This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your emailbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/June 15, 2009
-------------------------------------------------------
Contents:
1. Feature Story
2. UPCOMING EVENT
3. Also in this Issue
4. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Mentioned in Article about SCAP in "Computerworld"
CVE was mentioned in an article entitled "How SCAP Brought Sanity
to Vulnerability Management" in "Computerworld" on May 11, 2009.
The main topic of the article is the U.S. National Institute of
Standards and Technology's (NIST) Security Content Automation
Protocol (SCAP).
CVE is mentioned when the author explains that "SCAP is part of
the Information Security Automation Program and is made up of a
collection of existing standards. These standards include some
that many of us are already familiar with, such as the Common
Vulnerabilities and Exposures (CVE) and the Common Vulnerability
Scoring System (CVSS). Additionally, it includes the Common
Platform Enumeration (CPE), a standard to describe a specific
hardware, OS and software configuration. This is helpful for
enumerating assets, giving you your baseline information to apply
all of this data; the Common Configuration Enumeration (CCE), very
similar to CVE but dealing with misconfiguration issues; the Open
Vulnerability and Assessment Language (OVAL) to provide schemas
that describe the inventory of a computer, the configuration on
that computer and a report of what vulnerabilities were found on
that computer; and Extensible Configuration Checklist Description
Format (XCCDF), a description language to help you apply your
technical policies and standards to your scanning tools."
The author also provides an example of SCAP in action: "Let's see
how this helps me in building a real solution. As a head of a
vulnerability management program as discussed earlier, I am
sitting on data from application security assessment tools, host
and network scanners, and database vulnerability and configuration
scanners. In reality, this includes multiple products and services
for application security, as well as multiple tools for host and
network assessments. I set out by taking advantage of APIs when
available from the assessment tool providers as well as XML data
feeds. Utilizing the code I've just written to automate the
movement of the data, I now need to map this information to a
normalized schema, taking advantage of the SCAP standards. This is
a big deal! I now have a common way to describe the
vulnerabilities. I can eliminate duplicates that reference the
same CVE on the same platforms."
LINKS:
Computerworld article -
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132822
SCAP - http://nvd.nist.gov/scap.cfm
CVE - http://cve.mitre.org
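The normalization step the article's author describes (pulling findings from several tools, mapping them onto the SCAP identifiers, then dropping duplicates that name the same CVE on the same platform) is easy to get subtly wrong: tool exports spell identifiers in different case, the same CVE on two different platforms is two findings rather than one, and a malformed identifier should be reported rather than quietly merged. The script below is an added example written for this newsletter, not code from the Computerworld article or from MITRE; the three scanner feeds, their field names and every CVE and CPE value in them are constructed for illustration, and the source-tool names are hypothetical.

```python
import re

# CVE identifier syntax. The sequence part is 4 or more digits (exactly 4 in
# 2009-era identifiers; variable length since 2014).
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample exports from three hypothetical assessment tools. Each
# tool names its fields differently; none of these are real products or findings.
APP_SCANNER_FEED = [
    {"vuln_id": "CVE-2009-0001", "target": "cpe:/a:example:webapp:1.0", "severity": "High"},
    {"vuln_id": "CVE-2009-0002", "target": "cpe:/a:example:webapp:1.0", "severity": "Medium"},
]
HOST_SCANNER_FEED = [
    # same finding as the app scanner's first row, spelled in a different case
    {"cve": "cve-2009-0001", "platform": "CPE:/a:example:webapp:1.0", "cvss": 7.5},
    # same CVE on a different platform: a distinct finding, not a duplicate
    {"cve": "CVE-2009-0001", "platform": "cpe:/o:example:server_os:5", "cvss": 7.5},
]
DB_SCANNER_FEED = [
    # malformed identifier: must be reported, never silently merged
    {"cve_ref": "CVE-2009-ABCD", "asset": "cpe:/a:example:db:9"},
]

# (source name, CVE field, CPE field, records)
SAMPLE_FEEDS = [
    ("app-scanner", "vuln_id", "target", APP_SCANNER_FEED),
    ("host-scanner", "cve", "platform", HOST_SCANNER_FEED),
    ("db-scanner", "cve_ref", "asset", DB_SCANNER_FEED),
]


def normalize(record, cve_field, cpe_field):
    """Map one tool-specific record to a (CVE, CPE) pair with canonical spelling."""
    cve = record[cve_field].strip().upper()
    if not CVE_ID.match(cve):
        raise ValueError(f"not a CVE identifier: {record[cve_field]!r}")
    # CPE names are compared case-insensitively, so lowercase them; otherwise
    # two spellings of one platform would split a single finding in two.
    cpe = record[cpe_field].strip().lower()
    return cve, cpe


def merge_feeds(feeds):
    """Merge all feeds on (CVE, CPE).

    Returns ({(cve, cpe): {"sources": set_of_tool_names}}, [skipped records]).
    A record is skipped, not merged, when a field is missing or the CVE is malformed.
    """
    merged = {}
    skipped = []
    for source, cve_field, cpe_field, records in feeds:
        for rec in records:
            try:
                key = normalize(rec, cve_field, cpe_field)
            except (KeyError, ValueError) as exc:
                skipped.append((source, rec, str(exc)))
                continue
            merged.setdefault(key, {"sources": set()})["sources"].add(source)
    return merged, skipped


if __name__ == "__main__":
    merged, skipped = merge_feeds(SAMPLE_FEEDS)
    for (cve, cpe), info in sorted(merged.items()):
        print(f"{cve} on {cpe}: reported by {', '.join(sorted(info['sources']))}")
    for source, rec, reason in skipped:
        print(f"skipped {source} record {rec}: {reason}")
```

Run on the constructed feeds, the five input rows collapse to three findings: the app and host scanners agree on CVE-2009-0001 for the web application, the host scanner alone reports the same CVE on the server OS, and the database scanner's malformed identifier is listed as skipped so it can be chased back to the tool rather than lost. Keeping the set of reporting tools per finding is what lets a program later ask which scanners are missing a vulnerability they should have seen.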
---------------------------------------------------------------
UPCOMING EVENT:
MITRE to Host 'Making Security Measurable' Booth at "Black Hat
Briefings 2009," July 29-30
CVE is scheduled to participate in a Making Security Measurable
booth at "Black Hat Briefings 2009" on July 29-30, 2009 at Caesars
Palace Las Vegas in Las Vegas, Nevada, USA.
Stop by Booth 79 and learn how information security data standards
facilitate both effective security process coordination and the
use of automation to assess, manage, and improve the security
posture of enterprise security information infrastructures.
Visit the CVE Calendar for information on this and other events.
LINKS:
Black Hat Briefings 2009 -
http://www.blackhat.com/html/bh-usa-09/bh-us-09-main.html
Making Security Measurable - http://measurablesecurity.mitre.org
CVE Calendar - http://cve.mitre.org/news/calendar.html
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about SCAP in "Government Computer
News"
Read these stories and more news at http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2009, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.
For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more
about Making Security Measurable at
http://measurablesecurity.mitre.org.