
Documents

General

Vulnerability Type Distributions in CVE

This technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. October 4, 2006 – Steven M. Christey, co-creator of CVE and editor of the CVE List

HTML

Transformational Vulnerability Management Through Standards

This technical report on the MITRE Web site discusses the U.S. Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools, which are required to conform to the CVE and OVAL standards efforts. Robert A. Martin, CVE Compatibility Lead - May 2005

PDF (165K)
HTML

Security Patches Got You Running in Circles?

Reprint of an article about CVE originally printed in Security Wire Perspectives newsletter, Vol. 6, No. 39. Posted here with permission from Information Security Magazine and TechTarget. May 17, 2004 - Robert A. Martin, CVE Compatibility Lead

HTML

A Progress Report on the CVE Initiative

Briefing presented at the FIRST 14th Annual Computer Security Incident Handling Conference, Kona, Hawaii, USA. June 24, 2002 - Steven M. Christey, co-creator of CVE and editor of the CVE List, and Robert A. Martin, CVE Compatibility Lead

HTML
PowerPoint (5.3MB)
PDF (510K)
Word (421K)

Managing Vulnerabilities in Networked Systems

This article about CVE was published in IEEE Computer Society Computer Magazine, Vol. 34, No. 11. November 2001 - Robert A. Martin, CVE Compatibility Lead

PDF (129K)

CVE Behind the Scenes: The Complexity of Being Simple

Briefing focusing on the various technical issues encountered in CVE, presented at Black Hat Briefings, Las Vegas, Nevada, USA. July 11, 2001 - Steve Christey, co-creator of CVE and editor of the CVE List

PowerPoint (813K)

Vulnerabilities of Developing on the Net

This article about CVE was published in Crosstalk, The Journal of Defense Software Engineering. It was also presented at the U.S. Air Force's Software Technology Support Center's Thirteenth Annual Software Technology Conference on May 2, 2001 in Salt Lake City, Utah, USA. April 15, 2001 - Robert A. Martin, CVE Compatibility Lead

HTML
PDF (28MB)

CVE-Technical Details of CVE

This briefing was presented at the Canadian Information Technology Security Symposium, Ottawa, Canada. June 22, 2000 - Steve Christey, co-creator of CVE and editor of the CVE List, and Margie Zuk, CVE Manager

PowerPoint (105K)

Common Vulnerabilities and Exposures (CVE)

An introduction to CVE. PowerPoint slides with attached notes. September 29, 1999 - Pete Tasker, Margie Zuk, Steve Christey, Dave Mann, Bill Hill, Dave Baker

PowerPoint (87K)

White Paper: "The Development of a Common Vulnerabilities and Exposures List"

This white paper was presented at the Second International Workshop on Recent Advances in Intrusion Detection, Purdue University, West Lafayette, Indiana, USA. September 8, 1999 - Steven M. Christey, David W. Baker, William H. Hill, David E. Mann

PowerPoint (65K)
HTML

White Paper: "Towards a Common Enumeration of Vulnerabilities"

This white paper was presented at the 2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana, USA. January 21-22, 1999 - David E. Mann and Steven M. Christey, co-creators of the CVE List

HTML
PostScript
Word (84K)

CVE Process

About CVE Names

Describes the CVE Naming Process including definition of a CVE name and an overview of the creation of a CVE name. Version 2.0, October 17, 2005 - Steven M. Christey and Robert J. Roberge

How We Build the CVE List

A description of the three stages of the process of building the CVE List: (1) the Initial Submission Stage, (2) the Candidate Stage, and (3) the Entry Stage. Also included is a description of the procedures for modifications and deletions in the CVE List. Version 1.0, September 7, 2004 - Steven M. Christey

CVE Candidates Explained

This document includes a full discussion of CVE names with "candidate" status, also called candidates, candidate numbers, and CANs, including what a candidate is, the two ways new security issues become candidates, how long it takes for candidates to be moved from candidate to entry status, how candidates are affected by CVE content decisions, and how users can find out about the most recent candidates. Version 1.0, September 7, 2004 - Steven M. Christey and Robert J. Roberge

CVE Content Decisions Overview

Describes the two most commonly used CDs: "Inclusion Content Decisions," which specify whether a vulnerability or exposure should go into CVE, and "Abstraction Content Decisions," which specify the level of abstraction, or detail, at which a vulnerability should be described. An example of the two most commonly used abstraction facets of CVE CDs is also included. Version 1.1, June 15, 2005 - Steven M. Christey

CVE Abstraction Content Decisions: Rationale and Application

This document provides guidelines for Abstraction CDs, clarifying when to combine multiple reports, bugs, and/or attack vectors into a single CVE name, and when to create separate CVE names. Also discussed are the design goals of CDs and their role in managing vulnerability information for the CVE Initiative, an outline of CVE's major abstraction CDs, a comparison of CDs with other vulnerability information sources, and numerous examples of CDs in action. Version 1.0, June 15, 2005 - Steven M. Christey

Handling Duplicate Public CVE Identifiers

When duplicate CVE identifiers are accidentally assigned by vendors, researchers, or coordinators and made public in initial public vulnerability announcements, CVE's Primary Candidate Numbering Authority must be consulted to choose the proper candidate to use. This document details the criteria MITRE uses for selecting the preferred identifier. Version 1.0, July 27, 2005 - Steven M. Christey

Candidate Numbering Authorities

Includes an introduction to the candidate reservation process, defines Candidate Numbering Authorities (CNAs), provides the requirements for being a CNA, describes CNA tasks, explains the communication requirements from the CNA to MITRE, defines the role of vendor liaisons, and explains the researcher's responsibilities in the process. Also included is a list of the several organizations currently participating as CNAs. Version 1.0, March 28, 2005 - Steven M. Christey

CVE References

Each CVE name includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's Web site, and (3) notes the associated CVE name. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE entries and candidates.

CVE Data Sources

A list of the organizations from the information security community that provide us with vulnerability information that helps MITRE create new CVE candidates.

CVE Versions

New CVE versions are created approximately once per year. When they are released, Version Reports are also made available that list the differences between versions. Also includes a description of the various versions of CVE that have been released to date.

Compatibility

CVE Compatibility Process

Description of the formal "CVE Compatibility Process," including Phase 1, the Declaration Phase, which consists of registering an organization's declaration of intent to make their product(s) and/or service(s) CVE-compatible, and Phase 2, the Evaluation Phase, which requires the completion of a questionnaire that specifically looks for the details of how the organization has satisfied the CVE Compatibility Requirements document. May 6, 2003 - Robert A. Martin, Steven M. Christey, and Robert J. Roberge

Requirements and Recommendations for CVE Compatibility

Provides the detailed requirements against which an information product or service may become CVE-compatible. Version 1.0.1, June 15, 2005 - Robert A. Martin and Steven M. Christey

Editorial Board

CVE Editorial Board Roles, Tasks, and Qualifications

This document clarifies the roles, tasks, and qualifications for CVE Editorial Board members. Roles include technical members, liaisons, advocates, and emeritus members. Version 1.2, September 13, 2001 - Steven M. Christey, Editorial Board Chair

Process for Adding New Members to the Editorial Board

This document formalizes the high-level process that is used for identifying, evaluating, and adding new members to the CVE Editorial Board. Version 0.2, September 13, 2001 - Steven M. Christey, Editorial Board Chair

Sample Procurement Documents

CVE-Relevant Software Supplier Requirements (SWSupplier)

This document is an extract of the statement of objectives used by the Department of Defense to explain the security-relevant requirements they wanted met by software suppliers. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities in security notifications. - November 2004

Word (76K)

CVE-Relevant Vulnerability Assessment Tool Requirements (IAVMtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide vulnerability assessment and reporting tool. Several areas of security issues are addressed as well as the use of CVE names for vulnerabilities being reported. - November 2004

Word (60K)

CVE-Relevant Remediation Tool Requirements (IAremedtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements they wanted met by an enterprise-wide remediation tool. Several areas of security issues are addressed as well as the use of CVE names for choosing which vulnerabilities are remediated and reporting remediation status. - November 2004

Word (76K)


Page Last Updated: December 06, 2006


Department of Homeland Security