Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/17/2012
01:57 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

ICASI Releases Update To XML Framework For Reporting IT System Vulnerabilities

Enhancements in CVRF 1.1 offer users a more comprehensive and flexible format

WAKEFIELD, Mass. – May 17, 2012 – The Industry Consortium for Advancement of Security on the Internet (ICASI), a nonprofit association dedicated to enhancing global IT security by proactively driving excellence and innovation in security response, today announced the publication of the latest version of its Common Vulnerability Reporting Framework (CVRF), Version 1.1. Enhancements in CVRF 1.1 offer users a more comprehensive and flexible format, while reducing duplication and the possibility of errors.

CVRF is an XML-based framework that enables stakeholders across different organizations to share critical vulnerability-related information in an open and common machine-readable format. CVRF replaces the many nonstandard reporting formats previously in use, thus speeding up information exchange and processing. CVRF is available to the public free of charge, along with additional information, at ICASI.org/cvrf.

A brief webcast about CVRF, which will describe the enhancements in Version 1.1 and offer a Q & A session to attendees, is scheduled for Wednesday, May 30 at noon EDT. There is no cost to attend, but advance registration is required.

"CVRF 1.1 is a significant step forward in our efforts to broaden awareness of security vulnerabilities and simplify their reporting," said Russell Smoak, president of ICASI and director and general manager of Security Research and Operations at Cisco Systems. "The new features and enhancements make CVRF both more user-friendly and more applicable to a broader set of requirements. We are grateful to the project team members who have worked so conscientiously to develop these additions and improvements."

Key changes in CVRF 1.1 include:

A completely revamped method for specifying products in a hierarchical manner, dubbed the "Product Tree," has been created. It has been separated from the vulnerability section, which reduces the duplication of XML, and it is much more flexible, powerful, and machine readable The Product Tree supports the construction of logical groups to further cut down on redundant XML by allowing logical groups to be referenced using a single identifier When possible, a consistent type/value construct has been implemented across CVRF. Given that type is an enumerated list, this enables future updates or modifications without much change to CVRF parsers. Using a more generic construct also reduces the overall number of elements, by combining existing (similar) containers into one CVRF has been made less vendor-centric: it is now friendlier to the research and coordination community To ensure a consistent look and feel, many of the optional meta-containers that use a plural term as the top-level identifier (e.g., Threats) are now followed by a container that uses the singular version of the same identifier (e.g., Threat) More constraints ensure that it is harder to build invalid documents A better use of optional elements makes CVRF more flexible for different document producers Whenever possible, elements that were similar and existed in several areas of the document have been aligned (e.g., Note, Acknowledgement, Reference, etc.)

CVRF Background Although the computer security community has made significant progress in several other areas in recent years, including categorizing and ranking the severity of vulnerabilities in information systems, there was no standard framework for creating vulnerability report documentation. Methods such as embedding security metric and vulnerability data inside response reports are all vendor-specific, non-standard and time consuming to decipher manually.

Through its CVRF Project, ICASI undertook to remedy this lack of standardization. The project team expanded existing security documentation formats and integrated a best-of-breed solution into a common, open XML-based framework ‒ CVRF ‒ that brings consolidation and consistency to the security vulnerability documentation space, and its use has grown organically among stakeholders since its launch in May 2011.

The XML-based framework of CVRF predefines a large number of fields, with extensibility and robustness in mind. These fields are consistent in naming and data type, so that any organization that adopts and understands CVRF can easily produce documents or read the ones that another CVRF-equipped organization has produced. Independent discoverers of bugs, large vendors, security coordinators and end users of security response efforts worldwide can all write CVRF documents to share critical vulnerability-related information. Widespread use of CVRF will accelerate information dissemination and exchange and incident resolution as a result.

ICASI maintains CVRF as a living framework that will be enhanced and revised as necessary. ICASI will continue supporting CVRF to ensure that it will remain both stable and free for use by all. Implementers are encouraged to submit their suggestions for improvements to [email protected]

About ICASI The Industry Consortium for Advancement of Security on the Internet (ICASI) provides a unique forum of trust through which global companies can collaborate to actively address complex, multi-product security threats to better protect the critical IT infrastructures that support the world’s enterprises, governments and citizens. ICASI Founding Members include Cisco Systems, IBM, Intel Corporation, Juniper Networks, Microsoft Corporation, and Nokia Corporation. For more information, visit www.ICASI.org, or send an inquiry regarding membership structure, benefits, and dues to [email protected]

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21354
PUBLISHED: 2021-03-08
Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is an open redirection vulnerability in the path of "https://pollbot.services.mozilla.com...
CVE-2021-21362
PUBLISHED: 2021-03-08
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses ...
CVE-2020-4695
PUBLISHED: 2021-03-08
IBM API Connect V10 is impacted by insecure communications during database replication. As the data replication happens over insecure communication channels, an attacker can view unencrypted data leading to a loss of confidentiality.
CVE-2020-4903
PUBLISHED: 2021-03-08
IBM API Connect V10 and V2018 could allow an attacker who has intercepted a registration invitation link to impersonate the registered user or obtain sensitive information. IBM X-Force ID: 191105.
CVE-2020-5014
PUBLISHED: 2021-03-08
IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side requesr forgery attack. IBM X-Force ID: 193247.