Thursday, August 19, 2010

CVE Announce - August 19, 2010 (opt-in newsletter from the CVE Web site)

Welcome to the latest edition of the CVE-Announce e-newsletter. This email
newsletter is designed to bring recent news about CVE, such as new versions,
upcoming conferences, and new Web site features, right to your email inbox.
Common Vulnerabilities and Exposures (CVE) is the standard for information
security vulnerability names. CVE content results from the collaborative
efforts of the CVE Editorial Board, which is comprised of leading
representatives from the information security community. Details on
subscribing (and unsubscribing) to the email newsletter are at the end.
Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/August 19, 2010
-------------------------------------------------------

Contents:

1. Feature Story
2. HOT TOPIC #1
3. HOT TOPIC #2
4. Upcoming Event
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

Three Products and Services from Two Organizations Now Registered as
Officially "CVE-Compatible"

Three additional information security products and services have achieved
the final stage of MITRE's formal CVE Compatibility Process and are now
officially "CVE-Compatible." The products and services are now eligible to
use the CVE-Compatible Product/Service logo, and a completed and reviewed
"CVE Compatibility Requirements Evaluation" questionnaire is posted for each
product as part of the organization's listing on the CVE-Compatible Products
and Services page on the CVE Web site. A total of 103 products to date have
been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

* NOWCOM.co., Ltd. - SNIPER IPS
                   - SecureCAST

* Legendsec Technology Co. Ltd. - Legendsec SecIDS 3600 Intrusion Detection
System

Use of the official CVE-Compatible logo allows system administrators and
other security professionals to look for the logo when adopting
vulnerability management products and services for their enterprises, and
the compatibility process questionnaire helps end users compare how
different products and services satisfy the CVE compatibility requirements,
and therefore which specific implementations are best for their networks and
systems.

For additional information about CVE compatibility and to review all
products and services listed, visit the CVE Compatibility Process and
CVE-Compatible Products and Services pages.

LINKS:

NOWCOM.co., Ltd. - http://www.nowcom.co.kr/

Legendsec Technology Co. Ltd. - http://www.legendsec.com/

CVE Compatibility Process - http://cve.mitre.org/compatible/process.html

CVE-Compatible Products - http://cve.mitre.org/compatible/


---------------------------------------------------------------
HOT TOPIC #1:

JPCERT/CC Becomes CVE Numbering Authority

Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has
become a CVE Numbering Authority (CNA). JPCERT/CC will begin releasing Japan
Vulnerability Notes (JVN) and JVN iPedia entries that contain reserved CVE
Identifier numbers.

Steve Christey, Editor of the CVE List, said, "We are pleased that important
vulnerabilities in Japanese products will be announced with CVE numbers,
thanks to the Japanese CERT's new role as a CNA. This will help Japanese
consumers to better manage vulnerabilities within their networks.
JPCERT/CC's active participation in the CVE Initiative demonstrates how
international relationships can improve how vulnerability information is
shared across the globe."

Reference maps for JVN and JVNDB identifiers are available to link these
identifiers to their associated CVE Identifier numbers.

JPCERT/CC works with the Information-technology Promotion Agency (IPA) under
the Information Security Early Warning Partnership in Japan.

For additional information about CNAs, and to review the complete list of
organizations participating, visit the CVE Numbering Authorities page.

LINKS:

JPCERT/CC - http://www.jpcert.or.jp/english/

CVE Numbering Authorities - http://cve.mitre.org/cve/cna.html


---------------------------------------------------------------
HOT TOPIC #2:

CVE Mentioned in Two Recent Industry Publications

CVE was mentioned in a June 2010 white paper published by the Software
Assurance Forum for Excellence in Code (SAFECode) entitled "An Overview of
Software Integrity Practices: An Assurance-Based Approach to Minimizing
Risks in the Software Supply Chain."

CVE is mentioned in a section on Vulnerability Response in which the
authors state: "In today's world, vendors must push for a more formal
understanding of how well their suppliers are equipped with the capability
to collect input on vulnerabilities from researchers, customers or sources
and turn around a meaningful impact analysis and appropriate remedies in the
short timeframes involved. The fact is that the handling of such
vulnerabilities will likely become a joint responsibility in the face of
downstream visibility to customers. No one can afford to be surprised about
a supplier's potential immaturity in handling these challenges in the middle
of a situation. Suppliers provide common terminology for these discussions
by using now-default references to well-known specifications like Common
Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System
(the CVSS). Each party should identify contact personnel and review timing
and escalation paths as appropriate to be prepared to provide a prompt
response."

Also, CVE was mentioned in an article entitled "Securing Voice over Internet
Protocol" in the June 2010 issue of "Hakin9". CVE is mentioned in a section
on "Hardening Your VoIP Against Attack" in which the author states:
"Consistent repair of your Common Vulnerabilities and Exposures (CVEs) is
the litmus test that all information security professionals will be judged
by regarding how successfully they are protecting their VoIP networks.
Repairing vulnerabilities also helps you stay in compliance with related
regulations, including GLBA, HIPAA, 21 CFR FDA 11, E-Sign and SOX-404. CVE
Management is the key to hardening your VoIP and removing defects from your
computers and networking equipment." CVE is also mentioned in a section on
"Possible VoIP Attacks" in which the author describes specific examples of
the "types of attacks on your VoIP that [vulnerabilities named by] CVEs can
make it vulnerable to".

LINKS:

SAFECode software integrity white paper -
http://www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf

Hakin9 VoIP security article -
http://download.hakin9.org/en/Securing_VoIP_06_2010.pdf


---------------------------------------------------------------
UPCOMING EVENT:

CVE Included as Topic at "IT Security Automation Conference 2010", September
27-29

CVE will be included as a topic at the U.S. National Institute of Standards
and Technology's (NIST) "6th Annual IT Security Automation Conference 2010"
on September 27-29, 2010 in Baltimore, Maryland, USA. The CVE Team is also
scheduled to contribute to the CVE-related workshops.

The U.S. National Institute of Standards and Technology's (NIST) SCAP
employs existing community standards to enable "automated vulnerability
management, measurement, and policy compliance evaluation (e.g., FISMA
compliance)," and CVE is one of the six open standards SCAP uses for
enumerating, evaluating, and measuring the impact of software problems and
reporting results. The other five standards are:

* Open Vulnerability and Assessment Language (OVAL), a standard XML for
security testing procedures and reporting;

* Common Configuration Enumeration (CCE), standard identifiers and a
dictionary for system security configuration issues;

* Common Platform Enumeration (CPE), standard identifiers and a dictionary
for platform and product naming;

* Extensible Configuration Checklist Description Format (XCCDF), a standard
for specifying checklists and reporting results; and

* Common Vulnerability Scoring System (CVSS), a standard for conveying and
scoring the impact of vulnerabilities.

MITRE will also present Software Assurance and Making Security Measurable
briefings, and host a Making Security Measurable booth. We hope to see you
there.

For additional information on this and other events visit the CVE Calendar
page.


LINKS:

IT Security Automation Conference - http://scap.nist.gov/events/

Making Security Measurable - http://makingsecuritymeasurable.mitre.org/

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* Beijing Venustech Security Inc. Makes Declaration of CVE Compatibility

* Novell, Inc. Makes Declaration of CVE Compatibility

* XMCO Partners Makes Declaration of CVE Compatibility

* CVE/Making Security Measurable Booth at "Black Hat Briefings 2010"


Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Boyle, Information Security Technical Center. Writer:
Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and
provides impartial technical guidance to the CVE Editorial Board on all
matters related to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message
and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org. To
subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2010, The MITRE Corporation. CVE and the CVE logo are registered
trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more about
Making Security Measurable at http://measurablesecurity.mitre.org.
