News & Events

May 11, 2012
1 Product from Beijing Venustech Now Registered as Officially "CVE-Compatible"
The following product is now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

New CVE Editorial Board Member
Damir Rajnovic of Cisco Systems, Inc. has joined the CVE Editorial Board. Andy Balinsky of NIST also remains as a Board member.

Registration Now Open for Security Automation Developer Days 2012 on July 9-13
MITRE Corporation will host the fourth Security Automation Developer Days conference on July 9-13, 2012, at MITRE in Bedford, Massachusetts, USA. This five-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP). The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including Open Vulnerability and Assessment Language (OVAL®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop. MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community. An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/.

May 7, 2012
CVE List Surpasses 50,000 CVE Identifiers
The CVE Web site now contains 50,062 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE-IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. In addition, CVE-IDs have been used to identify vulnerabilities in the SANS Top Cyber Security Risks threat list since its inception in 2000.

CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE™) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL®) effort uses CVE-IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information that is synchronized with and based on the CVE List also includes Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the eight existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

And in 2011, the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, adopted CVE as a part of its new "Global Cybersecurity Information Exchange techniques (X.CYBEX)" by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE), which is based upon CVE’s current Compatibility Requirements; any future changes to the document will be reflected in subsequent updates to X.CVE.

Each of the 50,000+ identifiers on the CVE List includes the following: CVE Identifier number (i.e., "CVE-1999-0067"); brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look up an individual identifier. Fix information and enhanced searching of CVE are available from NVD.

April 13, 2012
1 Product from Sangfor Technologies Co., Ltd. Now Registered as Officially "CVE-Compatible"
The following product is now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

April 5, 2012
MITRE Hosts CVE/Making Security Measurable Booth at InfoSec World 2012
MITRE hosted a CVE/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees learned how information security data standards such as CVE, CCE, CPE, CWE, CAPEC, MAEC, CybOX, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Visit the CVE Calendar for information on this and other events.

March 22, 2012
2 Products from 2 Organizations Now Registered as Officially "CVE-Compatible"
The following products are now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

MITRE to Host CVE/Making Security Measurable Booth at InfoSec World 2012, April 2-4
MITRE will host a CVE/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees will learn how information security data standards such as CVE, CCE, CPE, CWE, CAPEC, MAEC, CybOX, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CVE Team will be in attendance. Please stop by Booth 513 and say hello! Visit the CVE Calendar for information on this and other events.

March 8, 2012
Photos from CVE/Making Security Measurable Booth at RSA 2012
MITRE hosted a CVE/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 – March 2, 2012. Attendees learned how information security data standards such as CVE, CCE, CPE, CWE, CAPEC, CWSS, CybOX, MAEC, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Making Security Measurable booth photos:
Visit the CVE Calendar for information on this and other events.

February 27, 2012
1 Product from CXSecurity Now Registered as Officially "CVE-Compatible"
The following product is now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

February 13, 2012
1 Product from Application Security Now Registered as Officially "CVE-Compatible"
The following product is now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

NGSSecure Makes 10 Declarations of CVE Compatibility
NGSSecure, a Division of NCC Group UK PLC, declared that its enterprise class vulnerability management software product, NGS Auditor, and its standalone vulnerability assessment software products, NGS OraScan, NGS DominoScan II, NGS SQuirreL for DB2, NGS SQuirreL for SQL Server, NGS SQuirreL for Oracle, NGS SQuirreL for Informix, NGS SQuirreL for Sybase ASE, NGS SQuirreL for MySQL, and NGS Typhon III, are CVE-Compatible. For additional information about these and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

Sangfor Technologies Makes Declaration of CVE Compatibility
Sangfor Technologies Co., Ltd. declared that its Next-Generation Application Firewall is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

CVE/Making Security Measurable Booth at RSA 2012, February 27 – March 2
MITRE is scheduled to host a CVE/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 – March 2, 2012. Attendees will learn how information security data standards such as CVE, CCE, CPE, CWE, CAPEC, CWSS, CybOX, MAEC, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CVE Team will be in attendance. Please stop by Booth 2617 and say hello! Visit the CVE Calendar for information on this and other events.

CVE Mentioned in Article about Updates to Guidelines for Adopting and Using Security Content Automation Protocol (SCAP) on GCN
CVE is mentioned in a January 9, 2012 article entitled "Getting the most out of automated IT security management" on Government Computer News.com. The main topic of the article is the National Institute of Standards and Technology (NIST) updating its guidelines for using Security Content Automation Protocol (SCAP) "for checking and validating security settings on IT systems" by releasing "Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol Version 1.2, Revision 1."

CVE is mentioned when the author explains how SCAP combines several existing community standards created and maintained by several different organizations "including MITRE Corp., the National Security Agency, and the Forum for Incident Response and Security Teams", and that the "specifications making up SCAP are divided into languages, reporting formats, enumerations, measurement and scoring systems, and integrity protection." The author then lists the 11 SCAP components, with CVE included under Enumerations. The other MITRE initiatives listed are Common Platform Enumeration (CPE) and Common Configuration Enumeration (CCE), also under Enumerations, and under Languages, Open Vulnerability and Assessment Language (OVAL). The article concludes with a summary of the updates to the guidelines.

January 24, 2012
NETpeas, SA Makes Declaration of CVE Compatibility
NETpeas, SA declared that its cloud-based, multi-engines vulnerability management service, COREvidence, will be CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

January 13, 2012
New CVE Editorial Board Member
Harold Booth of National Institute of Standards and Technology (NIST) has joined the CVE Editorial Board. Peter Mell of NIST also remains as a Board member.

January 4, 2012
1 Product from TrustSign Now Registered as Officially "CVE-Compatible"
The following product is now registered as officially "CVE-Compatible":
Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CXSecurity Makes Declaration of CVE Compatibility
CXSecurity declared that its vulnerability database, World Laboratory of Bugtraq (WLB), is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2012
MITRE has announced its initial Making Security Measurable calendar of events for 2012. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event. Other events may be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have MITRE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CybOX, CWE, MAEC, CEE, OVAL, Software Assurance, and/or Making Security Measurable at your event.