|
|||||
CCE Website is in "Archive" status — read the announcement | |||||
News & Events — 2011 ArchiveDecember 1, 2011 CCE List Content Updated CCE Version 5.20111130 is now available on the CCE List page. There are now 10,667 total CCE entries in the CCE List. Changes for Version 5.20111130 include: 317 new entries for Windows Server 2008 R2. A report is available that that provides more details on the changes between Version 5.20111007 and Version 5.20111130. Future updates will be noted here and on the CCE Working Group email discussion list. Please send any comments or concerns to cce@mitre.org. November 15, 2011 "CCE in Use" Page Added to CCE Web Site A new CCE in Use page has been added to the CCE Web site highlighting how CCE is currently in use across the community. CCE/CPE/OVAL/SCAP/SwA Workshops and CCE/Making Security Measurable Booth at IT Security Automation Conference 2011 CCE was included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 7th Annual IT Security Automation Conference on October 31 - November 2, 2011 in Arlington, Virginia, USA. MITRE also contributed to the CCE-, CPE-, OVAL-, SCAP-, and Software Assurance (SwA)-related workshops and hosted a CCE/Making Security Measurable booth. NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the eight open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other seven standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; Open Checklist Interactive Language (OCIL), a standard language for expressing and evaluating non-automated security checks; Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities; and Common Configuration Scoring System (CCSS), a standard for conveying and scoring the impact of software security configuration issues. Visit the CCE Calendar for information on this and other events. October 11, 2011 CCE List Content Updated CCE Version 5.20111007 is now available on the CCE List page. There are now 10,350 total CCE entries in the CCE List. Changes for Version 5.20111007 include: 13 new entries for Oracle WebLogic Server 11g, 8 new entries for Windows Vista, 7 new entries for Windows 7, 4 new entries for Windows XP, and 2 new entries for Red Hat Enterprise Linux 5. A report is available that that provides more details on the changes between Version 5.20110602 and Version 5.20111007. Future updates will be noted here and on the CCE Working Group email discussion list. Please send any comments or concerns to cce@mitre.org. October 6, 2011 CCE Included as Topic at IT Security Automation Conference 2011, October 31 - November 2 CCE will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 7th Annual IT Security Automation Conference on October 31 - November 2, 2011 in Arlington, Virginia, USA. The CCE Team is also scheduled to contribute to the CCE-related workshops. Visit the CCE Calendar for information on this and other events. CCE/Making Security Measurable Briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop CCE Team Member and CWE/CAPEC Program Manager Robert A. Martin presented a CCE/Making Security Measurable briefing and a CWE/CAPEC/MAEC briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop on September 26, 2011 in Linthicum Heights, Maryland, USA. Visit the CCE Calendar for information on this and other events. September 6, 2011 CCE/Making Security Measurable Briefing and CWE/CAPEC/MAEC Briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop, September 26 CCE Team Member and CWE/CAPEC Program Manager Robert A. Martin will present a CCE/Making Security Measurable briefing and a CWE/CAPEC/MAEC briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop on September 26, 2011 in Linthicum Heights, Maryland, USA. In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a Software Assurance briefing. Visit the CCE Calendar for information on this and other events. August 17, 2011 CCE Celebrates 5 Years! CCE began five years ago this month as a proof-of-concept draft with entries for Windows 2000, Windows XP, and Windows Server 2003 and 19 information security community organizations participating on the CCE Working Group. Since then, CCE has become an industry standard for unique identifiers for system configuration issues. The CCE List has grown to 10,316 total entries for a variety of major operating systems and applications and the CCE Working Group has grown to 44 organizations and 119 members. CCE in Use CCEs are used for mappings between best-practice documents including the Defense Information Systems Agency Defense Information Systems Agency Security Technical Implementation Guides (STIGS), National Institute of Standards and Technology Security Configuration Guides, National Security Agency Security Configuration Guides, Center for Internet Security Benchmark Documents, and the Unified Compliance Framework. The 2008 Microsoft Windows Server Security Guide and 2007 Microsoft Office Security Guide incorporate CCE-IDs, and CCE-IDs are the main identifiers used for the settings in the U.S. Federal Desktop Core Configuration (FDCC) data file downloads. Use of CCE for authoring security guidance is taught in MITRE’s free Benchmark Development Course, which provides free online instruction on how to use CCE, along with other standards and tools, to help security guidance authors write good benchmarks that can be automated. CCE is also a key component for enabling the automation of security content as one of six existing standards — along with CVE, CPE, OVAL, XCCDF, and CVSS — employed by the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to enable automated vulnerability management, measurement, and policy compliance evaluation. There are also several tools that incorporate CCE-IDs that are currently listed on the NIST Web site as being "SCAP-Validated." Our Anniversary Celebration It is your participation and endorsement that have transformed CCE into the community standard for unique identifiers for system configuration issues. We thank all you who have in any way used CCE-IDs in your products, research, or processes; promoted the use of CCE; and/or adopted products or services that incorporate CCE for your enterprise. We would also like to thank our sponsors throughout these five years, for their past and current funding and support. We welcome any comments or feedback about CCE at cce@mitre.org. CCE/Making Security Measurable Briefing at GFIRST 2011 CWE/CAPEC Program Manager Robert A. Martin, CWE/CAPEC Co-Founder and Architect Sean Barnum, and MAEC Program Manager Penny Chase presented a CCE/Making Security Measurable and a CWE/CAPEC/MAEC briefing at GFIRST National Conference 2011 on August 8-12, 2011 at the Gaylord Opryland Hotel & Convention Center in Nashville, Tennessee, USA. Visit the CCE Calendar for information on this and other events. August 4, 2011 CCE/Making Security Measurable Briefing at GFIRST 2011, August 8-12 CWE/CAPEC Program Manager Robert A. Martin, CWE/CAPEC Co-Founder and Architect Sean Barnum, and MAEC Program Manager Penny Chase will present a CCE/Making Security Measurable and a CWE/CAPEC/MAEC briefing at GFIRST National Conference 2011 on August 8-12, 2011 at the Gaylord Opryland Hotel & Convention Center in Nashville, Tennessee, USA. Visit the CCE Calendar for information on this and other events. CCE/Making Security Measurable Booth at Black Hat Briefings 2011 MITRE hosted a CCE/Making Security Measurable booth at Black Hat Briefings 2011 on August 3-4, 2011 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how the CCE, CVE, CPE, CAPEC, CWE, MAEC, CEE, OVAL, etc., information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Visit the CCE Calendar for information on this and other events. July 19, 2011 CCE/Making Security Measurable Booth at Black Hat Briefings 2011 MITRE will host a CCE/Making Security Measurable booth at Black Hat Briefings 2011 on August 3-4, 2011 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 307 and say hello! Visit the CCE Calendar for information on this and other events. July 1, 2011 Briefing Slides from Security Automation Developer Days 2011 Now Available 21 briefing presentations from the sessions at the Security Automation Developer Days 2011 conference on June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA are now available for download on the Events & Participation page on the Making Security Measurable Web site. June 10, 2011 Registration Now Closed for MITRE’s Security Automation Developer Days 2011 on June 14-17 Registration is now closed for MITRE’s free Security Automation Developer Days 2011 conference scheduled for June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA. For the event agenda, lodging, and other conference details please visit the conference details page. June 2, 2011 CCE List Content Updated CCE Version 5.20110602 is now available on the CCE List page. There are now 10,316 total CCE entries in the CCE List. Changes for Version 5.20110602 include: 16 new entries for Red Hat Enterprise Linux 5. A report is available that that provides more details on the changes between Version 5.20100926 and Version 5.20110602. Future updates will be noted here and on the CCE Working Group email discussion list. Please send any comments or concerns to cce@mitre.org. June 1, 2011 Agenda Now Available for MITRE’s Security Automation Developer Days 2011 on June 14-17 The agenda for MITRE’s free Security Automation Developer Days 2011 conference scheduled for June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA is now available at https://register.mitre.org/devdays/agenda.pdf. For registration, lodging, and other conference details please visit the conference registration page. May 3, 2011 MITRE to Host Security Automation Developer Days 2011 on June 14-17 MITRE Corporation will host the third Security Automation Developer Days conference on June 14-17, 2011, at MITRE in Bedford, Massachusetts, USA. This four-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP). The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Open Vulnerability and Assessment Language (OVAL®), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop. MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community. An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/. MITRE Hosts CCE/Making Security Measurable Booth at InfoSec World 2011 MITRE hosted a CCE/Making Security Measurable booth at InfoSec World Conference & Expo 2011 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 19-21, 2011. Attendees learned how the CCE, CVE, CPE, OVAL, CAPEC, CWE, CEE, MAEC, etc. information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Visit the CCE Calendar for information on this and other events. April 7, 2011 CCE Included in Department of Homeland Security’s Enabling Distributed Security in Cyberspace White Paper CCE was included in the U.S. Department of Homeland Security (DHS) Enabling Distributed Security in Cyberspace white paper published on March 23, 2011 on the DHS Web site Blog. The main topic of the white paper is "how prevention and defense can be enhanced through three security building blocks: automation, interoperability, and authentication. If these building blocks were incorporated into cyber devices and processes, cyber stakeholders would have significantly stronger means to identify and respond to threats — creating and exchanging trusted information and coordinating courses of action in near real time." The paper defines Interoperability as already being "enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation …" and is comprised of (1) Enumerations "of the fundamental entities of cybersecurity" and lists CVE, CCE, CPE, CWE, and CAPEC; (2) Languages and Formats that "incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports" and lists OVAL, CEE, and MAEC; and (3) Knowledge Repositories that "contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others" that are based upon or incorporate data from these standards. The paper also states that these eight established community enumeration and language standards that have been in use within the community for years can be further leveraged moving forward because they are "standards [that] build upon themselves to expand functionality over time", and projections of that expanding utility are provided through 2014. The white paper is available to view or download at http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf. MITRE to Host CCE/Making Security Measurable Booth at InfoSec World 2011, April 19-21 MITRE will host a CCE/Making Security Measurable booth at InfoSec World Conference & Expo 2011 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 19-21, 2011. Members of the CCE Team will be in attendance. Please stop by Booth 307 and say hello! Visit the CCE Calendar for information on this and other events. MITRE Hosts CCE/Making Security Measurable Booth at 2011 Information Assurance Symposium MITRE hosted a CCE/Making Security Measurable booth at the 2011 Information Assurance Symposium in Nashville, Tennessee, USA, on March 8-10, 2011. The symposium is designed to bring together industry, government, and military information assurance (IA) professionals with the latest available IA products and solutions. Attendees learned how the CCE, CVE, CPE, OVAL, CAPEC, CWE, CEE, MAEC, etc. information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Visit the CCE Calendar for information on this and other events. March 4, 2011 "CCE List Submission and Style Guidelines" Now Available The CCE List Submission and Style Guidelines document is now available in the CCE List section. The purpose of this document is to describe the basic process by which members of the information security community can submit properly formatted CCE entries (also called "CCEs") to the CCE Content Team so they can be reviewed, have CCE Identifiers (CCE-IDs) assigned, and be published on the CCE List for use by the community. MITRE to Host CCE/Making Security Measurable Booth at 2011 Information Assurance Symposium, March 8-10 MITRE will host a CCE/Making Security Measurable booth at the 2011 Information Assurance Symposium in Nashville, Tennessee, USA, on March 8-10, 2011. The symposium is designed to bring together industry, government, and military information assurance (IA) professionals with the latest available IA products and solutions. Members of the CCE Team will be in attendance. Please stop by Booth 217 and say hello! Visit the CCE Calendar for information on this and other events. CCE Hosts Birds-of-a-Feather Meeting at RSA 2011 CCE hosted a Birds-of-a-Feather (BOF) meeting at RSA 2011 at the Moscone Center in San Francisco, California, USA. Discussion topics included the current state of the enumeration, a proposed change to formatting of platform sub-components, changes to the create and edit processes, and plans for streamlining the CCE development and management processes. Members of the information security community are encouraged to participate in the CCE effort by joining the CCE Working Group. MITRE Hosts CCE/Making Security Measurable Booth at RSA 2011 MITRE hosted a CCE/Making Security Measurable booth at RSA 2011 at the Moscone Center in San Francisco, California, USA, on February 14-18, 2011. Attendees learned how information security data standards CCE, CVE, CPE, OVAL, CAPEC, CWE, CEE, MAEC, etc. facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Making Security Measurable booth photos: Visit the CCE Calendar for information on this and other events. February 10, 2011 CCE Birds-of-a-Feather Meeting at RSA 2011 on February 17 CCE will host a Birds-of-a-Feather (BOF) meeting at RSA 2011 at the Moscone Center in San Francisco, California, USA. We hope to see you there.
Please contact us at cce@mitre.org with any comments or concerns. MITRE to Host CCE/Making Security Measurable Booth at RSA 2011, February 14-18 MITRE is scheduled to host a CCE/Making Security Measurable booth at RSA 2011 at the Moscone Center in San Francisco, California, USA, on February 14-18, 2011. Members of the CCE Team will be in attendance. Please stop by Booth 2617 and say hello! Visit the CCE Calendar for information on this and other events. CCE/Making Security Measurable Booth at Black Hat DC 2011 MITRE hosted a CCE/Making Security Measurable booth at Black Hat DC 2011 on January 18-19, 2011 in Arlington, Virginia, USA. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Visit the CCE Calendar for information on this and other events. January 3, 2011 MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2011 MITRE has announced its initial Making Security Measurable calendar of events for 2011. Details regarding MITRE’s scheduled participation at these events are noted on the CCE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
Other events may be added throughout the year. Visit the CCE Calendar for information or contact cce@mitre.org to have MITRE present a briefing or participate in a panel discussion about CCE, CVE, CPE, CAPEC, CWE, MAEC, CEE, OVAL, Software Assurance, and/or Making Security Measurable at your event. |
||||||||||
Page Last Updated: January 11, 2012 |