Notes
Slide Show
Outline
1
Standards for Enabling Automation in Information Security
  • Robert A. Martin
  • ramartin@mitre.org
  • MITRE.
  • 18 November 2004
2
Difficult to Integrate Information on
Vulnerabilities and Exposures
3
The CVE List provides a path for integrating information on Vulnerabilities and Exposures
4
Compatible Product “Metrics”
  • By Product Name (200)
  • By Organization (125)
  • By Type (12)
  • By Country (18)
  • By Level (7@1, 28@2, 120@3,
  •                     11@4, 34@5)
5
OVAL Query
6
OVAL Schema
& Definitions
  • 993 definitions


  • XML, SQL, & Pseudo Code


  • Schemas for:
    • Microsoft Windows
    • Sun Solaris 7, 8, 9
    • Red Hat Linux


  • Draft Schemas
    • Hewlett-Packard UNIX (HP-UX)
    • Debian Linux
7
Vulnerability Management
How most vulnerability management processes are applied to systems today
8
Use Standards to Provide Flexible, End-to-End Automated Vulnerability Management
How the process could work using standards
9
Vulnerability Management Using Standards: xML, CVE, OVAL
10
A broader look at
Vulnerability Management
11
Standards for Enabling Automation in Information Security