CVE-Announce e-newsletter/September 5, 2007 (opt-in newsletter from the CVE Web site)

From: CVE-Announce (cve@mitre.org)
Date: Wed Sep 05 2007 - 15:12:35 CDT


Welcome to the latest edition of the CVE-Announce e-newsletter.
This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your emailbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/September 5, 2007
-------------------------------------------------------

Contents:

1. Feature Story
2. Hot Topic
3. Upcoming Event
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

CVE Launches New Web Site

CVE has launched a new CVE Web site that offers more CVE
functionality for users through our partnership with the U.S.
National Vulnerability Database (NVD), and better illustrates the
impact and use of CVE in the community. The updated Web site
includes the following enhancements:

Homepage--in addition to news headlines and a focus on column, the
homepage now includes a high-level list of examples of the
widespread adoption of CVE; a list of similar standards, some of
which were inspired by CVE; and a badge indicating that CVE is
part of Making Security Measurable.

CVE in Use page--a new page highlighting how, as the international
industry standard for vulnerability names, CVE Identifiers are
included in numerous CVE-Compatible Products and Services, in NVD
for fix information for CVE-IDs and Security Content Automation
Protocol (SCAP) Mappings for CVE-IDs, in government, and in the
community.

CVE List Main Page--pointers to the full database functionality
for CVE provided through MITRE's partnership with the NVD, and
access to the master copy of the CVE List that is maintained for
the community by MITRE on this public CVE Web site.

CVE List page--offers the same view, search, and download features
for accessing the master copy of the CVE List as the former Get
CVE page.

Data Updates & RSS Feeds page--pointers to external resources that
provide these services for the CVE List.

Obtain a CVE Identifier page--primarily for vulnerability
researchers, this page answers our most frequently asked question:
How can I obtain a CVE Identifier?

About CVE Identifiers page--a new central location for accessing
process and technical information about how the CVE project is
managed, including the method for assigning CVE-IDs, role of
Candidate Numbering Authorities, content decisions, data sources,
reference maps, etc.

Please send any comments or concerns to cve@mitre.org.

LINKS:

CVE Web site - http://cve.mitre.org

National Vulnerability Database (NVD) - http://nvd.nist.gov/

-------------------------------------------------------------
HOT TOPIC:

CVE Basis of 2007 Edition of "OWASP Top 10 Web Application
Security Issues"

The 2007 edition of the "OWASP Top 10 Web Application Security
Issues," released on July 17, 2007, is derived entirely from the
vulnerability trends detailed in the "Vulnerability Type
Distributions in CVE" white paper by CVE List Editor/Common
Weakness Enumeration (CWE) Technical Lead Steve Christey and CWE
Program Manager Robert A. Martin. As with previous versions of the
OWASP list, the 2007 update also uses CVE Identifiers to identify
examples of the vulnerabilities it describes.

OWASP's goal for their Top 10 is to "educate developers,
designers, architects and organizations about the consequences of
the most common web application security vulnerabilities. The Top
10 provides basic methods to protect against these vulnerabilities
--a great start to your secure coding security program."

LINKS:

"OWASP Top 10 Web Application Security Issues" -
http://www.owasp.org/index.php/OWASP_Top_Ten_Project

"Vulnerability Type Distributions in CVE" white paper -
http://cve.mitre.org/docs/vuln-trends/index.html

-------------------------------------------------------------
UPCOMING EVENT:

CVE Included as a Topic at "Security Automation Conference &
Workshop 2007," September 19-20

CVE will be included as a topic at the U.S. National Institute of
Standards and Technology's (NIST) "Security Automation Conference
& Workshop 2007" on September 19-20, 2007 in Gaithersburg,
Maryland, USA. In addition to contributing throughout the
workshop, CVE will also participate in discussion panels on
September 20th.

NIST's Security Content Automation Protocol (SCAP) employs
community standards to enable "automated vulnerability management,
measurement, and policy compliance evaluation (e.g., FISMA
compliance)," and CVE is one of the six open standards SCAP uses
for enumerating, evaluating, and measuring the impact of software
problems and reporting results. The other five standards are Open
Vulnerability and Assessment Language (OVAL), a standard XML for
security testing procedures and reporting; Common Configuration
Enumeration (CCE), standard identifiers and a dictionary for
system security configuration issues; Common Platform Enumeration
(CPE), standard identifiers and a dictionary for platform and
product naming; Extensible Configuration Checklist Description
Format (XCCDF), a standard for specifying checklists and reporting
results; and Common Vulnerability Scoring System (CVSS), a
standard for conveying and scoring the impact of vulnerabilities.

Visit the CVE Calendar for information on this and other events.

LINKS:

"Security Automation Conference 2007" -
http://www.nist.gov/public_affairs/confpage/070919.htm

CVE Calendar - http://cve.mitre.org/news/calendar.html

-------------------------------------------------------------
ALSO IN THIS ISSUE:

* Integrigy Corporation Makes Declaration of CVE Compatibility

* CVE Mentioned in "InfoWorld" Article

* CVE Mentioned in "SC Magazine's" Vulnerability Assessment 2007
  Product Review

* CVE Included in Booth at "Black Hat Briefings 2007"

* Common Configuration Enumeration (CCE) Launches Own Web Site

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Christey, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message: "SIGNOFF CVE-Announce-list", then send the message to
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2007, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.