Look it up: A common language for vulnerabilities
- By William Jackson
- Dec 03, 2003
Mitre Corp., which hosts the Common Vulnerability Exposure List, a federally funded standard dictionary of software bugs, is developing a standard language to use in searching for these vulnerabilities in computer systems.
The Open Vulnerability Assessment Language is the next step in standardizing vulnerability management, said Robert A. Martin, CVE compatibility lead for Mitre, of Bedford, Mass.
'It's how you describe the test conditions for vulnerabilities,' Martin said today at the Secure Trusted Operating System Consortium Symposium in Washington. It will describe software configuration parameters used in querying various platforms for known vulnerabilities.
Until development of the CVE in 1999 there was no standard way to identify the vulnerabilities that plague software. The various communities involved in info security (software developers and vendors, researchers, security experts, systems administrators and security officers) describe vulnerabilities in different ways, making it difficult to discuss security problems.
The CVE is not a database of vulnerability information or a taxonomy, but a common dictionary used by government, academia and industry in referring to recognized vulnerabilities.
The CVE list now contains about 2,572 entries, with another 3,832 under evaluation. It is funded by the Homeland Security Department under FedCIRC.
To date, 143 computer security products or services from 96 organizations are compatible with the scheme, using CVE designations to identify vulnerabilities.
Both the National Institute of Standards and Technology and the Defense Department recommend that agencies give preference to CVE-compatible products.
Although testing and scanning tools are becoming common for discovering vulnerabilities in computer systems, there are no standards for these tasks. OVAL will provide standards so that automating vulnerability management can be more effective, Martin said. It will define the attributes needed to find vulnerabilities in a system, to prioritize them and fix them.
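To make concrete what "standard test conditions" for vulnerability management look like in practice, here is an added example, not code from Mitre, OVAL or the article: a small Python evaluator that checks machine-readable vulnerability definitions (CVE identifier, affected product, first fixed version, severity) against a host's software inventory, then prioritizes the findings. The definition format, the product names and the inventory are constructed for illustration, and the CVE identifiers are placeholders, not real entries; real OVAL definitions are richer and platform-specific.

```python
"""Evaluate simplified vulnerability test definitions against a software inventory.

Added example; the definition format here is a constructed simplification and
is not the OVAL schema. CVE identifiers below are placeholders, not real entries.
"""
import re
from dataclasses import dataclass

# CVE identifiers have the shape CVE-YYYY-NNNN (four or more digits after the year).
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Lower rank sorts first when prioritizing remediation.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Definition:
    """One test condition: a product is affected if its version is below fixed_in."""
    cve: str
    product: str
    fixed_in: str
    severity: str


def is_valid_cve_id(identifier: str) -> bool:
    """Return True if the string is a well-formed CVE identifier."""
    return bool(CVE_ID.match(identifier))


def parse_version(version: str) -> list:
    """Split a dotted version string into integer components."""
    return [int(part) for part in version.split(".")]


def version_less(a: str, b: str) -> bool:
    """Compare dotted versions, padding with zeros so "2.0" equals "2.0.0"."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += [0] * (width - len(va))
    vb += [0] * (width - len(vb))
    return va < vb


def prioritize(findings: list) -> list:
    """Order findings by severity, then by CVE identifier for stable output."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[3]], f[0]))


def evaluate(inventory: dict, definitions: list) -> list:
    """Return prioritized (cve, product, installed_version, severity) tuples.

    inventory maps product name -> installed version string. Definitions for
    products that are not installed produce no finding. Malformed identifiers
    are rejected so that a bad definition cannot silently pass as a non-match.
    """
    findings = []
    for d in definitions:
        if not is_valid_cve_id(d.cve):
            raise ValueError(f"malformed CVE identifier: {d.cve!r}")
        installed = inventory.get(d.product)
        if installed is None:
            continue  # product absent: test condition does not apply
        if version_less(installed, d.fixed_in):
            findings.append((d.cve, d.product, installed, d.severity))
    return prioritize(findings)


# Constructed sample data (hypothetical products, placeholder CVE ids).
INVENTORY = {"examplehttpd": "2.0.3", "examplessh": "3.1", "exampledb": "4.2"}

DEFINITIONS = [
    Definition("CVE-0000-0001", "examplehttpd", "2.0.5", "high"),   # affected
    Definition("CVE-0000-0002", "examplessh", "3.1", "high"),       # already fixed
    Definition("CVE-0000-0003", "exampledb", "4.3", "low"),         # affected
    Definition("CVE-0000-0004", "examplemail", "1.2", "medium"),    # not installed
]


if __name__ == "__main__":
    for cve, product, version, severity in evaluate(INVENTORY, DEFINITIONS):
        print(f"{severity:<6} {cve} {product} {version}")
```

The point of the shared format is that any scanner evaluating the same definitions against the same inventory must reach the same findings; keeping the test condition (product plus fixed version) separate from the scanning code is what makes results from different tools comparable.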
William Jackson is a Maryland-based freelance writer.