Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) assigns common names to publicly known security vulnerabilities and exposures. Its objective is to make it easier to share information across separate vulnerability databases and to provide a common baseline for evaluating security tools.
How Beyond Security's AVDS uses CVE
CVE depends on publicly available data. Throughout the life of the CVE List, the MITRE Corporation has relied on external information sources to identify vulnerabilities. CVE entries also carry vendor patch and fix information, some of which may have been obtained from unverified third parties.
AVDS actively checks for these patches and fixes and notifies the user about available updates. AVDS also tests whether the patches and fixes compromise or harm the user's system in any way. AVDS tests a user's system against every applicable CVE listed in its database (provided by SecuriTeam), which is updated daily. AVDS also maintains consistent standards and accuracy, which helps reduce the overall rate of false positives.
With the help of CVE, AVDS provides information such as vulnerability details, risk level, impact on the system, and remediation. Note that the assignment of a CVE number does not guarantee that it will become an official CVE entry: an assigned number may turn out to be a duplicate of another entry, or the report behind it may be rejected as invalid. The AVDS team independently validates each CVE for its distinguishing characteristics and authenticity.
The CVE Identifier creation process starts with the identification of a potential security vulnerability. The information is then assigned a CVE identifier by a CNA (CVE Numbering Authority) and published by the CVE editor (the MITRE Corporation) on the CVE website under the CVE List.
The MITRE Corporation's documentation characterizes CVE Identifiers as unique, common identifiers for publicly known information security vulnerabilities in publicly released software packages. CVE Identifiers are also referred to as:
- CVE names
- CVE numbers
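Because CVE IDs arrive from many sources in inconsistent spellings, and because an assigned ID can later be rejected or turn out to duplicate another entry (as noted above), a scanner or feed consumer has to normalize and triage identifiers before trusting them. The following Python is an added example written for this page; it is not AVDS code or any MITRE tool. The identifier syntax it enforces (`CVE-` + four-digit year + `-` + four or more digits, with only four-digit sequence numbers zero-padded) is the published CVE ID syntax; the 1999 lower bound on the year and the sample feed are assumptions and constructed data, respectively.

```python
import re
from collections import Counter

# Published CVE ID syntax: "CVE-" + four-digit year + "-" + four or more digits.
# Sequence numbers grew beyond four digits with the 2014 syntax change.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def normalize_cve_id(raw):
    """Return a canonical 'CVE-YYYY-NNNN' string, or None if `raw` is not a valid CVE ID.

    Scanner exports and advisories often carry lowercase ids, stray whitespace or
    'CVE 2014 0001' / 'cve_2014_0001' spellings; those are repaired here. Anything
    that still does not match the syntax is rejected rather than guessed at.
    """
    candidate = raw.strip().upper().replace("_", "-").replace(" ", "-")
    match = CVE_ID_RE.match(candidate)
    if not match:
        return None
    year, seq = int(match.group(1)), match.group(2)
    # Assumption of this example: CVE IDs have been issued since 1999, so an
    # earlier year is a typo rather than a real identifier.
    if year < 1999:
        return None
    # MITRE zero-pads only four-digit sequence numbers; a longer sequence with a
    # leading zero (e.g. CVE-2014-00001) is not a valid ID and must not be
    # silently collapsed onto CVE-2014-0001.
    if len(seq) > 4 and seq.startswith("0"):
        return None
    return f"CVE-{year}-{seq}"


def triage_feed(entries):
    """Split feed records of the form {'id': ..., 'status': ...} into usable ids and problems.

    Returns (accepted, problems): `accepted` is a sorted list of unique canonical ids
    whose status is not REJECTED; `problems` maps a reason to the raw values that
    triggered it: malformed ids, REJECTED entries, and ids that appeared more than
    once after normalization (the duplicate case the text warns about).
    """
    problems = {"malformed": [], "rejected": [], "duplicate": []}
    seen = Counter()
    accepted = set()
    for entry in entries:
        cve_id = normalize_cve_id(entry["id"])
        if cve_id is None:
            problems["malformed"].append(entry["id"])
            continue
        seen[cve_id] += 1
        if seen[cve_id] > 1:
            problems["duplicate"].append(entry["id"])
            continue
        if entry.get("status", "").upper() == "REJECTED":
            problems["rejected"].append(cve_id)
            continue
        accepted.add(cve_id)
    return sorted(accepted), problems


# Constructed sample feed (placeholder ids chosen for their syntax, not real entries).
SAMPLE_FEED = [
    {"id": "CVE-2014-0001", "status": "PUBLISHED"},
    {"id": "cve-2014-0001 ", "status": "PUBLISHED"},  # same id, different spelling
    {"id": "CVE-2014-10000", "status": "PUBLISHED"},  # five-digit sequence, valid
    {"id": "CVE-2014-00001", "status": "PUBLISHED"},  # padded five-digit sequence, invalid
    {"id": "CVE-2020-2000", "status": "REJECTED"},    # assigned, later rejected
    {"id": "CVE-14-0001", "status": "PUBLISHED"},     # two-digit year, malformed
    {"id": "CVE-1998-1234", "status": "PUBLISHED"},   # predates CVE, malformed
]


if __name__ == "__main__":
    usable, issues = triage_feed(SAMPLE_FEED)
    print("usable:", usable)
    for reason, values in issues.items():
        print(f"{reason}: {values}")
```

Rejected and malformed identifiers are reported separately from duplicates so that an operator can tell a feed-quality problem (misspelled ids) from a legitimate status change (an ID that MITRE withdrew after assignment).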
Comparison between vulnerabilities and exposures

| Vulnerability | Exposure |
| --- | --- |
| Allows an attacker to intrude into a system or network because of an error in the software code. | Provides an attacker with access to data that can be sold or misused. |
| Allows an attacker to execute commands with permissions they were not granted. | Allows an attacker to carry out data-gathering activities. |
| Allows an attacker to obtain information that is restricted. | Allows an attacker to conceal their activities. |
| Allows an attacker to impersonate another entity. | Serves as a main entry point for attackers into the system and its data. |
| Allows an attacker to deny a service. | Is viewed as a significant issue in security policy. |
Following are the major contributors to the CVE community:
- CVE Board - The CVE Board includes members from cyber security-related organizations around the world, such as government agencies, research institutions and independent security experts. Through open discussion, the Board guides what is included on the CVE List.
- CVE sponsor - CVE is sponsored by US-CERT within the U.S. Department of Homeland Security. The Sponsors page lists all past sponsors.
- CVE Numbering Authorities - CVE Numbering Authorities (CNAs) assign CVE identifiers to newly discovered issues without directly involving MITRE.
- CVE-compatible products and services - Organizations around the world have incorporated CVE identifiers into their cyber security products and services to make them "CVE-compatible".
Beyond Security's testing solutions accurately assess and manage security weaknesses in networks, applications, industrial systems and networked software. We help businesses and governments simplify the management of their network and application security, thus reducing their vulnerability to attack and data loss. Our product lines, AVDS (network and SCADA vulnerability management) and beSTORM (software security testing), will help you secure your network and applications, comply with your security policy requirements and exceed industry and government standards.