Welcome to the latest edition of the CVE-Announce e-newsletter.
This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your emailbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/Ocotber 5, 2009
-------------------------------------------------------
Contents:
1. Feature Story
2. UPCOMING EVENT
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Celebrates 10 Years!
CVE began 10 years ago this month with 321 entries on the CVE
List. Since then, CVE has truly become the international standard
for public software vulnerability identifiers with more than
38,000+ unique information security issues with publicly known
names available on the CVE Web site. Information security
professionals and product vendors from around the world use CVE
Identifiers (CVE-IDs) as a standard method for identifying
vulnerabilities; facilitating their work processes; and
cross-linking among products, services, and other repositories
that use the identifiers.
Initially intended as a source of mature information, the
immediate success of CVEs in the community required that the
initiative quickly expand to address new security issues that were
appearing almost daily. As a result, the CVE List grew quickly to
7,191 CVE-IDs after five years, and at 10 years now includes
38,727 CVE-IDs. CVEs are now assigned not only by MITRE, but also
by major OS vendors, security researchers, and research
organizations that assign CVEs to newly discovered issues and
include the CVE-IDs in the first public disclosure of the
vulnerabilities.
Impact of CVE on the Information Security Landscape
The widespread impact of CVE in enterprise security is illustrated
by the numerous CVE-Compatible Products and Services in use
throughout industry, government, and academia for vulnerability
management, vulnerability alerting, intrusion detection, and patch
management. The information security community endorsed the
importance of "CVE-Compatible" products from the moment CVE was
launched in 1999. As quickly as December 2000 there were 29
organizations participating with declarations of compatibility for
43 products. Today, there are 142 organizations and 252 products
and services listed on the CVE site. Of these, 75 products and
services from 40 organizations have completed the formal CVE
Compatibility Process and are considered as "Officially
CVE-Compatible."
CVE-IDs have been included in security advisories from 73
organizations including major OS vendors and others, ensuring the
community benefits by having identifiers as soon as a software
issue is announced. CVE-IDs are also used to uniquely identify
vulnerabilities in public watch lists such as the SANS Top 20 Most
Critical Internet Security Vulnerabilities and OWASP Top 10 Web
Application Security Issues, and are rated by severity in the
Common Vulnerability Scoring System (CVSS).
CVE has also inspired entirely new efforts. The U.S. National
Vulnerability Database (NVD) of CVE fix information operated by
the National Institute of Standards and Technology (NIST) is based
upon, and synchronized with, the CVE List. In addition, the Open
Vulnerability and Assessment Language (OVAL(R)) effort uses
CVE-IDs for its standardized OVAL Vulnerability Definitions that
test systems for the presence of CVEs, and the Common Weakness
Enumeration (CWE(TM)) dictionary of software weakness types is
based in part on the CVE List. Other efforts inspired by the
success of CVE include CVSS, Common Configuration Enumeration
(CCE(TM)), Common Platform Enumeration (CPE(TM)), Common Attack
Pattern Enumeration and Classification (CAPEC(TM)), Common Event
Expression (CEE(TM)), Common Result Format (CRF(TM)), Open
Checklist Reporting Language (OCRL(TM)), Open Checklist
Interactive Language (OCIL), Benchmark Development, National
Checklist Program Repository, Common Announcement Interchange
Format (CAIF), Extensible Configuration Checklist Description
Format (XCCDF), and Making Security Measurable.
The success of CVE and the other standards it inspired also
eventually enabled the creation of NIST's Security Content
Automation Protocol (SCAP). SCAP employs existing community
standards to enable "automated vulnerability management,
measurement, and policy compliance evaluation (e.g., FISMA
compliance)," and CVE is one of the six existing open standards
SCAP uses for enumerating, evaluating, and measuring the impact of
software problems and reporting results. The other five standards
are OVAL, CCE, CPE, XCCDF, and CVSS. In addition, the U.S. Federal
Desktop Core Configuration (FDCC) requires verification of
compliance with FDCC requirements using SCAP-validated scanning
tools. CVE has also been a requirement in U.S. Department of
Defense contracts.
And the adoption of CVE continues. This autumn the International
Telecommunication Union's (ITU-T) Cybersecurity Rapporteur Group,
which is the telecom/information system standards body within the
treaty-based 150-year-old intergovernmental organization, is
adopting CVE as a part of its new "Global Cybersecurity
Information Exchange Framework (X.CYBIEF)." ITU-T will be creating
an "X.CVE standard" that is based on the current CVE Compatibility
Requirements, and any future changes to the document will be
reflected in subsequent updates to X.CVE.
Community Participation
CVE is an international information security community effort. It
is your past and ongoing participation, endorsement, and support
that have made CVE the community standard for vulnerability
identifiers. We thank all you who have in any way used CVE-IDs in
your products or research, promoted the use of CVE, and/or adopted
CVE-compatible products or services for your enterprise.
We also thank past and present members of the CVE Editorial Board
for the contributions, and we especially thank our sponsors
throughout these nine years, particularly our current sponsor
National Cyber Security Division at the U.S. Department of
Homeland Security, for their past and current funding and support.
Our Anniversary Celebration
Please join us as our 10-year anniversary celebration continues
throughout the coming year on the CVE Web site and in our Making
Security Measurable booth at events throughout the remainder of
2009, at IT Security Automation Conference 2009, and then
throughout 2010 including InfoSec World 2010, DoD Information
Assurance Symposium 2010, RSA 2010, and Black Hat Briefings 2010.
As always, we welcome any comments or feedback about CVE at
cve@mitre.org.
LINK:
CVE Web site - http://cve.mitre.org
---------------------------------------------------------------
UPCOMING EVENT:
Making Security Measurable Briefing and Booth at "IT Security
Automation Conference 2009," October 26-29
MITRE is scheduled to present a briefing about Making Security
Measurable (MSM) and host an MSM booth at the U.S. National
Institute of Standards and Technology's (NIST) "5th Annual IT
Security Automation Conference" on October 26-29, 2009 in
Baltimore, Maryland, USA. The CVE Team is also scheduled to
contribute to the CVE-related workshops.
Visit the CVE Calendar for information on this and other events.
LINKS:
IT Security Automation Conference 2009 -
http://www.nist.gov/public_affairs/confpage/091026.htm
SCAP - http://nvd.nist.gov/scap.cfm
Making Security Measurable - http://measurablesecurity.mitre.org
CVE Calendar - http://cve.mitre.org/news/calendar.html
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE 10-Year Anniversary Main Topic of Article on "Government
Computer News"
* CVE Compatibility Requirements Document Updated
Read these stories and more news at http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2009, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.
For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more
about Making Security Measurable at
http://measurablesecurity.mitre.org.
