. Numbers ebb and flow all the time."
The article was written by Kelly Jackson Higgins.
Government Computer News, May 22, 2007
CVE was mentioned in a May 22, 2007 article entitled "NIST releases FISMA security control tools" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology's Security Content Automation Protocol (SCAP), which according to the article is "intended to help make the step from FISMA compliance to operational IT security." SCAP extends the U.S. National Vulnerability Database (NVD), which is itself built upon and synchronized with the CVE List, and is described as an "automated checklist that uses a collection of recognized standards for naming software flaws and configuration problems in specific products. It can help test for the presence of vulnerabilities and rank them according to severity of impact. The checklist files are mapped to NIST specifications for compliance with the Federal Information Security Management Act, so that the output can be used to document FISMA compliance."
CVE is mentioned when the author states that "SCAP currently uses six open standards for enumerating, evaluating and measuring the impact of software problems and reporting the results," and includes CVE as the first standard: "Common Vulnerabilities and Exposures, CVE, from MITRE Corp.; standard identifiers and dictionary for security vulnerabilities related to software flaws." The other five standards are: Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.
National Institute of Standards and Technology (NIST) is a member of the CVE Editorial Board and CVE, NVD, and OVAL are all sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. The article was written by William Jackson.
Network World, April 30, 2007
CVE was mentioned throughout an April 30, 2007 op-ed article entitled "How to find your security holes: Check your network for CVEs" by NetClarity, Inc. founder and CTO Gary S. Miliefsky in Network World. The author, who refers to CVE as a standard and uses the term "CVEs" when referring to vulnerabilities, states that last year alone hackers caused over a billion dollars in damages and that it is "crucial today to prevent vulnerabilities across the enterprise and remove these CVEs — these security holes in your desktops, laptops and servers. Knowing what they are, where they are on your network, and how to remove them is more important than sniffing packets and listening for burglars. According to US-CERT, 95% of downtime and IT related compliance issues are a direct result of an exploit against a CVE."
The author suggests using the SANS Top Twenty consensus list of the most critical software vulnerabilities that are identified by CVE-ID to see which vulnerabilities should be fixed immediately and the U.S. National Institute of Standards and Technology's National Vulnerability Database (NVD) that is built upon CVE-IDs to search for vulnerabilities and fix information by vendor or OS and product name(s).
The author concludes the article by stating that: "Removing critical CVEs is considered due care. Frequent and consistently scheduled security audits for CVEs and their removal is the only prudent thing to do as a proactive information security manager. Now is the time to find and fix your CVEs so you can be more productive and suffer less downtime and successful hacker attacks. If you remove all of your CVEs you'll be as close to 100% secure as possible."
The Register, March 29, 2007
CVE was mentioned in a March 29, 2007 article entitled "Developers' secure-coding skill put to the test" on The Register about the National Secure Programming Skills Assessment Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. The author mentions CVE as follows: "Much of the problem is because computer programmers are not trained in secure programming methods in college courses, said Steve Christey, editor of the Common Vulnerability and Exposures (CVE) Project at MITRE." The author also quotes a written statement by Christey, who states: "Most educational institutions have failed to teach the most fundamental skills in making secure products. There needs to be a revolution." The article, which was written by Robert Lemos, also notes that the "[NSPSA] exam will be piloted in August in Washington D.C. and then rolled out worldwide during the remainder of 2007."
SecurityFocus, March 28, 2007
CVE was mentioned in a March 28, 2007 article entitled "Groups team to test secure-coding skill" on SecurityFocus about the National Secure Programming Skills Assessment Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. The author mentions CVE as follows: "Much of the problem is because computer programmers are not trained in secure programming methods in college courses, said Steve Christey, editor of the Common Vulnerability and Exposures (CVE) Project at MITRE." The author also quotes a written statement by Christey, who states: "Most educational institutions have failed to teach the most fundamental skills in making secure products. There needs to be a revolution." The article, which was written by Robert Lemos, also notes that the "[NSPSA] exam will be piloted in August in Washington D.C. and then rolled out worldwide during the remainder of 2007."
TechTarget.com, March 27, 2007
CVE was mentioned in a March 27, 2007 article entitled "SANS: New exam program about more secure code" on TechTarget.com about the National Secure Programming Skills Assessment Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. The author describes CVE as "[a program that] monitors all security vulnerabilities on behalf of the federal government" and includes a quote by CVE List Editor Steve Christey that the exam program was long overdue: "After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear: Most of these vulnerabilities could be found very easily, using techniques that require very little expertise. In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance." The article was written by Bill Brenner.
InformationWeek, March 26, 2007
CVE was mentioned in a March 26, 2007 article entitled "Coalition Aims To Nip Software Bugs In The Bud" in InformationWeek about the National Secure Programming Skills Assessment Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. CVE is mentioned in a quote from a written statement by CVE List Editor Steve Christey, who states: "After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear. Most of these vulnerabilities could be found very easily, using techniques that require very little expertise. In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance." A second quote mentions that most colleges and universities don't teach programmers how to write secure code: "There needs to be a revolution. Secure programming examinations will help everyone draw the line in the sand, to say 'No more,' and to set minimum expectations for the everyday developer." The article was written by Sharon Gaudin.
Washington Post Web Site, March 26, 2007
CVE was mentioned in a March 26, 2007 blog article entitled "Security Fix: They Say They Want a Revolution" on WashingtonPost.com about the National Secure Programming Skills Assessment Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. CVE is mentioned as follows: "Educational institutions churn out computer science degrees to fresh faced graduates bursting with new ideas and skills to match, but how well do they hammer home the need to write software securely? Judging from the massive number of software vulnerabilities found each year, not very well at all. MITRE Corp., a nonprofit company maintaining one of the most authoritative catalogs of software security vulnerabilities, tracked more than 7,000 software security flaws in 2006, many of them Web application holes. Steve Christey, editor of MITRE's common vulnerability enumeration (CVE) database, said most of those bugs could have been found and squashed "very easily, using techniques that require very little expertise.""
Government Computer News, March 19, 2007
CVE was mentioned in a March 19, 2007 article entitled "All for one, but not one for all" in Government Computer News. The main focus of the article is a National Security Agency (NSA) study of the effectiveness of vulnerability assessment tools, which found that "Organizations trying to automate the process of testing software for vulnerabilities have no choice but to deploy a multitude of tools." The author quotes Kris Britton, technical director at NSA's Center for Assured Software, in describing the results: "No tool stands out as an uber-tool. Each [of the point solution tools] has its strengths and weaknesses."
CVE is mentioned in a discussion about how agreement on what a software weakness is will help the industry in its "quest to find a comprehensive, automated systems analysis of vulnerabilities." The author states: "Mitre Corp. has made some progress on developing a common language for software vulnerabilities, with its initial list of common vulnerabilities and exposures, (CVE) and more recently, the common weakness enumeration (CWE)." He also notes that "CVE includes a list of 20,000 vulnerabilities; CWE includes 600 categories of vulnerabilities." CVE is also mentioned in a quote by Ryan Berg, chief scientist at Ounce Labs, who states: "CVE is a database of vulnerabilities definitions and descriptions [and] CWE is an effort at coming up with a common taxonomy for describing what a particular vulnerability is." CWE, which is based in part on CVE, is mentioned again in a quote by Mike Kass, software assurance project leader at the National Institute of Standards and Technology, who states that the point of CWE is to "enable more effective discussion, description, selection, and use of software security tools. [Still] There is little overlap among tools regarding what they claim to catch in the CWE. This creates questions for purchasers of tools regarding the tool's purported effectiveness and usefulness." The author also notes that "More than 50 vendors are participating in the [CWE] effort." The article was written by Peter A. Buxbaum.
Crosstalk, March 2007
CVE was mentioned in an article about MITRE's Common Weakness Enumeration (CWE) initiative entitled "Being Explicit About Security Weaknesses" in the March 2007 issue of CrossTalk, The Journal of Defense Engineering. The article describes the creation of the CWE initiative and the sources used to develop the initial concept, related efforts, how CWE is a community effort and a list of current members, how the drafts of the CWE dictionary are being developed, an example of a CWE entry, the CWE Compatibility and CWE Effectiveness program, and the additional impact and transition opportunities tied to CWE.
CVE is mentioned as one of the main sources for the creation of CWE: " ... as part of MITRE's participation in the DHS-sponsored NIST SAMATE effort, MITRE investigated the possibility of leveraging the Common Vulnerabilities and Exposures (CVE) initiative's experience in analyzing more than 20,000 real-world vulnerabilities reported and discussed by industry and academia. As part of the creation of the CVE List [cve.mitre.org/cve] that is used as the source of vulnerabilities for the National Vulnerability Database [nvd.nist.gov], MITRE's CVE initiative during the last six years has developed a preliminary classification and categorization of vulnerabilities, attacks, faults, and other concepts that can be used to help define this arena."
CVE is mentioned again in the concluding sections as one of the synergies possible from the development of CWE: "Mapping of CWEs to CVEs ... would help bridge the gap between the potential sources of vulnerabilities and examples of their observed instances providing concrete information for better understanding the CWEs and providing some validation of the CWEs themselves." The article was written by CVE Compatibility Lead and CWE Program Manager Robert A. Martin.
NetClarity Web Site, February 6, 2007
CVE was mentioned in a February 6, 2007 press release from NetClarity, Inc. entitled "NetClarity's Auditor and Protection Product Lines Certified by The Tolly Group," issued at RSA Conference 2007. The release cites CVE as a main element of the product evaluation: "The Tolly Group's analysis concluded that all of these products are "Up to Spec" when evaluated for finding and remediating Common Vulnerabilities and Exposures (CVEs), which are the root cause of network security problems." The release also refers to CVE as a standard and uses the term "CVEs" when referring to vulnerabilities.
SC Magazine, February 6, 2007
CVE was cited in the description of SC Magazine's "Editor's Choice Professional Award" to the NSA's Information Assurance Directorate's Vulnerability Analysis and Operations (VAO) Group for its work in the past year with the U.S. Air Force and Microsoft Corporation to "examine and provide security-setting recommendations for Microsoft's new Vista operating system" and to promote the use of standards. CVE was mentioned as follows: "The VAO Group is also shaping the development of security standards for vulnerability naming and identification, such as the Open Vulnerability and Assessment Language (OVAL), Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) standards." The "2007 SC Magazine Awards" were presented on February 6, 2007 at the Hilton San Francisco in San Francisco, California, USA.
Dr. Dobb's Journal, February 2, 2007
CVE identifiers were used to identify the vulnerabilities discussed in an article entitled "Programming Language Format String Vulnerabilities" in the February 2, 2007 edition of Dr. Dobb's Journal. The article, which discusses vulnerabilities in C, C++, Perl, PHP, Java, Python, and Ruby, also references a 2002 paper on Perl format string vulnerabilities by CVE List Editor Steve Christey. The article was written by Hal Burch and Robert C. Seacord.
Network World, February 2, 2007
CVE was mentioned in a February 2, 2007 article entitled "Inside the X-Force" about Internet Security Systems' X-Force research and development team in Network World. CVE is cited as one of the resources X-Force uses for vulnerability research. The article mentions CVE again when it quotes CVE List Editor Steve Christey, who states: "With vulnerability-information management as a discipline, you're taking this mountain of vulnerability data and trying to make it relevant to everyday IT and the security consumer." IBM Internet Security Systems is a member of the CVE Editorial Board, and two of its X-Force products and five other products are registered as Officially CVE-Compatible.
Network World, January 17, 2007
CVE was mentioned in a January 17, 2007 article entitled "The 7 best practices for network security in 2007" in Network World. CVE was mentioned in the third section entitled "Run frequent information security self-assessments," in which the author states: "...Common Vulnerabilities and Exposures (CVE) [is] eight years old this year and accepted worldwide as the de facto international standard for vulnerability tracking on all computers and networking equipment. How many machines on your network have one of the top 20 CVEs? You can find the list here and then find more details at the National Vulnerability Database hosted by NIST." The article was written by Gary Miliefsky.
SecurityFocus, January 17, 2007
CVE was mentioned in a January 17, 2007 article entitled "Vulnerability tallies surged in 2006" on SecurityFocus. The article is about a report on trends in the types of CVEs: "a report released in October by the Common Vulnerabilities and Exposures (CVE) Project found that the top-three categories of flaws were specific to Web programs and accounted for 45 percent of the bugs reported in the first nine months of the year."
The author also includes a quote by CVE List Editor Steve Christey about researchers searching for possible security vulnerabilities: "Many people are doing 'grep and gripe' research. They are doing a regular expression search, looking for patterns. If they get a match they will report it to the public, but sometimes what ends up happening is they are reporting false positives." Christey further states: "You have emerging levels of sophistication for vulnerability researchers. You have a lot of people who are able to find the low-hanging fruit. But for major software, it seems to be getting more difficult for top researchers to find these issues--they have to work harder, spend more time, spend more resources, (and) do more complex research."
SecurityFocus is a member of the CVE Editorial Board. The article was written by Robert Lemos.
CSOonline.com, January 1, 2007
CVE was mentioned throughout a January 1, 2007 article entitled "The Chilling Effect" on CSOonline.com about "how the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal." The author refers to CVE as "the definitive dictionary of all confirmed software bugs."
CVE is mentioned again when the author quotes CVE List Editor Steve Christey on vulnerability disclosure: "Disclosure is one of the main ethical debates in computer security. There are so many perspectives, so many competing interests, that it can be exhausting to try and get some movement forward." The author then uses CVE Identifiers to illustrate responsible disclosure: "Three vulnerabilities that followed the responsible disclosure process recently are CVE-2006-3873, a buffer overflow in an Internet Explorer DLL file; CVE-2006-3961, a buffer overflow in an Active X control in a McAfee product; and CVE-2006-4565, a buffer overflow in the Firefox browser and Thunderbird e-mail program. It's not surprising that all three are buffer overflows. With shrink-wrapped software, buffer overflows have been for years the predominant vulnerability discovered and exploited."
The author also discusses the trends in the types of CVEs: "The speed with which Web vulnerabilities have risen to dominate the vulnerability discussion is startling. Between 2004 and 2006, buffer overflows dropped from the number-one reported class of vulnerability to number four. Counter to that, Web vulnerabilities shot past buffer overflows to take the top three spots. The number-one reported vulnerability, cross-site scripting (XSS) comprised one in five of all CVE-reported bugs in 2006." As part of this discussion the author again quotes Steve Christey: "Every input and every button you can press is a potential place to attack. And because so much data is moving you can lose complete control. Many of these vulnerabilities work by mixing code where you expect to mix it. It creates flexibility but it also creates an opportunity for hacking."
Steve Christey is again quoted in the final section of the article about the future of Web vulnerabilities: "Just as with shrink-wrapped software five years ago, there are no security contacts and response teams for Web vulnerabilities. In some ways, it's the same thing over again. If the dynamic Web follows the same pattern, it will get worse before it gets better, but at least we're not at square one." The author goes on to state that "Christey says his hope rests in part on an efficacious public that demands better software and a more secure Internet, something he says hasn't materialized yet."
The article was written by Scott Berinato.
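The CSOonline piece above, like the Ed Skoudis column on the value of common names, rests on the one thing a CVE Identifier guarantees: two parties quoting CVE-2006-3873 mean the same issue, so reports from different sources can be correlated by ID. The Python below is an added example written for this archive page, not code from MITRE, NVD or any of the publications cited. It pulls CVE Identifiers out of free text such as an advisory or a news article, normalizes the loose spellings that turn up in prose (lower case, spaces or underscores instead of hyphens) to the canonical CVE-YYYY-NNNN form, and accepts the sequence numbers longer than four digits that the CVE ID syntax has allowed since January 1, 2014, which is the case that broke tools hard-coded to exactly four digits. The sample text is constructed for the example; the three 2006 IDs in it are the ones the CSOonline article quotes, and the 2014-style ID is a syntactically valid placeholder, not a reference to a real entry.

```python
from __future__ import annotations
import re

# Loose pattern for CVE Identifiers as they appear in prose: the prefix in any
# case, the separator may be a hyphen, underscore or space, and the sequence
# number is four or more digits (the syntax in force since January 1, 2014,
# a superset of the CVE-YYYY-NNNN form of the 2006 IDs quoted on this page).
_LOOSE_CVE_RE = re.compile(r"\b(?i:cve)[-_ ]?(\d{4})[-_ ]?(\d{4,})\b")

# Strict pattern for the canonical form: upper-case prefix, hyphens,
# four-digit year, sequence number of at least four digits.
_CANONICAL_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def extract_cve_ids(text: str) -> list[str]:
    """Return the CVE Identifiers found in text, normalized to canonical form,
    de-duplicated, in order of first appearance."""
    found: list[str] = []
    for year, seq in _LOOSE_CVE_RE.findall(text):
        cid = f"CVE-{year}-{seq}"
        if cid not in found:
            found.append(cid)
    return found


def is_canonical_cve_id(cid: str) -> bool:
    """True only for the exact canonical form. Sequence numbers shorter than
    four digits are zero-padded when assigned (CVE-2006-0001), so "CVE-2006-1"
    is rejected rather than repaired: an ID that does not round-trip exactly
    should not be used as a correlation key."""
    return _CANONICAL_CVE_RE.fullmatch(cid) is not None


# Constructed sample text for the example. The 2014 ID is a placeholder used
# only to exercise the longer sequence number; it is not a real entry.
SAMPLE_TEXT = """The article cites CVE-2006-3873, a buffer overflow in an
Internet Explorer DLL; cve-2006-3961, an ActiveX control in a McAfee product;
and CVE 2006-4565 in Firefox and Thunderbird. Newer entries can look like
CVE-2014-1234567. CVE-2006-3873 is mentioned again here and should count once."""


if __name__ == "__main__":
    for cid in extract_cve_ids(SAMPLE_TEXT):
        print(cid, "canonical" if is_canonical_cve_id(cid) else "NOT canonical")
```

Feed the extractor the raw text of any advisory, mailing-list post or scanner report and use the returned canonical IDs as the join key against NVD or your own vulnerability tracker; anything that fails is_canonical_cve_id after normalization is a malformed reference worth flagging rather than silently matching.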