Look it up: A common language for vulnerabilities

Mitre Corp., which hosts the Common Vulnerability Exposure List, a federally funded standard dictionary of software bugs, is developing a standard language to use in searching for these vulnerabilities in computer systems.

The Open Vulnerability Assessment Language is the next step in standardizing vulnerability management, said Robert A. Martin, CVE compatibility lead for Mitre, of Bedford, Mass.

'It's how you describe the test conditions for vulnerabilities,' Martin said today at the Secure Trusted Operating System Consortium Symposium in Washington. It will describe software configuration parameters used in querying various platforms for known vulnerabilities.

Until development of the CVE in 1999 there was no standard way to identify the vulnerabilities that plague software. The various communities involved in info security'software developers and vendors, researchers, security experts, systems administrators and security officers'describe vulnerabilities in different ways, making it difficult to discuss security problems.

The CVE is not a database of vulnerability information or a taxonomy, but a common dictionary used by government, academia and industry in referring to recognized vulnerabilities.

The CVE list now contains about 2,572 entries, with another 3,832 under evaluation. It is funded by the Homeland Security Department under FedCIRC.

To date, 143 computer security products or services from 96 organizations are compatible with the scheme, using CVE designations to identify vulnerabilities.

Both the National Institute of Standards and Technology and the Defense Department recommend that agencies give preference to CVE-compatible products.

Although testing and scanning tools are becoming common for discovering vulnerabilities in computer systems, there are no standards for these tasks. OVAL will provide standards so that automating vulnerability management can be more effective, Martin said. It will define the attributes needed to find vulnerabilities in a system, to prioritize them and fix them.

About the Author

William Jackson is a Maryland-based freelance writer.


  • 2020 Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    21 Public Sector Innovation award winners

    These projects at the federal, state and local levels show just how transformative government IT can be.

  • Federal 100 Awards
    cheering federal workers

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

Stay Connected