Hi,
Can someone help me with how to use Common Vulnerabilities and Exposures (CVE), a dictionary of publicly known information security vulnerabilities and exposures?
I heard CVE Entries are used in numerous cybersecurity products and services.
I want to explore/refer to this list for my secure software development activities, but it looks very huge and I don't know where to start and how to leverage it for my needs.
Any suggestions?
Thanks.
Hi, in layman's terms, CVEs are the code numbers assigned to the vulnerabilities that can exist in any system, hardware or software. To work with it I would recommend having a vulnerability scanner, be it a SAST or a DAST for devops. The vuln scanner will help you identify the vulnerabilities with references to their related CVEs, which contain a detailed explanation related to that specific vuln along with its remediation steps. You must have a vulnerability management program that will articulate the whole process and vuln management lifecycle. This is what I would propose in simple terms. Best of luck.
Hi Zia,
Thanks for your worthy suggestion; it helps me to proceed further.
Thanks.
The vulnerability scanners I've worked with usually give you a CVE number along with what they detect. While they also provide the recommendations to mitigate the vulnerabilities, if your teams want more info about this you can do a search on sites such as CVE; in most cases, they point you to the vendor / community websites for more details on the requirements / impacts, etc.
Also, entities that provide alerts tend to include the CVE numbers with these, and one source you can avail of for alerts itself if you're a member of (ISC)2 is Vulnerability Central.
@iluom wrote: Hi,
Can someone help me with how to use Common Vulnerabilities and Exposures (CVE), a dictionary of publicly known information security vulnerabilities and exposures?
Mouli,
Start your research on the use of CVEs at the primary home site, maintained by the company that developed them.
MITRE started the CVE program to reconcile the confusion over multiple common names for the same vulnerability or virus. Over the years it has become adopted by most security analysis companies, and also by governments, such as the U.S. National Vulnerability Database.
See the explanation of the relationships between them at
http://cve.mitre.org/about/cve_and_nvd_relationship.html
There are several ways to use the CVE codes. If your security scanner identifies problems with a system by giving the CVE #, you can go to the CVE and NVD sites to learn more details about precisely what the vulnerability is, and how to remediate it.
Also, security researchers who think they have identified a new vulnerability in a system or program can research the NVD to see if it has already been identified and cataloged, or if they might submit it as a new potential CVE.
As you learn about CVE details, I recommend you also research the U.S. NIST Security Content Automation Protocol (SCAP), which leverages the CVE registrations, too.
(While I did not work on the CVE or the broader CxE enumeration projects at MITRE, I did work closely with several of the key researchers in those projects. Excellent work and darn smart folks!)
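Both replies above describe the same workflow: a scanner reports findings tagged with CVE numbers, and you take each number to the CVE (MITRE) and NVD sites to read the details and remediation. The following script is an added example, not code from any poster, the CVE program or any scanner. It pulls CVE identifiers out of a few constructed scanner lines (the CVE-2099-* IDs are placeholders, not real entries), rejects malformed references, de-duplicates findings that point at the same CVE, and builds the MITRE and NVD record URLs; the two URL patterns are assumptions based on how those sites address individual entries, so confirm them against the sites before relying on them.

```python
import re
from typing import Dict, List

# CVE identifier format: "CVE-" + four-digit year + a sequence number of at
# least four digits (five or more digits are common in recent years).
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Constructed scanner output (not from any real tool). The CVE-2099-* IDs are
# placeholders and do not refer to real CVE entries.
SAMPLE_SCAN_OUTPUT = """\
[HIGH] libexample 1.2.3 on host build-01: CVE-2099-00001 (remote code execution)
[MEDIUM] libexample 1.2.3 on host build-01: CVE-2099-00002
[HIGH] toolkit 4.0 on host build-02: CVE-2099-00001 (same library, second host)
[INFO] malformed reference, should be ignored: CVE-99-1
"""


def extract_cve_ids(text: str) -> List[str]:
    """Return the distinct CVE IDs found in text, sorted by year then sequence."""
    found = {m.group(0) for m in CVE_ID_RE.finditer(text)}
    return sorted(found, key=lambda cid: tuple(int(p) for p in cid.split("-")[1:]))


def is_valid_cve_id(cve_id: str) -> bool:
    """True only if the whole string is a single well-formed CVE identifier."""
    return CVE_ID_RE.fullmatch(cve_id) is not None


def lookup_urls(cve_id: str) -> Dict[str, str]:
    """Build the MITRE and NVD record URLs for one CVE ID (URL patterns assumed)."""
    if not is_valid_cve_id(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return {
        "mitre": f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve_id}",
        "nvd": f"https://nvd.nist.gov/vuln/detail/{cve_id}",
    }


def triage_report(scan_output: str) -> Dict[str, Dict[str, object]]:
    """Group scanner findings by CVE ID.

    For each CVE the result records how many findings referenced it (the same
    CVE on several hosts is one vulnerability to research, not several) and the
    URLs where the full description and remediation guidance live.
    """
    report: Dict[str, Dict[str, object]] = {}
    for line in scan_output.splitlines():
        for cve_id in extract_cve_ids(line):
            entry = report.setdefault(cve_id, {"findings": 0, "urls": lookup_urls(cve_id)})
            entry["findings"] += 1
    return report


if __name__ == "__main__":
    for cve_id, entry in triage_report(SAMPLE_SCAN_OUTPUT).items():
        print(f"{cve_id}: {entry['findings']} finding(s), details at {entry['urls']['nvd']}")
```

In practice you would feed `triage_report` the text or export of your own scanner instead of the constructed sample; the point of grouping by CVE first is that a development team researches each vulnerability once, then applies the fix everywhere the scanner found it.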