Common Platform Enumeration (CPE) - Name Format and Description

Abstract

Following security best practices is essential to maintaining the security of IT systems. To this end, several specification languages exist for describing vulnerabilities, testing system state, and expressing security checklists. But descriptions of vulnerabilities and configuration best practices have greater utility when all participants share common names for the entities described. Further, use of consistent and meaningful names can speed application, foster interoperability, improve correlation of test results, and ease gathering of metrics. Today, a popular and widespread naming scheme exists for vulnerabilities: the Common Vulnerabilities and Exposures (CVE) naming scheme is widely used for identifying and describing IT system vulnerabilities. A somewhat similar scheme has recently been introduced for secure configuration best practices: the Common Configuration Enumeration (CCE). All vulnerability and configuration information items have an important distinction that affects their use: they apply only to a particular range of IT systems, platforms, or applications. This is so obvious that IT managers and security administrators sometimes forget how critical it can be. When a new vulnerability is announced, the first question most practitioners will ask is: "which systems are vulnerable?" In prose vulnerability descriptions, informal or colloquial names for IT platforms are adequate. Experienced system administrators and security analysts can understand and use ad hoc names. There is a strong trend toward automation in security practice, but automated systems cannot work with informal or ad hoc names. To foster effective automation, the community needs a more formal naming scheme, consistent and uniform, that allows tools (as well as human analysts and authors) to clearly identify the IT platforms to which a vulnerability or element of guidance applies.

Document Details

Document Type
Technical Report
Publication Date
Jan 10, 2007
Accession Number
AD1107063

Entities

People

  • Andrew Buttner
  • Neal Ziring
  • Todd Wittbold

Organizations

  • MITRE Corporation

Tags

DTIC Thesaurus Topics

  • Algorithms
  • Best Practices
  • Cecum
  • Computer Program Documentation
  • Computers
  • Control Systems
  • Databases
  • Dictionaries
  • Guidance
  • Internet
  • Language
  • Laptop Computers
  • National Security
  • Operating Systems
  • Platforms
  • Relational Database Management Systems
  • Security
  • Specifications
  • Standards
  • Web Browsers

Fields of Study

  • Computer science

Readers

  • Computational Linguistics
  • Software Engineering