Industry News Coverage (Archive)
Below is a comprehensive monthly review of the news and other media’s coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
Hakin9, June 2010
CVE was mentioned in an article entitled "Securing Voice over Internet Protocol" in the June 2010 issue of Hakin9. CVE is mentioned in a section on "Hardening Your VoIP Against Attack" in which the author states: "Consistent repair of your Common Vulnerabilities and Exposures (CVEs) is the litmus test that all information security professionals will be judged by regarding how successfully they are protecting their VoIP networks. Repairing vulnerabilities also helps you stay in compliance with related regulations, including GLBA, HIPAA, 21 CFR FDA 11, E-Sign and SOX-404. CVE Management is the key to hardening your VoIP and removing defects from your computers and networking equipment." CVE is also mentioned in a section on "Possible VoIP Attacks" in which the author describes specific examples of the "types of attacks on your VoIP that [vulnerabilities named by] CVEs can make it vulnerable to".
SAFECode Web Site, June 2010
CVE was mentioned in a June 2010 white paper published by the Software Assurance Forum for Excellence in Code (SAFECode) entitled "An Overview of Software Integrity Practices: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain."
CVE is mentioned in a section on Vulnerability Response in which the authors state: "In today’s world, vendors must push for a more formal understanding of how well their suppliers are equipped with the capability to collect input on vulnerabilities from researchers, customers or sources and turn around a meaningful impact analysis and appropriate remedies in the short timeframes involved. The fact is that the handling of such vulnerabilities will likely become a joint responsibility in the face of downstream visibility to customers. No one can afford to be surprised about a supplier’s potential immaturity in handling these challenges in the middle of a situation. Suppliers provide common terminology for these discussions by using now-default references to well-known specifications like Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (the CVSS). Each party should identify contact personnel and review timing and escalation paths as appropriate to be prepared to provide a prompt response."
IAnewsletter, Winter 2010
"Security Automation: A New Approach to Managing and Protecting Critical Information" is the main topic of the Winter 2010 issue of the Department of Defense’s (DoD) Information Assurance Technology Analysis Center’s (IATAC) IAnewsletter.
According to the newsletter, a security automation strategy will enable automation of "many security and configuration management, compliance, and network defense functions and give our [DoD] system administrators and network defenders a chance to succeed." Specific article topics include: An Introduction to Security Automation; Security Automation: A New Approach Managing and Protecting Critical Information; Security Content Automation Protocol; Secure Configuration Management (SCM); DoD Activities Underway to Mature SCAP Standards; Why Industry Needs Federal Government Leadership to Gain the Benefits of Security Automation; and Practicing Standards-Based Security Assessment and Management.
In addition, MITRE’s CVE, CCE, CPE, and OVAL information assurance data standards are mentioned throughout the issue, especially with regard to how they are utilized by the National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to help enable automated, standards-based security assessment and management.
The newsletter is free to download from the IATAC Web site.