Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues
CCE Website is in "Archive" status — read the announcement
 

   

News & Events — 2010 Archive

December 14, 2010

CCE/Making Security Measurable Briefing at ITU-T Security Workshop

CCE Team member and Common Weakness Enumeration (CWE)/CAPEC Program Manager Robert A. Martin presented a briefing about CCE/Making Security Measurable entitled "Vendor Neutral Security Measurement & Management with Standards" at the ITU-T security workshop "Addressing Security Challenges on a Global Scale" on December 6-7, 2010 in Geneva, Switzerland.

Visit the CCE Calendar for information on this and other events.

CCE/Making Security Measurable Briefing at Rethinking Cyber Security: A Systems-Based Approach Conference

CCE Team Member and CWE Program Manager Robert A. Martin presented a briefing about CCE/Making Security Measurable and the Common Weakness Enumeration (CWE) at the Rethinking Cyber Security: A Systems-Based Approach Conference on November 16-17, 2010 in Charlottesville, Virginia, USA.

Visit the CCE Calendar for information on this and other events.


November 1, 2010

CCE/Making Security Measurable Briefing at Rethinking Cyber Security: A Systems-Based Approach Conference, November 16-17

CCE Team Member and CWE Program Manager Robert A. Martin will present a briefing about CCE/Making Security Measurable and the Common Weakness Enumeration (CWE) at the Rethinking Cyber Security: A Systems-Based Approach Conference on November 16-17, 2010 in Charlottesville, Virginia, USA.

Visit the CCE Calendar for information on this and other events.


October 12, 2010

CCE Included as Topic at IT Security Automation Conference 2010

CCE was included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 6th Annual IT Security Automation Conference on September 27-29, 2010 in Baltimore, Maryland, USA.

Also, MITRE hosted a CCE/Making Security Measurable booth and presented briefings and/or participated on discussion panels about the Making Security Measurable, CPE, CVE, OVAL, XCCDF, ARF, CWE, CAPEC, and MAEC efforts.

Visit the CCE Calendar for information on this and other events.

CCE a Topic of SCAP Discussion Panel and Making Security Measurable Booth at HSNI 2010

MITRE participated in a SCAP Panel Discussion about CVE, CCE, CPE, OVAL, XCCDF, and OCIL, and hosted a Making Security Measurable table booth, at the Homeland Security for Networked Industries (HSNI) 2010 Conference and Expo on September 20-21, 2010 in Washington, D.C., USA.

Visit the CCE Calendar for information on this and other events.


September 26, 2010

CCE List Content Updated

CCE Version 5.20100926 is now available on the CCE List page. There are now 10,300 total CCE entries in the CCE List.

Changes for Version 5.20100926 include: 4,592 total new entries; first release of CCE lists for Internet Explorer 8, Microsoft Office 2010, Oracle WebLogic Server 11g, and Windows Server 2008 R2; and updates, including new CCEs, for Red Hat Enterprise Linux 5 and Windows 7. A report is available that provides more details on the changes between Version 5.20100428 and Version 5.20100926.

Future updates will be noted here and on the CCE Working Group email discussion list. Please send any comments or concerns to cce@mitre.org.


August 26, 2010

CCE Included as Topic at IT Security Automation Conference 2010, September 27-29

CCE will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 6th Annual IT Security Automation Conference on September 27-29, 2010 in Baltimore, Maryland, USA. The CCE Team is also scheduled to contribute to the CCE-related workshops.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the CCE Calendar for information on this and other events.

CCE a Topic of SCAP Discussion Panel and Making Security Measurable Booth at HSNI 2010, September 20-21

MITRE will participate in a SCAP Panel Discussion about CVE, CCE, CPE, OVAL, XCCDF, and OCIL, and host a Making Security Measurable table booth, at the Homeland Security for Networked Industries (HSNI) 2010 Conference and Expo on September 20-21, 2010 in Washington, D.C., USA.

Visit the CCE Calendar for information on this and other events.

Making Security Measurable and Software Assurance Briefing at GFIRST National Conference

MITRE’s Making Security Measurable, CWE, CAPEC, and MAEC efforts were key parts of a briefing entitled "Software Assurance: Mitigating Risks to Improve Incident Management" that was presented at the 6th Annual GFIRST National Conference in San Antonio, Texas, USA on August 17, 2010 by Director for Software Assurance at DHS NCSD, Joe Jarzombek, Deputy Operations Manager at US-CERT, Thomas Millar, CWE/CAPEC Program Manager Robert A. Martin, and CAPEC/CWE Co-Founder and Architect Sean Barnum. The conference itself ran August 15-20.

Visit the CCE Calendar for information on this and other events.


August 2, 2010

CCE/Making Security Measurable Booth at Black Hat Briefings 2010

CCE participated in a Making Security Measurable booth at Black Hat Briefings 2010 on July 28-29, 2010 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CCE Calendar for information on this and other events.


July 13, 2010

CCE/Making Security Measurable Booth at Black Hat Briefings 2010, July 28-29

CCE is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2010 on July 28-29, 2010 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Stop by Booth 65 and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CCE Calendar for information on this and other events.

Instruction on Using CCE Included in MITRE’s Free Benchmark Development Course, July 26

MITRE is scheduled to hold a free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on July 26, 2010. The instruction on using CCE Identifiers in benchmark development is included in a section of the course entitled "Augmenting Guidance." The course explains the overall benefits of using CCE for fast and accurate correlation of common system configuration issues by different groups of people, between different tools, and across repositories; provides an example of a CCE Identifier and the information it includes; and teaches how to map to CCE Identifiers in benchmarks.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use CCE, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Common Platform Enumeration (CPE), Open Vulnerability and Assessment Language (OVAL) Definitions, the OVAL Interpreter, Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the CCE Calendar for information on this and other events.

CCE a Main Topic at MITRE’s Security Automation Developer Days Conference 2010

MITRE hosted the second Security Automation Developer Days Conference 2010 at MITRE in Bedford, Massachusetts, USA on June 14-16, 2010. The purpose of the three-day event is for the community to discuss all current and emerging Security Content Automation Protocol (SCAP) standards in technical detail and to derive solutions that benefit all concerned parties. A brief technical overview of software assurance efforts sponsored by the U.S. Department of Homeland Security was also provided on the third day of the conference.

Visit the CCE Calendar for information on this and other events.


May 19, 2010

CCE a Main Topic at Security Automation Developer Days Conference, June 14-16

MITRE is scheduled to host the second Security Automation Developer Days Conference at MITRE in Bedford, Massachusetts, USA on June 14-16, 2010. The purpose of the three-day event is for the community to discuss all current and emerging Security Content Automation Protocol (SCAP) standards in technical detail and to derive solutions that benefit all concerned parties.

The U.S. National Institute of Standards and Technology’s (NIST) SCAP employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

A brief technical overview of software assurance efforts sponsored by the U.S. Department of Homeland Security will also be provided on the third day of the conference.

For conference details and to register, visit: https://register.mitre.org/devdays/.


May 6, 2010

CCE List Content Updated

CCE Version 5.20100428 is now available on the CCE List page. This release is the first time the CCE List is available in XML, which was generated from the CCE Excel spreadsheets that remain the canonical format. There are now 5,703 total CCE entries on the CCE List.

Changes for Version 5.20100428 include: the first-published CCE List for Microsoft Windows 7; updates to the Windows Server 2003 list; and minor changes to the IE 7, Office 2007, RHEL 5, Solaris 10, Vista, Windows 2000, Windows XP, and Windows Server 2008 lists to better support generation of CCE XML from the canonical spreadsheets. A report is available that provides more details on the changes between Version 5.20090506 and Version 5.20100428.

Future updates will be noted here and on the CCE Working Group email discussion list. Please send any comments or concerns to cce@mitre.org.

Instruction on Using CCE Included in MITRE’s Free Benchmark Development Course, May 17

MITRE is scheduled to hold a free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on May 17, 2010. The instruction on using CCE Identifiers in benchmark development is included in a section of the course entitled "Map Guidance to Existing Control Standards." The course explains the overall benefits of using CCE for fast and accurate correlation of common system configuration issues by different groups of people, between different tools, and across repositories; provides an example of a CCE Identifier and the information it includes; and teaches how to map to CCE Identifiers in benchmarks.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use CCE, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Common Platform Enumeration (CPE), Open Vulnerability and Assessment Language (OVAL) Definitions, the OVAL Interpreter, Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the CCE Calendar for information on this and other events.

MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2010, April 19-21

MITRE hosted a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2010 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on April 19-21, 2010.

Visit the CCE Calendar for information on this and other events.


April 7, 2010

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2010, April 19-21

MITRE is scheduled to host a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2010 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on April 19-21, 2010. Please stop by booth 319 and say hello!

Visit the CCE Calendar for information on this and other events.

Photos from Making Security Measurable Booth at RSA 2010

MITRE hosted a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010. See photos below:

[Four photos from the Making Security Measurable booth at RSA 2010]

Visit the CCE Calendar for information on this and other events.

MITRE Presents Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum

CCE Team Member and CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 9-12, 2010 at MITRE Corporation in McLean, Virginia, USA.

Visit the CCE Calendar for information on this and other events. Contact cce@mitre.org to have OVAL present a briefing or participate in a panel discussion about CCE, CVE, CPE, CAPEC, CWE, CEE, MAEC, OVAL, and/or Making Security Measurable at your event.


March 5, 2010

MITRE Hosts Making Security Measurable Booth at RSA 2010, March 1-5

MITRE hosted a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010.

Visit the CCE Calendar for information on this and other events.


February 4, 2010

MITRE to Host Making Security Measurable Booth at RSA 2010, March 1-5

MITRE is scheduled to host a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010. Please stop by Booth 2617 and say hello!

Visit the CCE Calendar for information on this and other events.

MITRE to Present Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum, March 9-12

CCE Team Member and CWE Program Manager Robert A. Martin is scheduled to present a briefing about CCE/Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 9-12, 2010 at MITRE Corporation in McLean, Virginia, USA.

Visit the CCE Calendar for information on this and other events.

Instruction on Using CCE Included in MITRE’s Free Benchmark Development Course, March 15-16

MITRE is scheduled to hold a Free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on March 15-16, 2010. The instruction on using CCE Identifiers in benchmark development is included in a section of the course entitled "Map Guidance to Existing Control Standards." The course explains the overall benefits of using CCE for fast and accurate correlation of common system configuration issues by different groups of people, between different tools, and across repositories; provides an example of a CCE Identifier and the information it includes; and teaches how to map to CCE Identifiers in benchmarks.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use CCE, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Common Platform Enumeration (CPE), Open Vulnerability and Assessment Language (OVAL) Definitions, the OVAL Interpreter, Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the CCE Calendar for information on this and other events.

MITRE Hosts "Making Security Measurable" Booth at the 2010 Information Assurance Symposium

MITRE hosted a Making Security Measurable booth at the 2010 Information Assurance Symposium in Nashville, Tennessee, USA, on February 2-5, 2010. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks."

Visit the CCE Calendar for information on this and other events.


January 6, 2010

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2010

MITRE has announced its initial Making Security Measurable calendar of events for 2010. Details regarding MITRE’s scheduled participation at these events are noted on the CCE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CCE Calendar for information or contact cce@mitre.org to have MITRE present a briefing or participate in a panel discussion about CCE, CVE, CPE, CAPEC, CWE, MAEC, CEE, OVAL, and/or Making Security Measurable at your event.

Security Automation Is Main Focus of DoD’s IAnewsletter

"Security Automation: A New Approach to Managing and Protecting Critical Information" is the main topic of the Winter 2010 issue of the Department of Defense’s (DoD) Information Assurance Technology Analysis Center’s (IATAC) IAnewsletter.

According to the newsletter, a security automation strategy will enable automation of "many security and configuration management, compliance, and network defense functions and give our [DoD] system administrators and network defenders a chance to succeed." Specific article topics include: An Introduction to Security Automation; Security Automation: A New Approach Managing and Protecting Critical Information; Security Content Automation Protocol; Secure Configuration Management (SCM); DoD Activities Underway to Mature SCAP Standards; Why Industry Needs Federal Government Leadership to Gain the Benefits of Security Automation; and Practicing Standards-Based Security Assessment and Management.

In addition, MITRE’s CVE, CCE, CPE, and OVAL information assurance data standards are mentioned throughout the issue, especially with regard to how they are utilized by the National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to help enable automated, standards-based security assessment and management.

The newsletter is free to download from the IATAC Web site.

Instruction on Using CCE Included in MITRE’s Free Benchmark Development Course, January 26-27

MITRE is scheduled to hold a Free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on January 26-27, 2010. The instruction on using CCE Identifiers in benchmark development is included in a section of the course entitled "Map Guidance to Existing Control Standards." The course explains the overall benefits of using CCE for fast and accurate correlation of common system configuration issues by different groups of people, between different tools, and across repositories; provides an example of a CCE Identifier and the information it includes; and teaches how to map to CCE Identifiers in benchmarks.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use CCE, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Common Platform Enumeration (CPE), Open Vulnerability and Assessment Language (OVAL) Definitions, the OVAL Interpreter, Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the CCE Calendar for information on this and other events.


      

Page Last Updated: December 09, 2011