New specifications proposed for the Common Platform Enumeration scheme
Public comment is welcome through Sept. 15
- By William Jackson
- Aug 31, 2010
An updated version of the Common Platform Enumeration scheme is being developed by the National Institute of Standards and Technology and MITRE Corp., as part of an effort to automate information security processes for agencies.
CPE is a component of the Security Content Automation Protocol (SCAP) and provides a standardized way to identify and describe software and hardware in the enterprise for security evaluations. Agencies are required to use SCAP enabled security tools when available.
NIST has released drafts of three interagency reports that propose specifications for naming, name matching and dictionaries for CPE version 2.3.
“Given the speed with which attackers discover and exploit new vulnerabilities, best practices need to be continuously refined and updated at least as fast as the attackers can operate,” NIST officials wrote in introducing the draft reports. “To meet this challenge, security automation has emerged as an advanced computer-security technology intended to help information system administrators assess, manage, maintain and upgrade the security posture of their IT infrastructures regardless of their enterprises’ scale, organization and structure.”
NIST calls the ability to unambiguously identify software and hardware products in a network the foundation of an effective security automation system.
A detailed computing asset inventory provides the information needed to integrate and correlate "a wealth of other knowledge" about vulnerabilities, exposures, configuration issues, best-practice configurations, security checklists and more, according to the draft report.
CPE is a family of specifications that addresses the need for a standardized scheme for identifying and describing these elements in a common language that automated tools can use. Collectively, the CPE specifications are intended to provide:
- A method for assigning unique machine-readable identifiers to certain classes of IT products and computing platforms.
- A method for compiling and maintaining dictionaries of machine-readable product and platform identifiers.
- A method for constructing machine-readable referring expressions that can be automatically compared by a computer algorithm or other procedure to product and platform identifiers to determine whether the identifiers satisfy the expressions.
- A set of interoperability requirements which guarantee that heterogeneous security automation tools can select and use the same unique identifiers to refer to the associated products and platforms.
Interagency Report 7695 defines the CPE naming specification, including the logical structure of well-formed CPE names and the procedures for binding and unbinding these names with machine-readable encodings.
IR 7696 provides the CPE matching specification, which defines procedures for comparing CPE names to determine if they refer to some or all of the same products or platforms.
Finally, IR 7697 contains the CPE dictionary specification, which defines the concept of a dictionary of identifiers and prescribes high-level rules for dictionary curators.
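To make the naming and matching roles of IR 7695 and IR 7696 concrete, here is an added Python illustration; it is not code from the article, from NIST or from MITRE. It models a well-formed name as a dictionary of the eleven CPE 2.3 attributes, binds it to the `cpe:2.3:...` formatted-string encoding and unbinds it again (the naming specification), then compares two names attribute by attribute using the logical values ANY (`*`) and NA (`-`) and the EQUAL, SUBSET, SUPERSET and DISJOINT relations of the matching specification. Assumptions: the attribute order, logical values and relation names follow the CPE 2.3 specifications; the escaping rules of the formatted string are simplified to values built only from alphanumerics, `_`, `.`, `-` and the wildcards `*` and `?`; the vendor and product names in the demo are constructed, not real dictionary entries.

```python
import re

# Attribute order of a CPE 2.3 well-formed name (WFN), as defined in IR 7695.
ATTRIBUTES = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

ANY = "*"   # logical value ANY: any value is acceptable
NA = "-"    # logical value NA: the attribute does not apply

# Attribute-level set relations of the IR 7696 matching specification.
EQUAL, SUBSET, SUPERSET, DISJOINT, UNDEFINED = (
    "EQUAL", "SUBSET", "SUPERSET", "DISJOINT", "UNDEFINED")

# Simplification (assumption of this example): only values built from
# alphanumerics, '_', '.', '-' and the wildcards '*' / '?' are accepted, so
# no escaping is needed when binding; the real spec escapes other punctuation.
_VALUE_RE = re.compile(r"^[A-Za-z0-9_.\-*?]+$")


def bind_to_fs(wfn):
    """Bind a WFN (dict attribute -> value) to the formatted-string encoding
    'cpe:2.3:part:vendor:...:other'. Attributes not given become ANY."""
    fields = []
    for attr in ATTRIBUTES:
        value = wfn.get(attr, ANY)
        if value not in (ANY, NA) and not _VALUE_RE.match(value):
            raise ValueError("unsupported characters in %s=%r" % (attr, value))
        fields.append(value)
    return "cpe:2.3:" + ":".join(fields)


def unbind_fs(fs):
    """Unbind a formatted string into a WFN dict. Logical values stay as
    '*' and '-', so bind_to_fs(unbind_fs(s)) == s for accepted strings."""
    fields = fs.split(":")
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 2 + len(ATTRIBUTES):
        raise ValueError("not a CPE 2.3 formatted string: %r" % fs)
    return dict(zip(ATTRIBUTES, fields[2:]))


def _has_wildcard(value):
    return value not in (ANY, NA) and ("*" in value or "?" in value)


def _wildcard_match(pattern, value):
    # '*' matches any run of characters, '?' exactly one; string comparison
    # is case-insensitive in the matching specification.
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def compare_values(source, target):
    """Relation of a source (e.g. applicability statement) value to a
    target (e.g. inventory) value, per the IR 7696 attribute rules."""
    if source == ANY:
        return EQUAL if target == ANY else SUPERSET
    if source == NA:
        if target == NA:
            return EQUAL
        return SUBSET if target == ANY else DISJOINT
    # source is a string value
    if target == ANY:
        return SUBSET
    if target == NA:
        return DISJOINT
    if _has_wildcard(target):
        return UNDEFINED          # wildcards in the target are not defined
    if _has_wildcard(source):
        return SUPERSET if _wildcard_match(source, target) else DISJOINT
    return EQUAL if source.lower() == target.lower() else DISJOINT


def compare_names(source, target):
    """Per-attribute relations between two formatted strings."""
    s, t = unbind_fs(source), unbind_fs(target)
    return {a: compare_values(s[a], t[a]) for a in ATTRIBUTES}


def cpe_superset(source, target):
    """True when the source covers the target: every attribute EQUAL or SUPERSET."""
    return all(r in (EQUAL, SUPERSET) for r in compare_names(source, target).values())


def cpe_subset(source, target):
    return all(r in (EQUAL, SUBSET) for r in compare_names(source, target).values())


def cpe_equal(source, target):
    return all(r == EQUAL for r in compare_names(source, target).values())


def cpe_disjoint(source, target):
    """True when at least one attribute is DISJOINT."""
    return any(r == DISJOINT for r in compare_names(source, target).values())


if __name__ == "__main__":
    # Constructed sample: an applicability statement for all 2.x versions of a
    # fictional product, checked against two inventory entries.
    applies_to = bind_to_fs({"part": "a", "vendor": "example_vendor",
                             "product": "widget", "version": "2.*"})
    installed = bind_to_fs({"part": "a", "vendor": "example_vendor",
                            "product": "widget", "version": "2.1.3", "update": "sp1"})
    other = bind_to_fs({"part": "a", "vendor": "example_vendor",
                        "product": "widget", "version": "3.0"})
    print(applies_to)
    print("covers installed:", cpe_superset(applies_to, installed))  # True
    print("covers other:", cpe_superset(applies_to, other))          # False
```

The asymmetry in `compare_values` is the point worth noticing: a wildcard in the source name yields SUPERSET or DISJOINT, but a wildcard in the target yields UNDEFINED, so a matching tool should keep applicability statements (the names it asks about) and inventory names (the names it asks against) clearly separated rather than comparing them in either direction.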
Not included in this batch of reports is the language specification, which defines an approach for forming complex logical expressions out of well-formed names.
Comments on these draft reports should be sent by Sept. 15th to email@example.com.
William Jackson is a freelance writer and the author of the CyberEye blog.