Thursday, July 31, 2014

CVE Announce - July 31, 2014 (opt-in newsletter from the CVE Web site)

Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
designed to bring recent news about CVE, such as new versions, upcoming conferences, new
Web site features, etc. right to your email box. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability names. CVE content results
from the collaborative efforts of the CVE Editorial Board, which is comprised of leading
representatives from the information security community. Details on subscribing (and
unsubscribing) to the email newsletter are at the end. Please feel free to pass this
newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/July 31, 2014
-------------------------------------------------------

Contents:

1. 1 Product from VirtuStream Now Registered as Officially "CVE-Compatible"
2. Reminder to Update Products, Services, and Processes to the New CVE-ID Numbering
Format
3. Register Now for "Security Automation Workshop 2014," August 26-28
4. Details/Credits + Subscribing and Unsubscribing


FEATURE STORY:

1 Product from VirtuStream Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE's
formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is
now eligible to use the CVE-Compatible Product/Service logo, and a completed and
reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the
product as part of the organization's listing on the CVE-Compatible Products and
Services page on the CVE Web site. A total of 143 products to-date have been recognized
as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Virtustream, Inc. - Analytics and Continuous Monitoring Engine (ACE)

Use of the official CVE-Compatible logo will allow system administrators and other
security professionals to look for the logo when adopting vulnerability management
products and services for their enterprises, and the compatibility process questionnaire
will help end-users compare how different products and services satisfy the CVE
compatibility requirements, and therefore which specific implementations are best for
their networks and systems.

For additional information about CVE compatibility and to review all products and
services listed, visit the CVE Compatibility Process and CVE-Compatible Products and
Services.

LINKS:

Analytics and Continuous Monitoring Engine (ACE) -
https://cve.mitre.org/compatible/questionnaires/162.html

Virtustream, Inc. - http://www.virtustreamsecurity.com/

CVE-Compatible Products and Services - https://cve.mitre.org/compatible/

Process - https://cve.mitre.org/compatible/process.html

Make a Declaration - https://cve.mitre.org/compatible/make_a_declaration.html

News page article -
https://cve.mitre.org/news/index.html#july292014_1_Product_from_VirtuStream_Now_Registered_as_Officially_CVE_Compatible

---------------------------------------------------------------
Reminder to Update Products, Services, and Processes to the New CVE-ID Numbering Format

The format for CVE Identifiers (CVE-IDs) has changed. Because of this change, all
products, services, and/or processes that use CVE-IDs need to be updated.

Previously, CVE-IDs could only have 4 digits at the end such as "CVE-2014-0160", but
that syntax limited the number of IDs that could be issued in a calendar year to 9,999.
Now, unlimited CVE-IDs can be issued in a given year because with the new format they
can have 4 digits at the end or more such as "CVE-2014-99999" with 5 digits at the end,
"CVE-2014-456123" with 6 digits at the end, and so on as needed. The number of
vulnerabilities being reported each year is growing rapidly, so the change was very much
needed.

Technical guidance and test data are available on the CVE Web site for developers and
consumers to help you update your tools, web sites, and other capabilities to accept the
new CVE-ID numbering format. Questions or concerns may be sent to
cve-id-change@mitre.org.
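
The kind of update the reminder above asks for, as an added example (not code from the newsletter or from MITRE's technical guidance): a matcher that assumes exactly four trailing digits silently truncates "CVE-2014-99999" to a different identifier, while the updated pattern accepts four or more digits. The function names and the sample line are constructed for illustration.

```python
import re

# Old assumption: the sequence number is always exactly four digits.
LEGACY = re.compile(r"CVE-[0-9]{4}-[0-9]{4}")

# New syntax: four-digit year, then four or more digits, arbitrary length.
# The lookarounds keep a match from starting mid-token or stopping mid-number.
CVE_ID = re.compile(r"(?<![A-Za-z0-9])CVE-([0-9]{4})-([0-9]{4,})(?![0-9])",
                    re.IGNORECASE)

def extract_legacy(text):
    """What a four-digit-only tool reports; longer IDs are cut short."""
    return LEGACY.findall(text)

def extract_cve_ids(text):
    """Return every well-formed CVE-ID in text, prefix normalized to upper case."""
    return [f"CVE-{year}-{seq}" for year, seq in CVE_ID.findall(text)]

def cve_sort_key(cve_id):
    """Numeric (year, sequence) key; plain string order breaks once lengths differ."""
    m = CVE_ID.fullmatch(cve_id.strip())
    if m is None:
        raise ValueError(f"not a CVE-ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))

# Constructed sample input using the IDs quoted in the newsletter.
SAMPLE = ("scan: CVE-2014-0160 patched; open: CVE-2014-99999, "
          "cve-2014-456123; malformed: CVE-2014-123")

if __name__ == "__main__":
    print("legacy :", extract_legacy(SAMPLE))
    print("updated:", extract_cve_ids(SAMPLE))
    print(sorted(["CVE-2014-10000", "CVE-2014-9999"], key=cve_sort_key))
```

Fixed-width database columns and string-based sorting need the same review as the regular expressions, since both fail quietly once identifiers of different lengths coexist.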

LINKS:

New CVE-ID Format page - https://cve.mitre.org/cve/identifiers/syntaxchange.html

Technical guidance and test data -
https://cve.mitre.org/cve/identifiers/tech-guidance.html

News page article -
https://cve.mitre.org/news/index.html#july292014_Reminder_to_Update_Products,_Services,_and_Processes_to_the_New_CVE-ID_Numbering_Format


---------------------------------------------------------------
Register Now for "Security Automation Workshop 2014," August 26-28

"Security Automation Workshop 2014," hosted at MITRE Corporation in McLean, Virginia,
USA on August 26-28, 2014, will bring government and industry together in order to
develop a consensus way forward for the endpoint posture assessment standards being
developed in the Internet Engineering Task Force (IETF) Security Automation Continuous
Monitoring (SACM) Working Group.

This three-day event is geared towards security automation tool vendors, end users, and
other related stakeholders. The agenda includes sessions that illustrate operational
gaps and issues, as well as challenges with the current security automation efforts.
Documents associated with the IETF SACM group will be discussed as well as other related
standards work. In addition to U.S. Government-led sessions, other select industry and
end users will be asked to share their experiences and challenges with the group. The
intent is to have open and productive discussions about how to collect, evaluate, and
report standardized data that is needed to identify software vulnerabilities, detect
software tampering, and find defects in software configurations to support a number of
operational and security processes.

As this event is designed to foster collaborative conversation between government and
industry, the targeted audience is those key stakeholders within vendors, end user
groups, and select government agencies that bring deep existing domain knowledge to the
discussions. This is not intended to serve as an introduction for those that wish to
learn about this landscape, and as such those that require introductory information are
asked to pursue that in a different venue. Attendees for the event should be prepared to
share their experiences and ideas for the future state of security automation and should
be directly involved with the related topics.

Visit the "Security Automation Workshop 2014" page for an agenda, other event details,
and registration information.

LINKS:

Event registration - https://register.mitre.org/saworkshop/

Agenda - https://register.mitre.org/saworkshop/agenda.pdf

IETF SACM - https://datatracker.ietf.org/wg/sacm/documents/

News page article -
https://cve.mitre.org/news/index.html#july292014_Security_Automation_Workshop_2014_August_26-28


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Boyle, Information Security Technical Center. Writer: Bob
Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related to ongoing
development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-list", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".

Copyright 2014, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation.

For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send
an email to cve@mitre.org.

Learn more about Making Security Measurable at http://measurablesecurity.mitre.org and
Strengthening Cyber Defense at
http://www.mitre.org/work/cybersecurity/cyber_standards.html.
