Monday, December 20, 2010

CVE Announce - December 20, 2010 (opt-in newsletter from the CVE Web site)

Welcome to the latest edition of the CVE-Announce e-newsletter. This email
newsletter is designed to bring recent news about CVE, such as new versions,
upcoming conferences, new Web site features, etc. right to your email box.
Common Vulnerabilities and Exposures (CVE) is the standard for information
security vulnerability names. CVE content results from the collaborative
efforts of the CVE Editorial Board, which is comprised of leading
representatives from the information security community. Details on
subscribing (and unsubscribing) to the email newsletter are at the end.
Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/December 20, 2010
-------------------------------------------------------

Contents:

1. Feature Story
2. Hot Topic
3. Upcoming Event
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

3 Products and Services from 2 Organizations Now Registered as Officially
"CVE-Compatible"

Three additional information security products and services have achieved
the final stage of MITRE's formal CVE Compatibility Process and are now
officially "CVE-Compatible." The products and services are now eligible to
use the CVE-Compatible Product/Service logo, and a completed and reviewed
"CVE Compatibility Requirements Evaluation" questionnaire is posted for each
product as part of the organization's listing on the CVE-Compatible Products
and Services page on the CVE Web site. A total of 111 products to-date have
been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

* Xi'an Jiaotong University Jump Network Technology Co., Ltd.
  - JumpIPS
  - Jump NVAS

* Offensive Security - Exploit Database

The official CVE-Compatible logo gives system administrators and other
security professionals a quick way to identify compatible vulnerability
management products and services when selecting them for their enterprises.
The completed compatibility questionnaire posted for each product lets
end-users compare how different products and services satisfy the CVE
compatibility requirements, and therefore judge which specific implementations
best fit their networks and systems.

For additional information about CVE compatibility and to review all
products and services listed, visit the CVE Compatibility Process and
CVE-Compatible Products and Services.

LINKS:

Jump Network Technology - http://www.jump.net.cn/

Offensive Security - http://www.offensive-security.com/

CVE Compatibility Process - http://cve.mitre.org/compatible/process.html

CVE-Compatible Products - http://cve.mitre.org/compatible/

---------------------------------------------------------------
HOT TOPIC:

New ISO/IEC Report Lists the 51 Most Common Vulnerabilities in Programming
Languages

The International Organization for Standardization (ISO) and International
Electrotechnical Commission (IEC) issued a joint technical report (TR) on
September 29, 2010 entitled "ISO/IEC TR 24772:2010, Information technology
-- Programming languages -- Guidance to avoiding vulnerabilities in
programming languages through language selection and use" that describes
classes of programming language vulnerabilities, that is, features of
languages that encourage or permit the writing of code that contains
application vulnerabilities. The report describes 51 vulnerabilities in the
languages themselves, as well as 20 additional vulnerabilities that could be
avoided by offering a richer set of library routines.

According to the report, programming language vulnerabilities should
especially be avoided "in the development of systems where assured behaviour
is required for security, safety, mission critical and business critical
software. In general, this guidance is applicable to the software developed,
reviewed, or maintained for any application." The report explains that the
vulnerabilities occur in programming languages due to issues arising from
incomplete or evolving language specifications, human cognitive limitations,
lack of predictable execution, lack of portability and interoperability,
inadequate language intrinsic support, and language features prone to
erroneous use.

All of the vulnerabilities are documented in a standardized,
language-independent format that allows readers to quickly comprehend and
utilize the information. The report also provides standardized templates for
the community to use when a new programming language vulnerability and/or
resulting application vulnerability is identified.

No one language contains all of the vulnerabilities described in the report,
but most are very common. Of the programming language and application
vulnerabilities detailed in the report, 17 are also on the 2010 CWE/SANS Top
25 Most Dangerous Software Errors list. Future editions of the report will
cover the remainder of the Top 25, any additional programming language and
application vulnerabilities found in follow-on work, and annexes that apply
the general guidance to particular programming languages.

The report is available for purchase from http://www.iso.org and
http://www.ansi.org.
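To make the report's notion of a "language feature prone to erroneous use"
concrete, here is an added illustration in C; it is the editor's own code, not
an excerpt from the report or the newsletter. It shows two hazards of the kind
the report catalogues: unsigned arithmetic that silently wraps around inside a
bounds check, and an int-typed length compared against an int constant so that
a negative length passes validation. The function names, the MAX_PAYLOAD
constant and the sample values are assumptions chosen for the illustration.
Each vulnerable check is paired with a corrected one that returns the right
answer on the same input.

```c
/* Added illustration (editor's code, not from ISO/IEC TR 24772 or CVE):
 * two C-language hazards of the kind the report catalogues, each beside a
 * corrected check. Names and constants below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PAYLOAD 64   /* an int constant: the root of hazard (2) */

/* Hazard (1): unsigned addition wraps modulo 2^32, so an (offset, length)
 * pair that lies far outside the buffer can sum to a small number and pass. */
bool range_ok_wrapping(uint32_t offset, uint32_t length, uint32_t buf_size)
{
    return offset + length <= buf_size;   /* may wrap before the compare */
}

/* Fixed: rearrange the check so no intermediate result can overflow. */
bool range_ok_checked(uint32_t offset, uint32_t length, uint32_t buf_size)
{
    return length <= buf_size && offset <= buf_size - length;
}

/* Hazard (2): len is signed and MAX_PAYLOAD is an int, so the comparison is
 * done in signed arithmetic and a negative len is accepted. Any later use of
 * len as a size (memcpy, array index) converts it to a huge size_t. */
bool length_ok_signed(int len)
{
    return len <= MAX_PAYLOAD;
}

/* Fixed: reject negative values explicitly before the size comparison. */
bool length_ok_checked(int len)
{
    return len >= 0 && (size_t)len <= (size_t)MAX_PAYLOAD;
}

int main(void)
{
    /* constructed inputs: an offset near UINT32_MAX and a negative length */
    const uint32_t far_offset = 0xFFFFFFF0u;
    const uint32_t length = 0x20u;
    const uint32_t buf_size = 64u;
    const int negative_len = -1;

    printf("wrapping check accepts (0x%08X, 0x%X): %s\n", far_offset, length,
           range_ok_wrapping(far_offset, length, buf_size) ? "yes" : "no");
    printf("checked  check accepts (0x%08X, 0x%X): %s\n", far_offset, length,
           range_ok_checked(far_offset, length, buf_size) ? "yes" : "no");
    printf("signed  length check accepts %d: %s\n", negative_len,
           length_ok_signed(negative_len) ? "yes" : "no");
    printf("checked length check accepts %d: %s\n", negative_len,
           length_ok_checked(negative_len) ? "yes" : "no");
    return 0;
}
```

Both bugs compile without warnings at default settings, which is exactly the
point the report makes about language-level hazards: the code is well-formed
and the fault lies in what the language lets the programmer write. The
corrected forms cost nothing at runtime and need no library support.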

---------------------------------------------------------------
UPCOMING EVENT:

CVE/Making Security Measurable Booth at "Black Hat DC 2011," January 18-19

MITRE will host a CVE/Making Security Measurable booth at "Black Hat DC
2011," on January 18-19, 2011 in Arlington, Virginia, USA.

Visit the CVE Calendar for information on this and other events.

LINKS:

Black Hat DC 2011 - http://www.blackhat.com/

Making Security Measurable - http://makingsecuritymeasurable.mitre.org/

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE/Making Security Measurable Briefing at "ITU-T Security Workshop"

* CVE/Making Security Measurable Briefing at "Rethinking Cyber Security: A
Systems-Based Approach Conference"

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Boyle, Information Security Technical Center. Writer:
Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and
provides impartial technical guidance to the CVE Editorial Board on all
matters related to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message
and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org. To
subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2010, The MITRE Corporation. CVE and the CVE logo are registered
trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more about
Making Security Measurable at http://measurablesecurity.mitre.org.
