CVE
History
The CVE List was launched by MITRE as a community effort in 1999.
CVE lifecycle
https://www.cve.org/About/Process#CVERecordLifecycle
CWE and CVE
At first glance, CWE and CVE seem similar, but there is a major difference.
- CWE stands for Common Weakness Enumeration, and has to do with the vulnerability—not the instance within a product or system.
- CVE stands for Common Vulnerabilities and Exposures, and has to do with the specific instance within a product or system—not the underlying flaw.
Essentially, CWE is a “dictionary” of software vulnerabilities, while CVE is a list of known instances of vulnerability for specific products or systems.
CVSS and CWSS
We also need a scoring system for vulnerabilities.
- CVSS stands for Common Vulnerability Scoring System, and is used to score the severity of a vulnerability.
- CWSS stands for Common Weakness Scoring System, and ranks the severity of software weaknesses.
CVE and NVD
The CVE List was launched by MITRE as a community effort in 1999, and the U.S. National Vulnerability Database (NVD) was launched by the National Institute of Standards and Technology (NIST) in 2005.
- CVE - A list of records—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. CVE Records are used in numerous cybersecurity products and services from around the world, including NVD.
- NVD - A vulnerability database built upon and fully synchronized with the CVE List so that any updates to CVE appear immediately in NVD.
The CVE List feeds NVD, which then builds upon the information included in CVE Records to provide enhanced information for each record such as fix information, severity scores, and impact ratings. As part of its enhanced information, NVD also provides advanced searching features such as by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.
Link
#security #devsecops #quartz