Mitre publishes dictionary of information security threats

By William Jackson

GCN Staff

Mitre Corp., a government-funded research organization in Bedford, Mass., has published a searchable security dictionary of common vulnerabilities and exposures.

The CVE dictionary standardizes the names and descriptions of more than 600 information security threats.

CVE, maintained by Mitre and developed in conjunction with several other security companies and organizations, has a vendor-independent naming convention to ease database sharing and make security tools more interoperable.

"CVE is a scientific necessity," said Bill Fithen, senior analyst with the Computer Emergency Response Team at Carnegie Mellon University. "We view it as a milestone in the science of information assurance."

The dictionary, available on the Web at, came out in September, and security companies immediately announced products compatible with its terminology.

The lack of common names and descriptions for common security vulnerabilities has made it difficult to share or compare information from the databases incorporated in various security tools. Security experts and systems administrators did not speak a common language.

One CVE entry, CVE-1999-0067, a Common Gateway Interface packet handling function that allows remote command execution through shell metacharacters, reportedly had 10 names and descriptions in various vendors' databases.
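The class of flaw behind that entry, untrusted CGI input reaching a shell, is easy to illustrate. The following is an added example, not code from the article, Mitre or CVE: it shows the vulnerable pattern of splicing a request parameter into a command string beside a hardened handler that allowlist-validates the value and builds an argv list so no shell ever parses it, plus a check a defender can use to flag metacharacters in request logs. The `finger` command and the username rules are assumptions chosen for illustration.

```python
import re
from typing import List

# Characters a Bourne-style shell interprets specially. Finding any of these
# in a request parameter destined for a command is a red flag worth logging.
SHELL_METACHARACTERS = set(";|&`$<>()\n")

# Allowlist for the one value this handler accepts (assumed policy: a plain
# local username of up to 32 characters, no shell-relevant punctuation).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def unsafe_command_string(user_input: str) -> str:
    """Vulnerable pattern, shown for contrast only: the request parameter is
    concatenated into a command string that would be handed to a shell, so
    every shell metacharacter in the input keeps its special meaning."""
    return "finger " + user_input


def contains_shell_metacharacters(value: str) -> bool:
    """Detection helper: True if the value carries any shell metacharacter."""
    return any(c in SHELL_METACHARACTERS for c in value)


def validate_username(user_input: str) -> str:
    """Allowlist validation: accept only values matching USERNAME_RE."""
    if not USERNAME_RE.fullmatch(user_input):
        raise ValueError("rejected: parameter is not a plain username")
    return user_input


def safe_argv(user_input: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. Passing a list
    to subprocess.run (without shell=True) means the value is delivered to the
    program as a single argument and is never parsed by a shell. The '--'
    stops the value from being read as an option."""
    return ["finger", "--", validate_username(user_input)]


def classify_request(user_input: str) -> str:
    """Summarise how a handler should treat one request parameter."""
    if contains_shell_metacharacters(user_input):
        return "block-and-alert"
    try:
        validate_username(user_input)
    except ValueError:
        return "reject"
    return "allow"


if __name__ == "__main__":
    # Constructed sample parameters, not taken from any real request log.
    for sample in ("alice", "alice; ls", "bob|cat", "../etc"):
        print(f"{sample!r:16} -> {classify_request(sample)}")
```

The hardened path would be executed with `subprocess.run(safe_argv(value), capture_output=True, text=True)`; the point is that the argv list, not `shell=True`, is what removes the metacharacter problem, and the allowlist is what keeps unexpected values away from the program in the first place.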

There was no easy way to tell when different databases referred to the same thing, and applying a fix was impossible if the administrator could not be sure what problem was involved.

The idea of writing a security dictionary came up in January during a workshop on security databases at Purdue University, said Pete Tasker, executive director of Mitre's security and information operations.

An editorial board with representatives from 19 organizations formed in May. Mitre maintains the database, moderates editorial board meetings and provides technical guidance.

"When we hit the point of about 1,000 entries, I expect CVE to be a very powerful tool," said Stephen Northcutt, director of intrusion detection programs at the SANS Institute of Bethesda, Md.

A common naming convention will let security tool databases share information and eventually improve their interoperability, Tasker said.

The CVE editorial board has members from Axent Technologies Inc. of Rockville, Md.; the Ballistic Missile Defense Organization; BindView Development Corp. of Houston; the CERT Coordination Center; Cisco Systems Inc. of San Jose, Calif.; CyberSafe Corp. of Seattle; GTE Internetworking of Cambridge, Mass.; Harris Corp. of Melbourne, Fla.; and IBM Corp.

Also on the board are representatives of Internet Security Systems Inc. of Atlanta; L-3 Network Security Systems LLC of Denver; Mitre; Network Flight Recorder Inc. of Woodbine, Md.; the NTBugtraq e-mail list; Purdue University; the SANS Institute; Web portal; Silicon Defense of Arcata, Calif.; the University of California at Davis; and security consultant Adam Shostack.
