This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your emailbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/March 24, 2008
-------------------------------------------------------
Contents:
1. Feature Story
2. HOT TOPIC
3. Upcoming Event
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
Two Products from Two Organizations Now Registered as Officially
"CVE-Compatible"
Two additional information security products have achieved the
final stage of MITRE's formal CVE Compatibility Process and are
now officially "CVE-Compatible." The products are now eligible to
use the CVE-Compatible Product/Service logo, and a completed and
reviewed "CVE Compatibility Requirements Evaluation" questionnaire
is posted for each product as part of the organization's listing
on the CVE-Compatible Products and Services page on the CVE Web
site. A total of 78 products to date have been recognized as
officially compatible.
The following products are now registered as officially
"CVE-Compatible":
* Archer Technologies - Archer Threat Management
* GFI Software Ltd. - GFI LANguard Network Security Scanner
Use of the official CVE-Compatible logo will allow system
administrators and other security professionals to look for the
logo when adopting vulnerability management products and services
for their enterprises, and the compatibility process questionnaire
will help end-users compare how different products satisfy the CVE
compatibility requirements, and therefore which specific
implementations are best for their networks and systems.
For additional information about CVE compatibility and to review
all products and services listed, visit the CVE Compatibility
Process and CVE-Compatible Products and Services.
LINKS:
Archer Technologies - http://www.archer-tech.com
GFI Software Ltd - http://www.gfi.com
CVE Compatibility Process -
http://cve.mitre.org/compatible/process.html
CVE-Compatible Products and Services -
http://cve.mitre.org/compatible/
-------------------------------------------------------------
HOT TOPIC:
CVE Mentioned in "Government Computer News" Article about SCAP
CVE was mentioned in a March 3, 2008 article entitled "SCAP
narrows security gap" in "Government Computer News." The main
topic of the article is the U.S. National Institute of Standards
and Technology's (NIST) Security Content Automation Protocol
(SCAP) program, which is "a suite of tools to help automate
vulnerability management and evaluate compliance with federal
information technology security requirements."
CVE is mentioned as one of the "more mature standards" of the six
SCAP includes: "The Common Vulnerabilities and Exposures Standard
from Mitre, which provides standard identifiers and a dictionary
for security vulnerabilities related to software flaws."
Three of the other standards the author references as mature are
Open Vulnerability and Assessment Language (OVAL), a standard XML
for security testing procedures and reporting; Extensible
Configuration Checklist Description Format (XCCDF), a standard for
specifying checklists and reporting results; and Common
Vulnerability Scoring System (CVSS), a standard for conveying and
scoring the impact of vulnerabilities. The author also notes the
two "less mature" standards SCAP uses: Common Configuration
Enumeration (CCE), standard identifiers and a dictionary for
system security configuration issues; and Common Platform
Enumeration (CPE), standard identifiers and a dictionary for
platform and product naming.
SCAP is an expansion of NIST's U.S. National Vulnerability
Database (NVD) that is based upon the CVE List. NVD, CVE, and OVAL
are all sponsored by the National Cyber Security Division of the
U.S. Department of Homeland Security.
LINKS:
Government Computer News article -
http://www.gcn.com/print/27_5/45909-1.html
SCAP - http://nvd.nist.gov/scap.cfm
CVE Web site - http://cve.mitre.org
-------------------------------------------------------------
UPCOMING EVENT:
MITRE to Host 'Making Security Measurable' Booth at "RSA 2008,"
April 7-11
MITRE is scheduled to host a Making Security Measurable exhibitor
booth at "RSA 2008" on April 7-11, 2008 at the Moscone Center in
San Francisco, California, USA.
The conference will expose the CVE, CCE, CME, CPE, CWE, CAPEC, CEE,
CRF, OVAL, and Making Security Measurable efforts to information
security professionals from government and industry. Visit the CWE
Calendar for information on this and other events.
LINKS:
RSA 2008 - http://www.rsaconference.com/2008/US/Home.aspx
Making Security Measurable - http://measurablesecurity.mitre.org
CVE Calendar - http://cve.mitre.org/news/calendar.html
-------------------------------------------------------------
ALSO IN THIS ISSUE:
* MITRE Presents 'Making Security Measurable' Briefing at "SEPG
North America 2008" on March 18
* MITRE Hosts 'Making Security Measurable' Booth at "InfoSec World
2008," March 10-11
Read these stories and more news at http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2008, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.
For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.
