The Common Configuration Enumeration

The National Vulnerability Database (NVD) is probably the best place to check for known security vulnerabilities in software products. It now contains information on over 34,000 different security vulnerabilities. Its Common Vulnerabilities and Exposures (CVE) naming scheme is the most common way of identifying security vulnerabilities, and many commercial security testing products now report their findings with CVE identifiers attached.

The vulnerabilities that CVE names cover all stem from design or implementation flaws in products. That covers many security vulnerabilities, but not all of them. Many others are caused by the way products are configured. The National Checklist Program run by NIST now has 142 checklists for 78 different products that describe how to configure them securely, but there is no database of the ways in which configuring or misconfiguring a product can cause security problems. This is changing, however, and that information will eventually be part of the NVD.

The new scheme is the Common Configuration Enumeration (CCE). From the MITRE web site, here’s a description of what the CCE scheme will cover:

CCE™ provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE Identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.

So once CCE is rolled out and added to the NVD, we will have a repository of known configuration issues that cause security problems, each with a stable identifier that tools and checklists can refer to. That should make the NVD even more useful than it is now.
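The correlation described in the MITRE text, with a stable identifier joining tool output to checklist statements, is easy to show in a few lines. The following is an added example written for this post, not code from MITRE or NIST: the CCE identifiers, checklist statements and scanner output are all constructed placeholders, and the functions only check that an identifier has the CCE-NNNN-N shape (the check-digit rule for the last digit is not implemented). It also handles the two cases a practitioner runs into when merging sources: a finding from one tool that no checklist statement covers, and two tools disagreeing about the same setting.

```python
"""Correlate configuration-assessment results with checklist statements by CCE ID."""
import re

# CCE identifiers look like CCE-NNNN-N. Only the shape is validated here;
# the check-digit rule for the trailing digit is not implemented (assumption).
CCE_ID = re.compile(r"^CCE-\d{4}-\d$")

# Constructed sample input for this example. The identifiers and statements
# are placeholders, not real CCE entries or real checklist content.
CHECKLIST_TEXT = """\
CCE-1234-5|Disable the telnet service
CCE-2345-6|Set minimum password length to 14
CCE-3456-7|Enable audit logging for logon events
"""

# Output of two hypothetical assessment tools, "CCE-ID,pass|fail" per line.
SCAN_A_TEXT = """\
CCE-1234-5,fail
CCE-2345-6,pass
CCE-3456-7,fail
"""

SCAN_B_TEXT = """\
CCE-1234-5,fail
CCE-2345-6,fail
CCE-9999-9,pass
BAD-ID,fail
"""


def parse_checklist(text):
    """Map CCE ID -> best-practice statement, skipping malformed identifiers."""
    statements = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cce, statement = line.split("|", 1)
        if CCE_ID.match(cce):
            statements[cce] = statement.strip()
    return statements


def parse_scan(text):
    """Map CCE ID -> 'pass'/'fail' for one tool; also return the lines it rejected."""
    results, rejected = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        cce, status = (part.strip() for part in line.split(",", 1))
        if CCE_ID.match(cce) and status in ("pass", "fail"):
            results[cce] = status
        else:
            rejected.append(line)
    return results, rejected


def correlate(checklist, scans):
    """Join results from several tools onto the checklist, keyed by CCE ID.

    scans: dict tool_name -> {cce: status}.
    Each report entry carries the checklist statement (None when no statement
    covers that ID), the per-tool results, whether any tool reported a failure,
    and whether the tools disagree with each other.
    """
    report = {}
    ids = set(checklist) | {cce for results in scans.values() for cce in results}
    for cce in sorted(ids):
        results = {tool: r[cce] for tool, r in scans.items() if cce in r}
        report[cce] = {
            "statement": checklist.get(cce),
            "results": results,
            "failed": any(status == "fail" for status in results.values()),
            "disagree": len(set(results.values())) > 1,
        }
    return report


def unmapped_findings(report):
    """CCE IDs that a tool reported but that no checklist statement covers."""
    return sorted(cce for cce, entry in report.items() if entry["statement"] is None)


if __name__ == "__main__":
    checklist = parse_checklist(CHECKLIST_TEXT)
    scan_a, _ = parse_scan(SCAN_A_TEXT)
    scan_b, rejected_b = parse_scan(SCAN_B_TEXT)
    report = correlate(checklist, {"tool_a": scan_a, "tool_b": scan_b})
    for cce, entry in report.items():
        flag = "FAIL" if entry["failed"] else "ok"
        note = " (tools disagree)" if entry["disagree"] else ""
        print(f"{cce} {flag}{note}: {entry['statement'] or '<no checklist statement>'} {entry['results']}")
    print("rejected lines from tool_b:", rejected_b)
    print("unmapped findings:", unmapped_findings(report))
```

The two edge cases are the ones worth watching in practice: a result for an ID the checklist does not mention means the tool is checking something your policy does not cover (or is using an ID your checklist version predates), and a pass/fail split between tools on the same ID usually means the tools interpret the setting differently rather than that the host changed between scans.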
