With the September 1999 release of the Common Vulnerabilities and Exposures (CVE) List by MITRE Corporation, consumers and providers of security products alike now stand to benefit through a unified approach to computer security problem enumeration.
How CVE Works
CVE is needed to clean up the messy world of known computer exploits by uniquely identifying them using an industry-wide naming scheme. This scheme cross-references the naming conventions already adopted by security tool manufacturers, security advisory groups, discussion groups, and hacker underground sites. These new vulnerability identities will serve as primary keys for relational database systems that already contain known exploits. Using these as search criteria, users of the software will be referred to the actual databases that contain the details about the vulnerability (symptoms, remediation steps, etc.).
CVE is vital in helping consumers of security tools and systems to effectively compare products using an apples-to-apples approach. You''ll no longer need to concern yourself about which tool tests for which vulnerability. If a tool is CVE-compliant, you can immediately determine if a tool tests for the specific vulnerabilities that concern you without poring through the product''s documentation.
What is a Vulnerability?
CVE defines a vulnerabilities and exposures as follows:
- Vulnerabilities are problems that are universally thought of as "vulnerabilities" in any security policy, software flaws that could directly allow serious damage or security breaches, and specific known vulnerabilities in operating systems, utility, and network programs.
- Exposures are problems that provide stepping stones to successful hacker attacks. Examples include the running of services such as finger, poor logging practices, or software mis-configuration problems.
CVE Goals
The goals of the CVE initiative include:
- Enumerate all publicly known problems,
- Assign a standard, unique name to each problem,
- Operate the list independent of product vendors, advisories, newsgroups, etc.,
- Enable open and sharable information without any distribution restrictions.
CVE helps in providing a common language for security professionals when referring to problems. It facilitates the sharing of data among Intrusion Detection Systems (IDSs), assessment tools, vulnerability databases, academic research, and incident response teams. CVE helps to improve communications across the computer security community and helps to improve the mix of security tools in the marketplace by fostering interoperability among multiple vendor products.
Although many people may criticize the CVE as being an aid to hackers, its benefits outweigh the possible risks in these following ways:
- CVE is restricted to publicly known problems,
- The sharing of information among security professionals is far more difficult than the sharing of information within the hacker community,
- CVE represents a shift in community opinion trends toward open sharing, rather than the former "cloak and dagger" operations of yesteryear.
IE 7
Firefox 2.0
