iluom
Contributor II

Common Vulnerabilities and Exposures (CVE)

Hi,

Can someone help me with how to use Common Vulnerabilities and Exposures (CVE), a dictionary of publicly known information security vulnerabilities and exposures?

I heard CVE Entries are used in numerous cybersecurity products and services.

I want to explore/refer to this list for my secure software development activities, but it looks very huge and I don't know where to start and how to leverage it for my needs.

Any suggestions?

Thanks.

Chandra Mouli, CISSP, CCSP, CSSLP
5 Replies
chzia
Viewer

Hi, in layman's terms, CVEs are the code numbers assigned to the vulnerabilities that can exist in any system, hardware or software. To work with them I would recommend having a vulnerability scanner, be it SAST or DAST for DevOps. The vuln scanner will help you identify the vulnerabilities with references to their related CVEs, which contain a detailed explanation of that specific vuln along with its remediation steps. You must have a vulnerability management program that will articulate the whole process and vuln management lifecycle. This is what I would propose in simple terms. Best of luck.


iluom
Contributor II

Hi Zia,

Thanks for your worthy suggestion; it helps me to proceed further.

Thanks

Chandra Mouli, CISSP, CCSP, CSSLP
Shannon
Community Champion

The vulnerability scanners I've worked with usually give you a CVE number along with what they detect --- while they also provide the recommendations to mitigate the vulnerabilities, if your teams want more info about this you can do a search on sites such as CVE; in most cases, they point you to the vendor / community websites for more details on the requirements / impacts, etc.

Also, entities that provide alerts tend to include the CVE numbers with these, and one source you can avail of for alerts itself if you're a member of (ISC)2 is Vulnerability Central.

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
CraginS
Defender I

@iluom wrote:

> Hi,
>
> Can someone help me with how to use Common Vulnerabilities and Exposures (CVE), a dictionary of publicly known information security vulnerabilities and exposures?

Mouli,

Start your research on use of CVEs at the primary home site, maintained by the company that developed them:

http://cve.mitre.org

MITRE started the CVE program to reconcile the confusion over multiple common names for the same vulnerability or virus. Over the years it has been adopted by most security analysis companies, and also by governments, such as the U.S. National Vulnerability Database.

See the explanation of the relationship between them at

http://cve.mitre.org/about/cve_and_nvd_relationship.html

There are several ways to use the CVE codes. If your security scanner identifies problems with a system by giving the CVE #, you can go to the CVE and NVD sites to learn more details about precisely what the vulnerability is, and how to remediate it.

Also, security researchers who think they have identified a new vulnerability in a system or program can research the NVD to see if it has already been identified and cataloged, or if they might submit it as a new potential CVE.

As you learn about CVE details, I recommend you also research the U.S. NIST Security Content Automation Protocol (SCAP), which leverages the CVE registrations, too.

(While I did not work on the CVE or the broader CxE enumeration projects at MITRE, I did work closely with several of the key researchers in those projects. Excellent work and darn smart folks!)

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
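As an added example (not from any poster in this thread), the workflow above of taking the CVE numbers a scanner reports and looking them up at the CVE and NVD sites, done in a small Python script: it pulls CVE IDs out of constructed scanner output, drops malformed references, groups the valid ones by affected host and builds the lookup URLs. The scanner output format, the placeholder CVE-2099-* IDs and the exact URL paths on cve.mitre.org and nvd.nist.gov are all assumptions.

```python
import re
from typing import Dict, List

# CVE identifier format: "CVE-" + four-digit year + "-" + four or more digits.
CVE_ID = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed scanner output with placeholder CVE IDs (CVE-2099-*), not real entries.
SAMPLE_SCAN_OUTPUT = """\
host=app01 port=443 finding="outdated TLS library" refs=cve-2099-0001
host=app01 port=8080 finding="logging library flaw" refs=CVE-2099-0002,CVE-2099-12345
host=db02 port=5432 finding="outdated TLS library" refs=CVE-2099-0001
host=web03 port=80 finding="malformed reference" refs=CVE-2099-123
"""


def extract_cve_ids(text: str) -> List[str]:
    """Unique CVE IDs in text, upper-cased, in first-seen order.
    Malformed references such as CVE-2099-123 (sequence too short) are skipped."""
    seen: Dict[str, None] = {}
    for m in CVE_ID.finditer(text):
        seen.setdefault(f"CVE-{m.group(1)}-{m.group(2)}", None)
    return list(seen)


def findings_by_cve(text: str) -> Dict[str, List[str]]:
    """Map each CVE ID to the sorted list of hosts the scanner reported it on."""
    hosts: Dict[str, set] = {}
    for line in text.splitlines():
        host = re.search(r"\bhost=(\S+)", line)
        if not host:
            continue
        for cve in extract_cve_ids(line):
            hosts.setdefault(cve, set()).add(host.group(1))
    return {cve: sorted(h) for cve, h in hosts.items()}


def reference_urls(cve_id: str) -> Dict[str, str]:
    """Lookup URLs at the CVE site (cve.mitre.org, from the thread) and NVD.
    Both paths are assumptions about those sites' current layout."""
    return {
        "cve": f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve_id}",
        "nvd": f"https://nvd.nist.gov/vuln/detail/{cve_id}",
    }


if __name__ == "__main__":
    for cve, hosts in findings_by_cve(SAMPLE_SCAN_OUTPUT).items():
        print(cve, hosts, reference_urls(cve)["nvd"])
```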
iluom
Contributor II

Excellent! Great info.
Chandra Mouli, CISSP, CCSP, CSSLP