Why CPE? Because an app by any other name would not be as secure
New specs proposed for naming and matching IT products under Common Platform Enumeration
- By William Jackson
- May 03, 2011
The Common Platform Enumeration (CPE) scheme, a naming system for IT products, is being updated by the National Institute of Standards and Technology and Mitre Corp. as part of an effort to automate government IT security processes.
NIST has released new drafts of two Interagency Reports proposing revised specifications for naming IT products and for automatically matching those names under the next version of the CPE.
The second draft of IR-7695, “CPE Naming Specification version 2.3” defines the logical structure of names for IT product classes and the procedures for binding and unbinding them to and from machine-readable encodings.
US-Russian dictionary defines cyber war, other concepts
NIST aids the cause of real-time security
The second draft of IR-7696, “CPE Name Matching Specification version 2.3” provides a method for conducting a one-to-one comparison of a source CPE name to a target CPE name. CPE Name Matching methods can determine if common set relations hold between different platforms. “For example, CPE Name Matching can determine if the source and target names are equal, if one of the names is a subset of the other, or if the names are disjoint,” according to the report.
Both proposed specifications also include requirements for IT products for conformance with the CPE version 2.3.
CPE is a standardized way of describing and identifying classes of applications, operating systems, and hardware in an enterprise. It is a component of the Security Content Automation Protocol (SCAP), which security products used by agencies should support. SCAP helps enable the automated assessment of the security status of IT systems.
NIST calls that ability — to unambiguously identify software and hardware products in a network — the foundation of an effective security automation system.
“IT management tools can collect information about installed products, identify products using their CPE names, and use this standardized information to help make fully or partially automated decisions regarding the assets,” the reports say.
Collectively, the CPE specification is intended to provide:
- A method for assigning unique machine-readable identifiers to certain classes of IT products and computing platforms.
- A method for compiling and maintaining dictionaries of machine readable product and platform identifiers.
- A method for constructing machine-readable referring expressions that can be automatically compared by a computer algorithm or other procedure to product and platform identifiers to determine if the identifiers satisfy the expressions.
- A set of interoperability requirements which guarantee that heterogeneous security automation tools can select and use the same unique identifiers to refer to the associated products and platforms.
The reports describe significant changes in naming specifications from the current CPE version, 2.2, to 2.3. The proposed version would create opportunities for growth and innovation in future versions for the ways machines exchange product descriptions and also helps to make the new version backward compatible with earlier specifications.
Comments on draft Interagency Reports 7695 and 7696 should be sent by May 20 to firstname.lastname@example.org.
William Jackson is freelance writer and the author of the CyberEye blog.