CVE-Announce e-newsletter/July 17, 2006 (opt-in newsletter from the CVE Web site)
From: CVE Announce List (cve@mitre.org)
Date: Mon Jul 17 2006 - 15:19:34 CDT
Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as new
versions, upcoming conferences, new Web site features, etc. right to
your emailbox. Common Vulnerabilities and Exposures (CVE) is the
standard for information security vulnerability names. CVE content
results from the collaborative efforts of the CVE Editorial Board, which
is comprised of leading representatives from the information security
community. Details on subscribing (and unsubscribing) to the email
newsletter are at the end. Please feel free to pass this newsletter on
to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/July 17, 2006
-------------------------------------------------------
Contents:
1. Feature Story
2. Upcoming Event
3. IMPORTANT ANNOUNCEMENT
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Main Topic of Article in IEEE Distributed Systems Online
CVE was the main topic of an article entitled "Functionality Meets
Terminology to Address Network Security Vulnerabilities" in the June
2006 issue of IEEE Distributed Systems Online. The article describes
what CVE is and the problems it solves, discusses the history of CVE,
mentions CVE compatibility, and notes that the U.S. National Institute
of Standards and Technology's National Vulnerability Database (NVD) is
built wholly upon CVE identifiers. The article includes a quote from NVD
project leader and CVE Editorial Board member Peter Mell, who states:
"With 300-plus products and services using [CVE identifiers], we
definitely need a database of information relative to the CVE standard,
and the NVD database provides that. End users need a way to prioritize
the constant stream of vulnerabilities that are coming out ... [and by]
... integrating the NVD and CVE, we've made a significant step toward
helping people to do that."
The author notes some of the business impacts of CVE via its CVE
Compatibility Program when he states: "CVE-compatible products have
shown themselves to be cost-effective. Larry Pesce, manager of
information systems security for Care New England, a Rhode Island-based
healthcare network, says the use of a CVE-compatible penetration testing
tool by vendor Core Security probably saves the organization the cost of
one to two full-time employees a year. Billy Austin, chief security
officer of Saint, a CVE-compatible vendor, says using such tools saves
the typical security administrator 2.5 hours per vulnerability over
doing manual searches."
The article also mentions MITRE's follow-on standards efforts, including
Open Vulnerability and Assessment Language (OVAL), which uses CVE
identifiers as the basis for its standardized XML definitions that check
for the presence of vulnerabilities on systems; Common Malware
Enumeration (CME), which provides single, common identifiers for virus
threats to reduce public confusion during malware outbreaks and to
facilitate the adoption of a shared, neutral indexing capability for
malware; and Common Weakness Enumeration (CWE), which is a
community-developed formal list of common software weaknesses intended
to serve as a common language for describing software security
vulnerabilities, a standard measuring stick for software security tools
targeting these vulnerabilities, and as a baseline standard for
vulnerability identification, mitigation, and prevention efforts. The
CWE dictionary, which is based in part on the numerous identifiers on
the CVE List, is currently hosted on the CVE Web site.
The article concludes with a quote by MITRE's CWE Project Manager,
Robert A. Martin, who comments on the purpose behind these other
information security standards efforts: "People are so used to selecting
the vendor and that's kind of the core they build out from. What we want
them to do is get married to enabling standards and then build around
that."
The National Institute of Standards and Technology (NIST) is a member of
the CVE Editorial Board, and CVE, NVD, CWE, OVAL, and CME are all
sponsored by the U.S. Department of Homeland Security.
LINKS:
"IEEE Distributed Systems Online" article -
http://csdl2.computer.org/comp/mags/ds/2006/06/o6004.pdf
CVE Compatibility Program - http://cve.mitre.org/compatible/process.html
CWE - http://cve.mitre.org/cwe/index.html
OVAL - http://oval.mitre.org
CME - http://cme.mitre.org
U.S. National Vulnerability Database (NVD) - http://nvd.nist.gov/
------------------------------------------------------------
UPCOMING EVENT:
CVE to Host Booth at "Black Hat Briefings 2006"
MITRE is scheduled to host a CVE/CWE/OVAL/CME exhibitor-meeting booth at
"Black Hat Briefings 2006" on August 2nd - 3rd, 2006 at Caesars Palace
in Las Vegas, Nevada, USA. The event will expose CVE, CWE, OVAL and CME
to a diverse audience of information security-focused attendees from
around the world.
LINK:
CVE Calendar - http://cve.mitre.org/news/calendar.html
-----------------------------------------------------------------
IMPORTANT ANNOUNCEMENT:
Download Options for CVE List to be Modified on July 19th
On July 19, 2006, downloads of the CVE List will no longer be available
with the old-style "CAN" prefix. The CVE naming scheme was modified on
October 19, 2005 to replace the "CAN" prefix with a "CVE" prefix in all
CVE names. Downloads using only the "CVE" prefix will continue to be
offered in three options: (1) a single list combining both CVE names
with "entry" and "candidate" status, (2) entries only, and (3)
candidates only. Each option is available in multiple formats: XML,
HTML, text, and comma-separated. The "CAN" prefix downloads were
continued for eight months to support the transition from the old
format.
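Tooling that still ingests advisories or list exports written before October 2005 will meet the retired "CAN" prefix. The following added example (not from the newsletter or from MITRE) canonicalizes legacy CAN names to CVE names and rejects malformed ones; the comma-separated layout it parses (name,status,description) and the identifiers in the sample are constructed for illustration, not taken from a real CVE List export.

```python
from __future__ import annotations
import re

# Accept both the retired "CAN-" prefix and the current "CVE-" prefix.
# Year is four digits; the sequence part is four or more digits so that
# later, longer sequence numbers are not rejected.
_NAME_RE = re.compile(
    r"^(?P<prefix>CAN|CVE)-(?P<year>\d{4})-(?P<seq>\d{4,})$", re.IGNORECASE
)


def normalize_cve_name(name: str) -> str:
    """Return the canonical CVE-YYYY-NNNN form of a CVE or legacy CAN name.

    Raises ValueError for anything that is not a well-formed name, so bad
    data is rejected instead of silently passed through.
    """
    m = _NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a CVE/CAN name: {name!r}")
    return f"CVE-{m.group('year')}-{m.group('seq')}"


def normalize_csv_export(text: str) -> list[tuple[str, str, str]]:
    """Parse an assumed comma-separated export (name,status,description)
    and return rows with the name canonicalized and the status lower-cased."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, status, description = line.split(",", 2)
        rows.append((normalize_cve_name(name), status.strip().lower(), description.strip()))
    return rows


# Constructed sample in the assumed layout; the identifiers are placeholders,
# not real CVE List entries.
SAMPLE_EXPORT = """# name,status,description
CAN-2005-0001,Candidate,placeholder candidate still using the retired prefix
CVE-2005-0002,Entry,placeholder entry already using the new prefix
cve-2006-0003,Candidate,lower-case input is accepted and canonicalized
"""

if __name__ == "__main__":
    for row in normalize_csv_export(SAMPLE_EXPORT):
        print(row)
```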
CVE information is also available from external resources including CVE
Change Logs, a free tool from CERIAS/Purdue University that records
changes to the CVE List, and the U.S. National Vulnerability Database
(NVD), which is based upon CVE names and offers a variety of search and
download options.
LINKS:
CVE Downloads - http://cve.mitre.org/cve/downloads/
CVE Change Logs - https://cassandra.cerias.purdue.edu/CVE_changes/
U.S. National Vulnerability Database (NVD) - http://nvd.nist.gov/
-----------------------------------------------------------------
ALSO IN THIS ISSUE:
* Secunia Makes Five Declarations of CVE Compatibility
* CVE Editorial Board Holds Teleconference
* Rede Nacional de Ensino e Pesquisa References CVE Identifiers in
Security Advisories
* CWE Main Topic of Briefing at NIST's "Static Analysis Summit"
* 676 CVE Identifiers with Candidate Status Added to CVE List in June
Read these stories and more news at http://cve.mitre.org/news
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Christey, Information Security Technical Center.
Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE
and provides impartial technical guidance to the CVE Editorial Board on
all matters related to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message "SIGNOFF
CVE-Announce-list", then send the message to: listserv@lists.mitre.org.
To subscribe, send an email message to listserv@lists.mitre.org with the
following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2006, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.
For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.