Information Assurance Industry Uses CVE and OVAL to Identify Vulnerabilities

February 2006
As the number of software vulnerabilities continues to increase, MITRE's CVE and OVAL initiatives are becoming standards in the information assurance industry. The Common Vulnerabilities and Exposures (CVE) initiative maintains a list of more than 15,000 names that industry experts have agreed to use when identifying vulnerabilities. MITRE's Open Vulnerability and Assessment Language (OVAL) project is a baseline standards initiative that helps determine the presence of vulnerabilities and configuration issues on computer systems. The CVE list is also being used as the basis for the National Vulnerability Database (NVD), developed by the U.S. National Institute of Standards and Technology. NVD is a comprehensive security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources.

Growing List of CVE Names

The breadth of the CVE list makes it easier for vendors of information security products and services to identify computer vulnerabilities and create fixes. A vulnerability with a CVE name matters because everybody working in the security field can look up that name on the CVE website and know it is the standardized identifier for that issue. Before CVE, software manufacturers and security vendors often used different names for the same vulnerability or flaw.

"Security product vendors can still use their own native label for a vulnerability," says MITRE's CVE Compatibility manager Robert A. Martin. "Using CVE names ensures that CVE-compatible products and services can correlate to information in other products that use CVE names."

So far, more than 240 information security products and services have declared support for CVE, with 60 of these being "Officially CVE-compatible."
When a product or service earns CVE Compatibility, the vendor has shown that it uses CVE names in a way that allows it to cross-link with other organizations and products that use CVE names, and MITRE has evaluated the accuracy of its use of those names. This ensures enhanced interoperability and security for enterprises.

OVAL Identifies Vulnerabilities and Configuration Issues

OVAL goes further than CVE by using XML schemas for definitions that check for the presence of vulnerabilities and configuration issues on computer systems, and further XML schemas to report the results of those checks. This makes machine-to-machine checking possible, which is faster and more accurate than a person performing the same checks by hand. There are over 1,400 OVAL definitions, and 28 products from 15 organizations have declared support for OVAL, with 10 of these being "Officially OVAL-compatible."

"Today, an advisory is sent out as a written narrative description," says Martin. "If you're a tool vendor, you have to have your researchers read the description and figure out how to make your security tool check for that problem."

In checking for a vulnerability, an OVAL definition does three things. First, it checks whether the vulnerable software is installed. Second, it checks whether the patches for the issue are present. Third, it evaluates how the software is configured. Depending on the answers to these questions, the OVAL result states that the system is or is not vulnerable to the issue.

For configuration issues, OVAL compliance definitions can check the configuration settings of a system and confirm that they meet an organization's computer security policies. Determining whether a particular service is running, whether a port is open, or whether a password meets a minimum length requirement are all examples of configuration checks that can be expressed as OVAL definitions.
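To make the three-step check and the configuration checks concrete, here is an added example, written for this page rather than taken from MITRE's OVAL schema, interpreter, or any published OVAL definition. It parses a simplified OVAL-style definition file and evaluates it against a constructed host inventory. The criteria/criterion/negate nesting mirrors the shape of real OVAL definitions, but the definition ids, the package and patch names, the leaf "check" elements and their "kind" attributes, and the host state are all invented for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed state for one hypothetical host (invented, not real data).
HOST = {
    "packages": {"exampled": "2.0.3"},   # hypothetical package
    "patches": set(),                     # nothing applied yet
    "config": {"exampled.allow_anonymous": "yes", "min_password_length": "6"},
    "services": {"exampled", "sshd"},
    "open_ports": {22, 8080},
}

# Constructed definitions. <criteria>/<criterion>/negate mirror the shape of
# OVAL's definition schema; ids, names and the check "kind" values are invented.
DEFINITIONS_XML = """<oval_definitions>
  <definitions>
    <definition id="oval:example:def:1" class="vulnerability">
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1" comment="exampled installed"/>
        <criterion test_ref="oval:example:tst:2" negate="true" comment="patch KB-0001 absent"/>
        <criterion test_ref="oval:example:tst:3" comment="anonymous access enabled"/>
      </criteria>
    </definition>
    <definition id="oval:example:def:2" class="compliance">
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:4" comment="min password length at least 8"/>
        <criterion test_ref="oval:example:tst:5" negate="true" comment="port 8080 closed"/>
      </criteria>
    </definition>
  </definitions>
  <checks>
    <check id="oval:example:tst:1" kind="package_installed" name="exampled"/>
    <check id="oval:example:tst:2" kind="patch_installed" name="KB-0001"/>
    <check id="oval:example:tst:3" kind="config_equals" key="exampled.allow_anonymous" value="yes"/>
    <check id="oval:example:tst:4" kind="config_min_int" key="min_password_length" min="8"/>
    <check id="oval:example:tst:5" kind="port_open" port="8080"/>
  </checks>
</oval_definitions>"""


def eval_check(check, host):
    """Evaluate one leaf check against collected host state; returns True/False."""
    kind = check.get("kind")
    if kind == "package_installed":
        return check.get("name") in host["packages"]
    if kind == "patch_installed":
        return check.get("name") in host["patches"]
    if kind == "config_equals":
        return host["config"].get(check.get("key")) == check.get("value")
    if kind == "config_min_int":
        raw = host["config"].get(check.get("key"))
        return raw is not None and int(raw) >= int(check.get("min"))
    if kind == "service_running":
        return check.get("name") in host["services"]
    if kind == "port_open":
        return int(check.get("port")) in host["open_ports"]
    raise ValueError(f"unknown check kind: {kind}")


def eval_criteria(node, checks, host):
    """Recursively combine child results with the node's AND/OR operator.
    Children are nested criteria or leaf criterion elements, each optionally negated."""
    results = []
    for child in node:
        if child.tag == "criteria":
            value = eval_criteria(child, checks, host)
        else:  # criterion: look up the referenced check and run it
            value = eval_check(checks[child.get("test_ref")], host)
        if child.get("negate", "false") == "true":
            value = not value
        results.append(value)
    op = node.get("operator", "AND")
    if op not in ("AND", "OR"):
        raise ValueError(f"unsupported operator: {op}")
    return all(results) if op == "AND" else any(results)


def evaluate(xml_text, host):
    """Return {definition id: bool}. True means the definition holds: the host
    is vulnerable for class="vulnerability", compliant for class="compliance"."""
    root = ET.fromstring(xml_text)
    checks = {c.get("id"): c for c in root.find("checks")}
    return {d.get("id"): eval_criteria(d.find("criteria"), checks, host)
            for d in root.find("definitions")}


def remediated(host):
    """Constructed 'after' state: patch applied, password policy raised, port closed."""
    fixed = dict(host)
    fixed["patches"] = {"KB-0001"}
    fixed["config"] = dict(host["config"], min_password_length="12")
    fixed["open_ports"] = {22}
    return fixed


if __name__ == "__main__":
    for label, state in (("before", HOST), ("after", remediated(HOST))):
        print(label, evaluate(DEFINITIONS_XML, state))
```

Run as-is, the script reports the constructed host before and after remediation. The vulnerability definition evaluates true only while the package is present, the patch is absent and the weak setting is enabled, which is exactly the combination of the three checks the article describes; the compliance definition shows how the same machinery expresses a password-length minimum and an open-port check. Real OVAL definitions are far richer (platform-specific test and object types, state comparisons, variables), but the evaluation idea is the same: a tool consumes the definition rather than a human reading an advisory.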
Helping DoD

MITRE is currently leveraging the CVE and OVAL initiatives to help the Department of Defense (DoD) transform its enterprise incident and remediation management efforts. A paper describing the activity was published in the May 2005 Journal of Defense Software Engineering.

"MITRE has influenced the DoD toward requiring its software suppliers and security tool providers to support CVE and OVAL," says Martin. "As a result, the DoD will be fundamentally changing the way it deals with vulnerabilities and configuration issues in the commercial and open source components of its infrastructure and mission systems."

—by David Van Cleave
Page last updated: February 17, 2006