In this post I would like to provide some links, that you can use to find out necessary information about vulnerability by its CVE ID. I also want to share my amazement, how the method of using the CVE identifiers is changing.
Traditionally, CVE was a global identifier that most of vulnerabilities had. Have you found malicious bug in some software? Send a brief description to MITRE and you will receive CVE id. Some time later NIST will analyze this CVE, will add CVSS vector and CPEs and will put a new item to the NVD database. MITRE and NVD CVE databases were really useful source of information.
It seems like MITRE Corporation wants to cut the costs of security projects. Once again. They transfered OVAL Project to the Center for Internet Security. Now MITRE announced the launch of a “Federated-Style CVE ID”. The idea is to give oportunity for other authorities to issue CVE IDs in special format.
The federated ID syntax will be CVE-CCCIII-YYYY-NNNN…N, where “CCC” encodes the issuing authority’s country and “III” encodes the issuing authority. At its launch, MITRE will be the only issuing authority, but we expect to quickly add others to address the needs of the research and discloser communities, as well as the cybersecurity community as a whole. This new federated ID system will significantly enhance the early stage vulnerability mitigation coordination, and reduce the time lapse between request and issuance
SecPod Technologies is an information security products company located in Bangalore, India. They are also known as top OVAL Contributor and NVT vendorfor OpenVAS. Besides the products designed for a big enterprises (vulnerability scanner Saner Business and threat intelligence platform Ancor), they have either vulnerability and compliance management solution for personal use – Saner Personal. And personal means that this scanner will scan only localhost. It’s free, SCAP-compatible, it has remediation capabilities. And it works. =)
Thanks for visiting my website. Glad to see you here. My name is Alexander and I’m an Information Security Automation specialist. For 6 years I have actively participated in development of MaxPatrol and XSpider – the best known Vulnerability and Compliance Management products in Russia and CIS. Nowadays I am working at the biggest Internet/Mobile Company in Russia. I am responsible for precise automated vulnerability assessment of a huge and diverse IT-infrastructure and vulnerability intelligence.
Enthusiast for NIST/MITRE/CIS and OWASP open security standards and initiatives.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at firstname.lastname@example.org or contact me any other way.