Mitre publishes a dictionary of security threats

The searchable online listing includes names and descriptions of more than 600 system menaces

By William Jackson

GCN Staff

Mitre Corp., a government-funded Bedford, Mass., researcher, has published a searchable security dictionary of common vulnerabilities and exposures.

The CVE dictionary standardizes the names and descriptions of more than 600 information security threats.

CVE, maintained by Mitre and developed in conjunction with several other security companies and organizations, has a vendor-independent naming convention to ease database sharing and make security tools more interoperable.

'CVE is a scientific necessity,' said Bill Fithen, senior analyst with the Computer Emergency Response Team at Carnegie Mellon University.

'We view it as a milestone in the science of information assurance,' he said.

The dictionary, available on the Web at, came out in September, and security companies immediately announced products compatible with its terminology.

Common needs

The lack of common names and descriptions for common security vulnerabilities has made it difficult to share or compare information from the databases incorporated in various security tools. Security experts and systems administrators did not speak a common language.

One CVE entry, CVE-1999-0067, a Common Gateway Interface packet handling function that allows remote command execution through shell metacharacters, reportedly had 10 names and descriptions in various vendors' databases.

There was no easy way to tell when different databases referred to the same thing, and applying a fix was impossible if the administrator could not be sure what problem was involved.

The idea of writing a security dictionary came up in January 1999 during a workshop on security databases at Purdue University, said Pete Tasker, executive director of Mitre's security and information operations.

An editorial board with representatives from 19 organizations formed in May. Mitre maintains the database, moderates editorial board meetings and provides technical guidance.

'When we hit the point of about 1,000 entries, I expect CVE to be a very powerful tool,' said Stephen Northcutt, director of intrusion detection programs at the SANS Institute of Bethesda, Md.

A common naming convention will let security tool databases share information and improve their interoperability, Tasker said.

The CVE editorial board has members from Axent Technologies Inc. of Rockville, Md.; the Ballistic Missile Defense Organization; BindView Development Corp. of Houston; the CERT Coordination Center; Cisco Systems Inc. of San Jose, Calif.; CyberSafe Corp. of Seattle; GTE Internetworking of Cambridge, Mass.; Harris Corp. of Melbourne, Fla.; and IBM Corp.

Secure group

Also on the board are security consultant Adam Shostack and representatives of Internet Security Systems Inc. of Atlanta; L-3 Network Security Systems LLC of Denver; Mitre; Network Flight Recorder Inc. of Woodbine, Md.; the NTBugtraq e-mail list; Purdue University; the SANS Institute; Web portal; Silicon Defense of Arcata, Calif.; and the University of California at Davis.

