A group of security experts have set up a standards initiative to help tighten cyber defences by providing a list of information vulnerabilities.
The Mitre Corporation has joined with IBM Research, Cisco, CERIAS/Purdue University and 16 other top security organisations to create the Common Vulnerabilities and Exposures (CVE) initiative.
The initiative will draw up a list of information security vulnerabilities and exposures, and provide common names for publicly known problems. Such information will be posted to its Web site, cve.mitre.org.
Other participants in the project include Axent Technologies, The Ballistic Missile Defense Organization, Bugtraq, Cybersafe, Harris, Network Security, SANS Institute and Securityfocus.com.
As well as providing data sharing among intrusion detection systems, assessment tools, vulnerability databases, researchers and incident response teams, CVE will ensure interoperability between third-party products.
Said Pete Tasker, executive director of security and information at Mitre, "In the past, each security tool and vulnerability database used its own names for vulnerabilities and exposures. Without a common language to correlate pieces of vulnerability-related information, it was difficult to manage the output from the security tools that we use."
Mitre is a not-for-profit company working on scientific and technical issues for the public benefit. According to Tasker, a common language and data sharing are two benefits CVE will provide. The group is working on remaining names and will add new links for vendors of compatible tools.
Observers believe CVE is a scientific necessity. Bill Fithen, senior analyst at the Computer Emergency Response Team (CERT), said, "It will facilitate improved communication among information professionals. We intend to contribute our accumulated knowledge."
The content of CVE comes from a collaborative effort of the 19-member CVE editorial board. Its members include Axent Technologies, Ballistic Missile Defense Organization, Cybersafe, CERIAS/Purdue University, L-3 Network Security, Network Associates, SANS Institute and Securityfocus.com. The board identifies which vulnerabilities or exposures are included in CVE and determines the common name and description for each.
"Until now each vendor has developed their own list of 'known vulnerabilities' and then created ways of detecting and responding to them," said Christopher Klaus, founder and chief technology officer of Internet Security Systems (ISS).
Klaus said the initiative will provide a standard way for ecommerce companies to describe and define vulnerabilities. "CVE provides a common infrastructure and creates a method to speak the same language and reduce confusion," he said.