Guide to Using Vulnerability Naming Schemes
This NIST guide explains how organizations can use standardized names for vulnerabilities in IT systems (such as software flaws in an operating system or security configuration issues in an application) to support interoperability, minimize confusion about which problem is being addressed, and quickly locate remediation information when a new problem arises. It provides information and recommendations on two commonly used naming schemes: Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE).
A vulnerability naming scheme is a systematic method for creating and maintaining a standardized dictionary of common names for a set of vulnerabilities in IT systems, such as software flaws in an operating system or security configuration issues in an application. The naming scheme ensures that each vulnerability entered into the dictionary has a unique name. Using standardized vulnerability naming schemes supports interoperability. Organizations typically have many tools for system security management that reference vulnerabilities, for example vulnerability and patch management software, vulnerability assessment tools, anti-virus software and intrusion detection systems. If these tools do not use standardized names for vulnerabilities, it may not be clear that multiple tools are referencing the same vulnerabilities in their reports, and it may take extra time and resources to resolve these discrepancies and correlate the information. This lack of interoperability can cause delays and inconsistencies in security assessment, reporting, decision-making and vulnerability remediation, and it hampers communication both within and between organizations.
Use of standardized names also helps minimize confusion regarding which problem is being addressed, such as which vulnerabilities a new patch mitigates. This helps organizations quickly identify the information they need, such as remediation information, when a new problem arises.
This publication provides information and recommendations related to two commonly used vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE), and Common Configuration Enumeration (CCE).
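The interoperability argument above is easiest to see with tool output in hand. The Python below is an added illustration, not code from the NIST guide: it extracts CVE and CCE identifiers from three constructed samples (a vulnerability scanner report, a patch manifest and an IDS alert log, all made up for this example and not the output of any real product), normalizes them to their canonical form, and then reports which tools agree on each identifier and which scanner findings no patch claims to cover. The IDS sample deliberately carries its references in the Snort rule syntax `reference:cve,YYYY-NNNN` rather than as a `CVE-` name, to show the extra translation step that a tool without standardized names forces on the consumer. The CCE check digit is matched by shape only and not verified; the Snort-style alert line layout is an assumption for the sample.

```python
import re
from collections import defaultdict

# Official CVE ID syntax: "CVE-" + 4-digit year + 4 or more digits (the 2014 syntax
# change removed the old four-digit cap on the sequence number).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# CCE ID syntax: "CCE-" + 5 digits + "-" + 1 check digit (e.g. CCE-27076-1).
# Only the shape is checked here; the check digit itself is not validated.
CCE_RE = re.compile(r"\bCCE-\d{5}-\d\b", re.IGNORECASE)
# Snort rule reference syntax for a CVE: "reference:cve,2023-1234" (no "CVE-" prefix).
SNORT_CVE_REF_RE = re.compile(r"reference:cve,(\d{4}-\d{4,})", re.IGNORECASE)

# Constructed sample outputs from three hypothetical tools, each in its own format.
SCANNER_REPORT = """\
host=web01 plugin=12345 severity=high refs=cve-2023-1234,CVE-2022-9999
host=web01 plugin=20001 severity=medium refs=CVE-2023-4567
host=db02 plugin=30002 severity=low refs=CCE-27076-1
"""
PATCH_MANIFEST = """\
KB5001234: Fixes CVE-2023-1234 and CVE-2023-4567 in the HTTP stack
KB5001235: Fixes CVE-2021-11111
"""
IDS_ALERTS = """\
2024-01-05T10:01:00Z alert sid=100001 msg="Exploit attempt" reference:cve,2023-1234
2024-01-05T10:02:00Z alert sid=100002 msg="Probe" reference:cve,2022-9999
"""


def extract_ids(text):
    """Return the set of CVE and CCE identifiers in free text, upper-cased to the canonical form."""
    ids = set()
    for pattern in (CVE_RE, CCE_RE):
        ids.update(m.upper() for m in pattern.findall(text))
    return ids


def normalize_snort_refs(text):
    """Rewrite Snort-style 'reference:cve,YYYY-NNNN' fields into standard CVE-YYYY-NNNN names."""
    return SNORT_CVE_REF_RE.sub(lambda m: "CVE-" + m.group(1), text)


def correlate(sources):
    """Map each identifier to the set of tool names that reported it.

    sources: dict of tool name -> that tool's raw text output.
    """
    by_id = defaultdict(set)
    for tool, text in sources.items():
        for ident in extract_ids(text):
            by_id[ident].add(tool)
    return dict(by_id)


def unpatched_findings(scanner_text, patch_text):
    """Identifiers the scanner reported that no entry in the patch manifest claims to fix."""
    return extract_ids(scanner_text) - extract_ids(patch_text)


if __name__ == "__main__":
    sources = {
        "scanner": SCANNER_REPORT,
        "patch": PATCH_MANIFEST,
        # Without this translation the IDS output contributes no usable names at all.
        "ids": normalize_snort_refs(IDS_ALERTS),
    }
    for ident, tools in sorted(correlate(sources).items()):
        print(f"{ident}: {', '.join(sorted(tools))}")
    print("Reported by scanner, not covered by any patch:",
          sorted(unpatched_findings(SCANNER_REPORT, PATCH_MANIFEST)))
```

Run against the raw `IDS_ALERTS` text, `extract_ids` finds nothing, which is exactly the correlation failure the guide describes; after `normalize_snort_refs` the same alerts line up with the scanner and patch records by name. The set difference in `unpatched_findings` is the "which vulnerabilities does this patch mitigate" question answered mechanically, and it works only because every source is speaking in the same identifier space.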
The attached Zip file includes:
- Intro Page.doc
- Cover Sheet and Terms.pdf
- Guide to Using Vulnerability Naming Schemes.pdf