Why CPE? Because an app by any other name would not be as secure

New specs proposed for naming and matching IT products under Common Platform Enumeration

The Common Platform Enumeration (CPE) scheme, a naming system for IT products, is being updated by the National Institute of Standards and Technology and Mitre Corp. as part of an effort to automate government IT security processes.

NIST has released new drafts of two Interagency Reports proposing revised specifications for naming IT products and for automatically matching those names under the next version of the CPE.

The second draft of IR-7695, “CPE Naming Specification version 2.3,” defines the logical structure of names for IT product classes and the procedures for binding and unbinding them to and from machine-readable encodings.


The second draft of IR-7696, “CPE Name Matching Specification version 2.3,” provides a method for conducting a one-to-one comparison of a source CPE name to a target CPE name. CPE Name Matching methods can determine whether common set relations hold between different platforms. “For example, CPE Name Matching can determine if the source and target names are equal, if one of the names is a subset of the other, or if the names are disjoint,” according to the report.
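The source-to-target comparison described above can be sketched as follows. This is an added example, not code from the article or from the NIST drafts. It assumes the colon-separated formatted-string binding and the ANY (`*`) and NA (`-`) comparison rules of the published CPE 2.3 specification; the vendor and product names are constructed, and the `mixed` label is this example's own.

```python
import re

# Attribute order of the CPE 2.3 formatted-string binding (assumption: taken
# from the published specification; the article does not list the fields).
ATTRS = ["part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other"]

def unbind(name):
    """Split a formatted string into {attribute: value}; '\\:' is an escaped colon."""
    fields = re.split(r"(?<!\\):", name)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % name)
    for value in fields[2:]:
        if value != "*" and re.search(r"(?<!\\)[*?]", value):
            raise ValueError("embedded wildcard not handled here: %r" % value)
    return dict(zip(ATTRS, fields[2:]))

def compare_attr(src, tgt):
    """Set relation of one source attribute value to the target's value."""
    if src == tgt:
        return "equal"
    if src == "*":          # ANY covers every target value, including NA ("-")
        return "superset"
    if tgt == "*":
        return "subset"
    return "disjoint"       # NA vs. a literal, or two different literals

def compare_names(source, target):
    """Combine the eleven per-attribute relations into one name-level relation."""
    s, t = unbind(source), unbind(target)
    rels = {compare_attr(s[a], t[a]) for a in ATTRS}
    if "disjoint" in rels:
        return "disjoint"
    if rels == {"equal"}:
        return "equal"
    if rels <= {"equal", "subset"}:
        return "subset"
    if rels <= {"equal", "superset"}:
        return "superset"
    return "mixed"          # this example's label: neither name contains the other

# Constructed sample names (hypothetical vendor and product).
INSTALLED = "cpe:2.3:a:examplevendor:exampleapp:1.2:*:*:*:*:*:*:*"
ANY_VERSION = "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*"
OTHER_VENDOR = "cpe:2.3:a:othervendor:exampleapp:1.2:*:*:*:*:*:*:*"

if __name__ == "__main__":
    for src in (ANY_VERSION, INSTALLED, OTHER_VENDOR):
        print(compare_names(src, INSTALLED), "<-", src)
```

A vulnerability or policy entry written against `ANY_VERSION` is a superset of the inventory record `INSTALLED`, so a tool would treat the rule as applying to that asset; a disjoint result means it does not.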

Both proposed specifications also include requirements that IT products must meet to conform with CPE version 2.3.

CPE is a standardized way of describing and identifying classes of applications, operating systems, and hardware in an enterprise. It is a component of the Security Content Automation Protocol (SCAP), which security products used by agencies should support. SCAP helps enable the automated assessment of the security status of IT systems.

NIST calls that ability — to unambiguously identify software and hardware products in a network — the foundation of an effective security automation system.

“IT management tools can collect information about installed products, identify products using their CPE names, and use this standardized information to help make fully or partially automated decisions regarding the assets,” the reports say.

Collectively, the CPE specification is intended to provide:

  • A method for assigning unique machine-readable identifiers to certain classes of IT products and computing platforms.
  • A method for compiling and maintaining dictionaries of machine-readable product and platform identifiers.
  • A method for constructing machine-readable referring expressions that can be automatically compared by a computer algorithm or other procedure to product and platform identifiers to determine if the identifiers satisfy the expressions.
  • A set of interoperability requirements which guarantee that heterogeneous security automation tools can select and use the same unique identifiers to refer to the associated products and platforms.

The reports describe significant changes in naming specifications from the current CPE version, 2.2, to 2.3. The proposed version would create opportunities for growth and innovation in future versions in the ways machines exchange product descriptions, and it would also help make the new version backward compatible with earlier specifications.

Comments on draft Interagency Reports 7695 and 7696 should be sent by May 20 to cpe-comments@nist.gov.

 
