The Common Vulnerabilities and Exposures (CVE) list is a growing compendium of common names for publicly known vulnerabilities (design flaws) and exposures (risky services). MITRE established CVE to make it easier to share data among network and system administrators who use different vulnerability databases and tools; to provide a basis for assessing the security of an organization; to provide a set of criteria for users to compare intrusion detection and security scanning products; and to encourage organizations working in this area to provide more complete coverage of vulnerabilities and exposures in their products and databases.

The list is growing by approximately 100 new entries each month; some are new vulnerabilities and some are legacy ones that are still active and important. We are currently seeing 10-20 new vulnerabilities or exposures reported publicly every week. To date, 1,077 common names have been agreed on by the CVE Editorial Board, and another 746 candidate names have been proposed. In the past month we have received an additional 10,000 vulnerabilities contained in submittals from the databases of CVE Editorial Board members. We are processing them to correlate them against existing entries and identify new vulnerabilities. (These are likely to result in an additional 2,000 unique candidates.)

The content of CVE is the result of a collaborative effort involving the cyber community and the CVE Editorial Board. The Board comprises representatives from 30 organizations such as security tool vendors, operating system vendors, academic institutions, government, and other prominent security experts. MITRE manages the activities of the Editorial Board. MITRE runs a database behind the public list of names that enables new candidate names to be formulated in a matter of days. This process permits the community to adopt the common name early on to help understand and mitigate the new vulnerability or exposure, while awaiting Editorial Board agreement.

Editorial Board meetings are held every six weeks. The meetings are forums for focused discussion of important vulnerabilities and exposures, and of their relative importance and relationships. The discussions are in turn shaping how the vendors improve their tools and databases. Twenty-five developers of vulnerability databases and tools have declared that their products are or will be CVE-compatible. They have done this because their customers put a high premium on interoperability. In at least one case, a commercial company made its database CVE-compatible because a large contract depended on it.

CVE can be the basis for assessing an organization's security readiness and then become the basis for improving that readiness by helping to track a list of high-priority patches to be applied. In a recent announcement by the SANS Institute on how to eliminate the 10 most critical Internet security threats, 68 CVE items were referenced. At the conferences, workshops, and meetings where we have described CVE this year, involving network and system administrators, researchers, and law enforcement personnel, the response has been enthusiastic.

The CVE public website, cve.mitre.org, contains information on the named vulnerabilities and candidates, the members of the Editorial Board, CVE-compatible products, and other related information. For more information, please contact Margie Zuk using the employee directory.