News & Events

April 17, 2014

1 Product from Altex-Soft Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 161 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Altex-Soft - Altex-Soft Ovaldb

System administrators and other security professionals can look for the official CVE-Compatible logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE-IDs Included in Annual "Secunia Vulnerability Review 2014"

CVE-IDs are included in the annual "Secunia Vulnerability Review 2014" report by Secunia, which "analyzes the evolution of software security from a global endpoint perspective. It presents data on vulnerabilities and the availability of patches, and correlates this information with the market share of programs to map the security threats to IT infrastructures." The report also explains what CVE is and how common identifiers improve security.

How CVE-IDs are used in the report is explained as follows: "CVE has become a de facto industry standard used to uniquely identify vulnerabilities which have achieved wide acceptance in the security industry. Using CVEs as vulnerability identifiers allows correlating information about vulnerabilities between different security products and services. CVE information is assigned in Secunia Advisories. The intention of CVE identifiers is, however, not to provide reliable vulnerability counts, but is instead a very useful, unique identifier for identifying one or more vulnerabilities and correlating them between different sources. The problem in using CVE identifiers for counting vulnerabilities is that CVE abstraction rules may merge vulnerabilities of the same type in the same product versions into a single CVE, resulting in one CVE sometimes covering multiple vulnerabilities. This may result in lower vulnerability counts than expected when basing statistics on the CVE identifiers."

The report is available for download at http://secunia.com/vulnerability-review/index.html.

CVE Mentioned in Article about Vulnerability Statistics on NetworkWorld.com

CVE is mentioned in a March 26, 2014 article entitled "Biased software vulnerability stats praising Microsoft were 101% misleading" on NetworkWorld.com. The main topic of the article is a review of the "Secunia Vulnerability Review 2014" report.

CVE is mentioned when the author references the Black Hat Briefings 2013 talk "Buying into the Bias: Why Vulnerability Statistics Suck," on the impact of uncertainty in vulnerability statistics, which was co-presented by CVE List Editor Steve Christey and Brian Martin of the Open Security Foundation in Las Vegas, NV, on July 31, 2013.

The author states: "If a vulnerability report is misleading, then I can only imagine the amount of aggravation it causes some people, such as the gentlemen who presented 'Buying Into the Bias: Why Vulnerability Statistics Suck' at Black Hat 2013. At that time, Jericho, the content manager of the Open Source Vulnerability Database (OSVDB), and Steve Christey, the editor of the Common Vulnerabilities and Exposures (CVE) list, announced, 'Most of these statistical analyses are faulty or just pure hogwash. They use the easily-available, but drastically misunderstood data to craft irrelevant questions based on wild assumptions, while never figuring out (or even asking us about) the limitations of the data. This leads to a wide variety of bias that typically goes unchallenged, that ultimately forms statistics that make headlines and, far worse, are used for budget and spending.' During their presentation, they added, 'As maintainers of two well-known vulnerability information repositories, we're sick of hearing about sloppy research after it's been released, and we're not going to take it any more.'" The author then discusses Brian Martin's (aka Jericho's) review of the Secunia report.

CVE Mentioned in Article about Secure Software Development on GCN.com

CVE is mentioned in a March 21, 2014 article entitled "When software development produces a lemon, make lemonade" on GCN.com. CVE is mentioned when the author states: "the Secure Development Lifecycle (SDL) that grew out of the Microsoft initiative has helped to change the way developers think about software security. The SDL process now shows up as a requirement in government procurements, and the National Security Agency says it has made an impact on OS security. 'A fundamental goal of the SDL process is to reduce the attack surface,' NSA said in an evaluation of Windows 7 security for the Defense Department and the intelligence community. 'Since adoption of the SDL process, the number of Common Vulnerabilities and Exposures on Microsoft products in the National Vulnerability Database has declined.' 'A preliminary System and Network Analysis Center analysis has determined that the new Windows 7 security features, coupled with the use of the SDL process throughout the development cycle, has assisted in the delivery of a more secure product,' the assessment concluded. We still are a long way from being as secure as we want to be or can be. But there has been progress."

April 4, 2014

Proximis Makes Declaration of CVE Compatibility

Proximis declared that its Apache CouchDB JSON Database is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

March 17, 2014

1 Product from NSFOCUS Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 160 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

NSFOCUS Information Technology Co., Ltd. - Next-Generation Firewall (NF)

System administrators and other security professionals can look for the official CVE-Compatible logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Codenomicon, Ltd. Makes Declaration of CVE Compatibility

Codenomicon, Ltd. declared that its binary vulnerability scanner, Codenomicon Appcheck, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

February 21, 2014

Technical Guidance for Handling the New CVE-ID Syntax Now Available

A new Technical Guidance for Handling the New CVE-ID Syntax page is now available on the CVE Web site. The page provides technical guidance and test data for developers and consumers of tools, web sites, and other capabilities that use CVE Identifiers (CVE-IDs), including: considerations for input and output formats, considerations for extraction or parsing, extraction and conversion methods for CVE-IDs, an example conversion algorithm for incoming IDs, and CVE-ID Test Data for Implementers, available for download as a ZIP file.

Feedback about this page and/or the test data is welcome at cve-id-change@mitre.org.

February 6, 2014

ViewTrust Technology, Inc. Makes Declaration of CVE Compatibility

ViewTrust Technology, Inc. declared that its aggregation capability, Analytic Continuous Monitoring Engine (ACE), is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

January 15, 2014

New CVE-ID Format in Effect as of January 1, 2014

The new syntax for CVE Identifiers (CVE-IDs) took effect on January 1, 2014.

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits

IMPORTANT: The variable-length arbitrary digits begin at four (4) fixed digits and expand with additional digits only when needed within a calendar year, for example CVE-YYYY-NNNN and, if needed, CVE-YYYY-NNNNN, CVE-YYYY-NNNNNN, and so on. This also means no changes are needed to previously assigned CVE-IDs, all of which have exactly 4 digits.

Visit the CVE-ID Syntax Change page for additional information, and send any comments or concerns to cve-id-change@mitre.org.
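The two announcements above (the syntax change and the technical guidance page) describe what a consumer of CVE-IDs must get right: a parser that assumes exactly four sequence digits silently truncates a five-digit ID, and incoming IDs from other sources may need canonicalizing before they can be correlated. The following Python is an added example written for this page, not MITRE's own conversion algorithm or test data. It shows the legacy four-digit regular expression failing on longer IDs beside a pattern that accepts four or more digits, a validity check that treats a leading zero in a sequence number longer than four digits as invalid (this example's reading of "expand only when needed"), and a normalizer that pads short sequence numbers and strips surplus leading zeros. The advisory text and the padding/stripping rule are the example's own assumptions.

```python
import re

# Legacy pattern: exactly four sequence digits, the pre-2014 assumption.
# findall() on a longer ID returns only its first four digits.
LEGACY_RE = re.compile(r"CVE-(\d{4})-(\d{4})", re.IGNORECASE)

# 2014 syntax: four or more sequence digits. The trailing \b stops the match
# from ending early inside a longer digit run.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def is_valid_cve_id(token):
    """True if token is a canonical CVE-ID under the 2014 syntax.

    Canonical form is upper-case 'CVE', a four-digit year, and a sequence
    number of at least four digits. Because the sequence number only grows
    when a year exhausts the shorter form, a sequence number longer than
    four digits never starts with '0' (assumption: e.g. CVE-2014-01234 is
    rejected here, since it would simply be CVE-2014-1234).
    """
    m = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", token)
    if not m:
        return False
    seq = m.group(2)
    return len(seq) == 4 or seq[0] != "0"


def normalize_cve_id(raw):
    """Canonicalize a loosely formatted incoming ID (example conversion rule,
    not MITRE's): upper-case the prefix, pad sequence numbers shorter than
    four digits with leading zeros, strip leading zeros beyond four digits.
    Raises ValueError for anything that is not shaped like a CVE-ID."""
    m = re.fullmatch(r"\s*cve-(\d{4})-(\d+)\s*", raw, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a CVE-ID: {raw!r}")
    year, seq = m.group(1), m.group(2).lstrip("0")
    seq = seq.rjust(4, "0")  # '7' -> '0007', '12345' stays '12345'
    return f"CVE-{year}-{seq}"


def extract_cve_ids(text, pattern=CVE_RE):
    """Return every CVE-ID found in free text, in canonical form."""
    return [f"CVE-{year}-{seq}" for year, seq in pattern.findall(text)]


# Constructed sample advisory text (not from any real advisory).
SAMPLE = ("Constructed advisory text: fixes CVE-2013-0001, "
          "CVE-2014-12345 and cve-2014-1234567.")

if __name__ == "__main__":
    print("legacy :", extract_cve_ids(SAMPLE, LEGACY_RE))  # truncated IDs
    print("2014   :", extract_cve_ids(SAMPLE))
    for tok in ("CVE-2014-0001", "CVE-2014-12345", "CVE-2014-01234"):
        print(tok, "valid" if is_valid_cve_id(tok) else "invalid")
    print(normalize_cve_id(" cve-2014-7 "), normalize_cve_id("CVE-2014-012345"))
```

The legacy pattern turns both CVE-2014-12345 and CVE-2014-1234567 into CVE-2014-1234, which is exactly the kind of silent mis-correlation the guidance page warns about: a scanner or ticketing system would attach the wrong vulnerability record without raising an error. Validation and normalization are kept separate so that a pipeline can accept sloppy upstream input, canonicalize it, and still reject IDs that could not have been issued.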

CVE-ID Syntax Change Infographic Available for Reposting

An infographic explaining the Previous (i.e., "old") CVE-ID Syntax versus the New CVE-ID Syntax that is in effect as of January 1, 2014 is available for reposting.

CVE-ID Syntax Change

Please feel free to re-post this infographic. We would like the syntax change announcement to reach the widest possible audience.

Hillstone Networks Makes Declaration of CVE Compatibility

Hillstone Networks declared that its Hillstone Networks Intrusion Protection System is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

Page Last Updated: April 17, 2014