Common Vulnerabilities and Exposures (CVE)
September 29, 1999
Pete Tasker, Margie Zuk, Steve Christey, Dave Mann, Bill Hill, Dave Baker
Where Does CVE Fit?
Before CVE: Same Problem, Different Names
After CVE: One Common Language

Description                                             Name
ToolTalk (rpc.ttdbserverd) buffer overflow              CVE-1999-0003
Buffer overflow in qpopper                              CVE-1999-0006
CGI phf program allows remote command execution         CVE-1999-0067
Windows NT debug-level access bug (a.k.a. Sechole)      CVE-1999-0344
How was CVE Developed?
From Tools and Vulnerability Mappings
Who Developed CVE? The CVE Editorial Board

Tool Vendors
Andy Balinsky - Cisco
Scott Blake - Bindview
Natalie Brader - L-3 Security
Rob Clyde - AXENT
Andre Frech - ISS
Kent Landfield - NFR
Craig Ozancin - AXENT
Paul E. Proctor - CyberSafe
Mike Prosser - L-3 Security
Steve Snapp - CyberSafe
Bill Wall - Harris
Kevin Ziese - Cisco

Academic/Educational
Matt Bishop - UC Davis Computer Security Lab
Alan Paller - SANS Institute
Gene Spafford - Purdue University CERIAS
Pascal Meunier - Purdue University CERIAS

MITRE
Steve Christey (Chair)
Bill Hill
David Mann
Dave Baker

Other Security Analysts
Russ Cooper - NTBugtraq
Marc Dacier - IBM
Elias Levy - Bugtraq, Security Focus
Steve Northcutt - OSD/BMDO
Adam Shostack - Zero-Knowledge Sys
Stuart Staniford-Chen - Silicon Defense

Response Teams
Bill Fithen - CERT Coordination Center / Carnegie Mellon University

Network Security
Kelly Cooper - GTE Internet
What are the Benefits of CVE?
- Provides common language for referring to problems
- Facilitates data sharing among
  - Intrusion Detection Systems (IDSes)
  - Assessment tools
  - Vulnerability databases
  - Researchers
  - Incident response teams
- Will lead to improved security tools
  - More comprehensive, better comparisons, interoperable
  - Indications and warning systems
- Will spark further innovations
  - Focal point for discussing critical database content issues (e.g. configuration problems)
What’s Next for CVE?
- SANS Network Security Conference (Oct. 6)
  - Training for 1000 system administrators
  - Jeffrey Hunker (NSC) keynote
  - Intrusion detection live exercise (IDnet)
  - Booth with editorial board members & demo
- National Information Systems Security Conference (Oct. 19)
  - Two booths: with NIAP and with vendors
- Editorial Board works through resolution of remaining naming issues
- Enhancements provided to the CVE web site to make it more useful
- Expand CVE impact and community through outreach
  - Add other vendor tools, vulnerability sites, applications
CVE: Fostering Better Protection through Better Information Sharing
Additional Detail
CVE Timeline
- “Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999)
- Initial creation of Draft CVE (Feb-April 1999)
  - 663 vulnerabilities
  - Data derived from security tools, hacker site, advisories
- Formation of Editorial Board (April-May 1999)
- Validation of Draft CVE (May-Sept 1999)
- Creation of validation process (May-Sept 1999)
- Discussion of high-level CVE content (July-ongoing 1999)
- Public release (September 1999)
The CVE Editorial Board
- Experts from more than 19 security-related organizations
  - Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts
- Mailing list discussions
  - Validation and voting for individual CVE entries
  - High-level content decisions
- Meetings
  - Face-to-Face
  - Teleconference
- Membership on an as-needed or as-recommended basis
Bringing New Entries into the CVE
- Assignment
  - Candidate number CAN-1999-XXXX to distinguish from validated CVE entry
  - Candidate Numbering Authority (CNA) reduces “noise”
- Proposal
  - Announcement and discussion
  - Voting: Accept, Modify, Reject, Recast, Reviewing
- Modification
- Interim Decision
- Final Decision
  - CVE name(s) assigned if candidate is accepted
- Publication on CVE web site
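An added illustration of the candidate lifecycle described on this slide (example code written here, not MITRE's tooling): it validates the CAN-/CVE- name format used in 1999, records board votes, and walks a candidate through Proposal, Modification, Interim Decision, Final Decision and Publication. The vote-tally rule, the `min_accepts` threshold and the reuse of the candidate number as the CVE number are assumptions, not rules stated on the slide.

```python
import re
from dataclasses import dataclass, field
# 1999-era name format: CAN-YYYY-NNNN (candidate) / CVE-YYYY-NNNN (validated entry).
_NAME_RE = re.compile(r"^(CAN|CVE)-(\d{4})-(\d{4})$")
VOTES = ("Accept", "Modify", "Reject", "Recast", "Reviewing")

def parse_name(name):
    """Split 'CAN-1999-0012' into ('CAN', 1999, 12); raise on anything else."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"malformed CAN/CVE name: {name!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

@dataclass
class Candidate:
    name: str                                  # CAN-... issued by the numbering authority
    description: str
    votes: dict = field(default_factory=dict)  # board member -> vote
    stage: str = "Assignment"
    cve_name: str = None

    def __post_init__(self):
        if parse_name(self.name)[0] != "CAN":
            raise ValueError("a candidate must carry a CAN- name, not a CVE- name")

    def vote(self, member, choice):
        """Proposal stage: board members vote on the announced (or re-proposed) candidate."""
        if self.stage not in ("Assignment", "Proposal", "Modification") or choice not in VOTES:
            raise ValueError(f"vote {choice!r} not allowed at stage {self.stage}")
        self.stage, self.votes[member] = "Proposal", choice

    def interim_decision(self, min_accepts=3):
        """Assumed rule (not MITRE's): Reviewing/Modify/Recast votes send the candidate
        back to Modification; min_accepts Accepts with no Reject gives an interim ACCEPT."""
        tally = {v: list(self.votes.values()).count(v) for v in VOTES}
        if tally["Reviewing"] or tally["Modify"] or tally["Recast"]:
            self.stage = "Modification"
            return "MODIFY"
        self.stage = "Interim Decision"
        return "ACCEPT" if not tally["Reject"] and tally["Accept"] >= min_accepts else "REJECT"

    def final_decision(self, verdict):
        """ACCEPT assigns a CVE name (assumed to reuse the candidate number) and publishes."""
        if self.stage != "Interim Decision":
            raise ValueError("final decision requires an interim decision first")
        self.stage = "Final Decision"
        if verdict == "ACCEPT":
            _, year, seq = parse_name(self.name)
            self.cve_name, self.stage = f"CVE-{year}-{seq:04d}", "Publication"
        return self.cve_name
```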