Tuesday, March 27, 2012

CVE Announce - March 27, 2012 (opt-in newsletter from the CVE Web site)

Welcome to the latest edition of the CVE-Announce e-newsletter. This email
newsletter is designed to bring recent news about CVE, such as new versions,
upcoming conferences, new Web site features, etc. right to your email box.
Common Vulnerabilities and Exposures (CVE) is the standard for information
security vulnerability names. CVE content results from the collaborative
efforts of the CVE Editorial Board, which is comprised of leading
representatives from the information security community. Details on
subscribing (and unsubscribing) to the email newsletter are at the end.
Please feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/March 27, 2012
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Event
3. Hot Topic
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

CVE-Compatible Products and Services Update

Four additional information security products from four organizations have
achieved the final stage of MITRE's formal CVE Compatibility Process and are
now officially "CVE-Compatible." The products are now eligible to use the
CVE-Compatible Product/Service logo, and a completed and reviewed "CVE
Compatibility Requirements Evaluation" questionnaire is posted for each
product as part of the organization's listing on the CVE-Compatible Products
and Services page on the CVE Web site. A total of 123 products to date have
been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Cisco Systems, Inc. - Cisco Security IntelliShield Alert Manager Service
Security-Database - Security Database Web site
CXSecurity - World Laboratory of Bugtraq 2
Application Security - DbProtect

Use of the official CVE-Compatible logo will allow system administrators and
other security professionals to look for the logo when adopting
vulnerability management products and services for their enterprises, and the
compatibility process questionnaire will help end-users compare how
different products and services satisfy the CVE compatibility requirements,
and therefore which specific implementations are best for their networks and
systems.

In addition, three organizations have made declarations of CVE Compatibility
for 12 products and services: NGSSecure, a Division of NCC Group UK PLC,
declared that its enterprise class vulnerability management software
product, NGS Auditor, and its standalone vulnerability assessment software
products, NGS OraScan, NGS DominoScan II, NGS SQuirreL for DB2, NGS SQuirreL
for SQL Server, NGS SQuirreL for Oracle, NGS SQuirreL for Informix, NGS
SQuirreL for Sybase ASE, NGS SQuirreL for MySQL, and NGS Typhon III, are
CVE-Compatible; Sangfor Technologies Co., Ltd. declared that its
Next-Generation Application Firewall is CVE-Compatible; and NETpeas, SA
declared that its cloud-based, multi-engines vulnerability management
service, COREvidence, will be CVE-Compatible. A total of 106 organizations
to date have made Declarations of CVE Compatibility for 174 products and
services.

For additional information about CVE Compatibility and to review all
products and services listed, visit the CVE Compatibility Process and
CVE-Compatible Products and Services pages.

LINKS:

Cisco - http://cve.mitre.org/compatible/questionnaires/142.html

Security-Database - http://cve.mitre.org/compatible/questionnaires/84.html

CXSecurity - http://cve.mitre.org/compatible/questionnaires/141.html

Application Security - http://cve.mitre.org/compatible/questionnaires/140.html

NGSSecure - http://www.ngssecure.com/

Sangfor Technologies - http://www.sangfor.com/

NETpeas - http://www.netpeas.com/

CVE Compatibility Process - http://cve.mitre.org/compatible/process.html

CVE-Compatible Products and Services - http://cve.mitre.org/compatible/

Make a Declaration - http://cve.mitre.org/compatible/make_a_declaration.html

---------------------------------------------------------------
UPCOMING EVENT:

CVE/Making Security Measurable Booth at "Infosec World 2012," April 2-4

MITRE will host a CVE/Making Security Measurable booth at "Infosec World
Conference & Expo 2012" at Disney's Contemporary Resort in Orlando, Florida,
USA, on April 2-4, 2012. Attendees will learn how information security data
standards such as CVE, CCE, CPE, MAEC, CybOX, CWE, CAPEC, CEE, OVAL, etc.,
facilitate both effective security process coordination and the use of
automation to assess, manage, and improve the security posture of enterprise
security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 513 and
say hello!

LINKS:

Infosec World 2012 -
http://www.misti.com/default.asp?page=65&Return=70&ProductID=5539&LS=infosecworld

Making Security Measurable - http://measurablesecurity.mitre.org

CVE Calendar - http://cve.mitre.org/news/calendar.html

---------------------------------------------------------------
HOT TOPIC:

CVE Mentioned in Article about Updates to Guidelines for Adopting and Using
Security Content Automation Protocol (SCAP) on "GCN"

CVE is mentioned in a January 9, 2012 article entitled "Getting the most out
of automated IT security management" on Government Computer News.com. The
main topic of the article is the National Institute of Standards and
Technology (NIST) updating its guidelines for using Security Content
Automation Protocol (SCAP) "for checking and validating security settings on
IT systems" by releasing "Special Publication 800-117, Guide to Adopting and
Using the Security Content Automation Protocol Version 1.2, Revision 1."

CVE is mentioned when the author explains how SCAP combines several existing
community standards created and maintained by several different
organizations "including MITRE Corp., the National Security Agency, and the
Forum for Incident Response and Security Teams", and that the
"specifications making up SCAP are divided into languages, reporting
formats, enumerations, measurement and scoring systems, and integrity
protection." The author then lists the 11 SCAP components, with CVE included
under Enumerations. The other MITRE initiatives listed are Common Platform
Enumeration (CPE) and Common Configuration Enumeration (CCE), also under
Enumerations, and under Languages, Open Vulnerability and Assessment
Language (OVAL). The article concludes with a summary of the updates to the
guidelines.

LINKS:

GCN article -
http://gcn.com/articles/2012/01/09/nist-scap-automated-security-management.aspx?sc_lang=en

SCAP - http://scap.nist.gov/

CCE - http://cce.mitre.org/

CPE - http://cpe.mitre.org/

OVAL - http://oval.mitre.org/

CVE - http://cve.mitre.org/

---------------------------------------------------------------
ALSO IN THIS ISSUE:

* New CVE Editorial Board Member for National Institute of Standards and
Technology (NIST)

* Photos from CVE/Making Security Measurable Booth at "RSA 2012"

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Boyle, Information Security Technical Center. Writer:
Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and
provides impartial technical guidance to the CVE Editorial Board on all
matters related to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message
and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org. To
subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2012, The MITRE Corporation. CVE and the CVE logo are registered
trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more about
Making Security Measurable at http://measurablesecurity.mitre.org.
