
Do the Common Vulnerabilities and Exposures protect applications?

When discussing today's many security holes, security professionals can use the Common Vulnerabilities and Exposures (CVE) dictionary to make sure that they refer to the same flaw. But what can the list do for home-grown Web application software? Expert Ed Skoudis explains.

How does Common Vulnerability Enumeration help defend against application attacks? Does it actually do anything?
For those who haven't heard of it, "Common Vulnerability Enumeration" is a name sometimes applied to Mitre Corp.'s systematic naming and numbering of publicly known security issues. The official name is "Common Vulnerabilities and Exposures," or CVE for short. When a new vulnerability is disclosed, like a buffer overflow in vendor XYZ's ABC product, it is assigned a CVE identifier, and a brief description is posted at Mitre's easily searchable CVE Web site.

When discussing today's many vulnerabilities, people can use CVE to make sure that they refer to the same flaw. Suppose I were to tell you that I was hacked yesterday with a buffer-overflow attack in vendor XYZ's Web server. "Oh man!" you might respond, "I was hacked with a buffer overflow in XYZ's Web server as well. It must have been the same exploit!" With CVE, however, I can say, "I was hit with CVE-2007-1234." You might respond, "Oh, I got snagged by CVE-2007-5678." We could then rapidly conclude that while the issue was in the same software product, it was indeed a different vulnerability that we each suffered from. This consistent nomenclature is helpful in our business. Mitre has also started the Common Malware Enumeration project (CME), which aims to apply a consistent naming and numbering scheme to malware specimens.
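The disambiguation the paragraph above describes, as an added example that is not part of the original column: a small Python helper that pulls CVE identifiers out of two incident write-ups and reports whether they cite the same flaw. The incident notes and the identifiers in them are constructed for illustration; the format rule the helper enforces (CVE-YYYY-NNNN, a year of 1999 or later, four or more sequence digits) is the identifier syntax Mitre publishes.

```python
import re
from typing import Dict, Set

# Added example, not code from the original column. CVE identifiers look like
# CVE-YYYY-NNNN: a four-digit year (1999 or later, the year CVE began) and a
# sequence number of four or more digits (four was the original minimum; the
# 2014 syntax change allows longer sequences).
_CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
_FIRST_CVE_YEAR = 1999


def extract_cve_ids(text: str) -> Set[str]:
    """Return every well-formed CVE identifier in free text, upper-cased.

    Malformed references such as CVE-07-1234 or CVE-2007-123 are ignored
    rather than guessed at: a string that does not match the syntax is not
    a name anyone else can look up in the dictionary.
    """
    ids = set()
    for match in _CVE_PATTERN.finditer(text):
        year = int(match.group(1))
        if year < _FIRST_CVE_YEAR:
            continue
        ids.add(match.group(0).upper())
    return ids


def compare_reports(report_a: str, report_b: str) -> Dict[str, Set[str]]:
    """Compare the CVE identifiers cited by two incident write-ups."""
    a, b = extract_cve_ids(report_a), extract_cve_ids(report_b)
    return {"shared": a & b, "only_a": a - b, "only_b": b - a}


def same_flaw(report_a: str, report_b: str) -> bool:
    """True only when both write-ups cite at least one identifier in common.

    Two reports that merely say "a buffer overflow in XYZ's Web server"
    cannot be matched; two reports that both cite CVE-2007-1234 can.
    """
    return bool(compare_reports(report_a, report_b)["shared"])


# Constructed incident notes (hypothetical identifiers, as in the column).
REPORT_A = ("Incident 42: XYZ Web server compromised via a buffer overflow; "
            "vendor advisory cites cve-2007-1234.")
REPORT_B = ("Incident 43: XYZ Web server, also a buffer overflow. "
            "Tracked as CVE-2007-5678.")
REPORT_C = ("Incident 44: same host, CVE-2007-1234 and CVE-2007-5678 both "
            "exploited; analyst also typed the bogus reference CVE-07-1234.")

if __name__ == "__main__":
    for label, x, y in (("A vs B", REPORT_A, REPORT_B),
                        ("A vs C", REPORT_A, REPORT_C)):
        print(label, "same flaw:", same_flaw(x, y), compare_reports(x, y))
```

Run as a script it prints that incidents 42 and 43 share no identifier (same product, different flaw), while 42 and 44 do. The helper deliberately drops references that do not parse, on the theory that a mangled identifier is worse than none: it looks authoritative but matches nothing in the dictionary.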

The vast majority of entries in CVE describe flaws in specific products: particular network services, client-side applications and the like. Each entry pins down one concrete vulnerability in one product; it is not a description of a class of vulnerability. That is, instead of explaining how buffer overflows generally work, CVE inventories thousands of examples of real buffer-overflow flaws. (Classes of weakness are the subject of Mitre's separate Common Weakness Enumeration, CWE.) The list does include a significant number of application-level vulnerabilities, but only in specific applications, such as certain widely used ecommerce packages, enterprise resource planning (ERP) tools, database environments and groupware products. CVE doesn't set out to describe Web application attack types, like cross-site scripting (XSS), SQL injection and session hijacking. Instead, as you might expect, it includes specific instances of those kinds of vulnerabilities in widely used software, such as particular Apache modules, PHP scripts, commercial ecommerce software and so forth.

Here's the rub: a lot of Web application software is home-grown, with organizations rolling their own applications to satisfy their business needs and serve their customers. That code is not widely deployed software, nobody publishes advisories for it, and so its flaws never receive CVE identifiers. That's not Mitre's fault, though; the list tracks publicly known vulnerabilities in software so that organizations deploying that software can learn about its flaws. CVE does not, and was never meant to, address general categories of flaws or the vulnerabilities in a company-specific Web application. Those you find only by testing and reviewing the application itself.


This was last published in July 2007
