Vulnerability Related Standards

Security vulnerabilities in software applications are the most important factor that helps malware to spread. The number of known vulnerabilities is increasing every day. Vulnerability databases like National Vulnerability Database, SecurityFocus or Secunia publish thousands of new vulnerabilities each year.

The chart below will help getting an idea about the numbers we are talking. It shows how many new vulnerabilities have been registered by CVE starting with 1999 until 2008. Basically in the last three years there were around 7000 new vulnerabilities each year.

Due to these large numbers, the task to detect and fix vulnerabilities is extremely difficult. Tools like GFI LANguard are trying to automate the job for network administrators. Their functionality relays a lot on the industry standards established for vulnerability management and therefore it is important when dealing with vulnerabilities to know a bit about the most common standards related to them.

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures is the most popular standard in use when someone wants to reference certain vulnerabilities. Practically it assigns a unique name (CVE Identifier) to each vulnerability, making easier for people to identify and gather more information about an item from different sources.

About CVE (excerpt from the official site):

Common Vulnerabilities and Exposures is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities.

CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

CVE is:

• One name for one vulnerability or exposure
• One standardized description for each vulnerability or exposure
• A dictionary rather than a database
• How disparate databases and tools can “speak” the same language
• The way to interoperability and better security coverage
• A basis for evaluation among tools and databases
• Free for public download and use
• Industry-endorsed via the CVE Editorial Board and CVE-Compatible Products

CVE is maintained by The MITRE Corporation and it is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

Open Vulnerability and Assessment Language (OVAL)

OVAL is an XML based language used to represent in a structured manner the checks (i.e. file versions, registry values, etc.) that need to be performed on a system to determine if a vulnerability is present or not. An OVAL compatible tool can receive as input vulnerability tests written in OVAL and it will determine if the vulnerabilities are present or not on the scanned systems.

About OVAL (excerpt from the official site):

Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language.

OVAL Website and OVAL Repository are hosted by The MITRE Corporation. OVAL is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

Common Vulnerability Scoring System (CVSS)

The number of known vulnerabilities is pretty large, but not all of them are equally dangerous. Some of them are easy to exploit and grant to the attacker full privileges on the vulnerable systems, while for others is impossible to create a general exploit or the probability to meet the environmental conditions that will make the vulnerability possible is extremely low. It is crucial to know which vulnerabilities have the most significant impact to able to prioritize what to fix first. Here is where CVSS helps. It is a standard to rate vulnerabilities based on their impact.

About CVSS (excerpt from the official site):

CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability.

CVSS is maintained by FIRST.org, Inc.