
Summer 2003
Volume 3
Number 1

The Edge Perspectives

Industry Standard Helps Identify Gaps and Overlaps in Computer Security Lingo

Steve Christey, Consulting Author

Common Vulnerabilities and Exposures (CVE) is a list of common names for publicly known information security vulnerabilities and exposures. It is now an industry standard that MITRE developed to solve a problem.

In 1998, a MITRE team was assessing various security tools to see which tools protected computers against what vulnerabilities and exposures. The trouble was that various security vendors were using different names for the same vulnerabilities and exposures, so there was no way to tell which products overlapped or where the gaps were. The team felt that a standard list—accepted by everyone in the security community—would solve the problem and help our sponsors ensure the security of their systems.

The MITRE team began the process of identifying common vulnerabilities and exposures (the original list contained 321 entries) and then invited the community to get involved. Because the initiative came from a not-for-profit federally funded research and development center, users quickly recognized it as an unbiased, authoritative public resource that would be especially valuable in this era of cyber attack and mischief.

In January 1999, the MITRE team advocated the CVE concept to a gathering of stakeholders in the information security community at Purdue University. Several of the software vendors in attendance endorsed our idea and offered their input. They provided the nucleus of the group that, in four months, helped develop a standard for CVE identification and definition. It took both MITRE's "championing" of the CVE vision and the involvement of the greater community to make the standard a reality.

Once the idea of a standard was introduced, interest in it grew quickly. In May 1999, MITRE held a CVE kickoff meeting with the core group of contributors. By the time the initial CVE list was released that summer, several other representatives of the information security community had become interested. In time, the involvement of many different stakeholders paved the way for more formalized procedures for identifying and defining CVE entries.

Today, a group called the CVE Editorial Board does this work. Founded by MITRE, the group consists of representatives of 40 information-security-related organizations, including commercial security tool vendors, research institutions, government, and academia. People with specialized expertise are invited to take part on an as-needed basis. The CVE list now contains about 2,500 entries. In addition, more than 3,000 "candidates" are being considered for inclusion on the list.

Our sponsors and the public have greatly benefited from this effort. Once CVE was established, producers of information security products began basing their products on the CVE list. Now buyers have a standard that they can check against so that they know exactly which vulnerabilities and exposures certain products cover. This has increased the ability of organizations to protect their information systems.




Copyright © 1997-2013, The MITRE Corporation. All rights reserved.
MITRE is a registered trademark of The MITRE Corporation.
Material on this site may be copied and distributed with permission only.
