cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 
Contributor I

Common Vulnerabilities and Exposures (CVE)

Hi,

 

Can someone help me how to use Common Vulnerabilities and Exposures (CVE) – A dictionary of publicly known information security vulnerabilities and exposures.

 

I heard CVE Entries are used in numerous cybersecurity products and services

 

I want to explore/refer this list for my secure software development activities but it looks very huge and don't know where to start and how leverage for my needs.

 

Any suggestions

 

Thanks.

 

 

Mouli, CISSP
Tags (1)
5 Replies
Viewer

Re: Common Vulnerabilities and Exposures (CVE)

Hi, in layman terms, CVEs are the code numbers assigned to the vulnerabilities that can exist in any system, hardware or a software. To work with it I would recommend to have a vulnerability scanner may it be a SAST or a DAST for devops. The Vuln scanner will help u identify the vulnerabilities with references to their related CVEs that contain a detailed explanation related to that specific vuln along with its remediation steps. You must have a vulnerability management program that will articulate the whole process and vuln management lifecycle. This is what I would propose in simple terms. Best of luck


Contributor I

Re: Common Vulnerabilities and Exposures (CVE)

Hi Zia,

 

Thanks for your worthy suggestion and it helps to proceed further.

 

Thanks

Mouli, CISSP
Community Champion

Re: Common Vulnerabilities and Exposures (CVE)

 

The vulnerability scanners I've worked with usually give you a CVE number along with what they detect --- while they also provide the recommendations to mitigate the vulnerabilities, if your teams want more info about his you can do a search on sites such as CVE; in most cases, they point you to the vendor / community websites for more details on the requirements / impacts, etc.

 

Also, entities that provide alerts tend to include the CVE numbers with these, and one source you can avail of for alerts itself if you're a member of (ISC)2 is Vulnerability Central.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Advocate II

Re: Common Vulnerabilities and Exposures (CVE)


@iluom wrote:

Hi,

 

Can someone help me how to use Common Vulnerabilities and Exposures (CVE) – A dictionary of publicly known information security vulnerabilities and exposures.

 


Mouli,

Start your research on use of CVE's at the primary home site, maintained by the company that developed them

http://cve.mitre.org

 

MITRE started the CVE program to reconcile the confusion over multiple common names for the same vulnerability or virus. Over teh years it has become adopted by most security analysis companies, and also by governments, such as the U.S. National Vulnerability Database.

 

See  the explanation of the relationships between them at

http://cve.mitre.org/about/cve_and_nvd_relationship.html

 

There are several ways to use the CVE codes. If your security scanner identifies problems with a system by giving the CVE #, you can go to the CVE and NVD sites to learn more details about precisely what the vulnerability is, and how to remediate it.

 

Also, security researchers who think they have identified a new vulnerability in a system or program can research the NVD to see if it has already been identified and cataloged, or if they might submit it as a new potential CVE.

 

As you learn about CVE details, I recommend you also research the U. S. NIST Security Content Automation Protocol (SCAP) which leverages the CVE registrations, too.

 

(While I did not work on the CVE or the broader CxE enumeration projects at MITRE, I did work closely with several of the key researchers in those projects. Excellent work and darn smart folks!)

 

 

 

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile
Contributor I

Re: Common Vulnerabilities and Exposures (CVE)

Excellent ! great info.
Mouli, CISSP