by Josef Weiss
October 18, 2017
In the early days of the Internet, vulnerabilities were not publicly known or identifiable. In 1999, the information security industry endorsed the importance using a common format in identifying vulnerabilities, thus the Common Vulnerabilities and Exposures (CVE®) was created. Since 1999, the adoption of CVE has grown from 29 organizations to over 150 organizations. Renaud Deraison, one of Tenable’s founders, is a past member of the CVE Editorial board.
Tenable products were first CVE Compatible in 2004, and currently Tenable.io is compatible. Tenable continues to lead the security industry in vulnerability management and continuous network monitoring by embracing accepted standards such as CVE.
Cyber Exposure has an operational security lifecycle which aims to provide common visibility to Security and IT teams. Tenable.io utilizes the CVE program to reference each of the vulnerabilities detected by Tenable.io. This identifies and remediates security issues quickly and efficiently. The CVE identifiers can be used throughout several areas of the Cyber Exposure lifecycle within Tenable.io for reporting, asset identification, risk management, and threat mitigation. The CVE Analysis report helps to identify vulnerabilities by their CVE identifiers from 1999 to 2019.
CVE is a widely used industry standard for identifying vulnerabilities across software vendors and vulnerability management systems. Using CVE IDs to identify vulnerabilities allows organizations to easily target affected systems and software for remediation. As vendors provide patches for widespread vulnerabilities such as WannaCry and Krack, many new plugins are released. The task of tracking vulnerabilities is simplified by using CVE identifiers, as the CVE identifiers for vulnerabilities remain the same even as new patches and plugins are released. Using CVE is a very flexible and useful method of detecting vulnerabilities to assist in the risk management process.
Cyber Exposure is the next frontier for empowering organizations to accurately understand, represent and ultimately reduce their cyber risk against the rapidly changing modern attack surface. Cyber Exposure will help the CISO drive a new level of dialogue with the business. Being able to know which areas of your business are secure or exposed, then the CISO can more effectively measure the organizations Cyber Risk. For example, how much and where to invest to reduce risk to an acceptable amount and help drive strategic business decisions.
This report provides the business with an easy to understand format for displaying the current count of vulnerabilities based on CVE release data and collection methods. This allows analysts and administrators to accurately represent and communicate cyber risk back to the business.Tenable.io is the first solution in Cyber Exposure that provides the key risk metrics business’ need to measure risk exposures.
Chapters
Executive Summary - This chapter provides a high level view of vulnerabilities by CVE. The matrices and trend graphs provide an analyst with counts of vulnerabilities by CVE year and collection method. The trend graphs provide an understanding of vulnerabilities filtered on CVE over the past three months. By tracking the current vulnerability count, analysts can track mitigation progress.
Vulnerabilities with CVE from 1999 to 2009 - This chapter provides details for all vulnerabilities with CVE from 1999 to 2009. The content provided is sorted by vulnerability and severity. For each vulnerability, a list of applicable CVEs, vulnerability description, and the affected systems is provided.
Vulnerabilities with CVE from 2010 to 2019 - The chapter provides details for all vulnerabilities with CVE from 2010 to 2019. The content provided is sorted by vulnerability and severity. For each vulnerability, a list of applicable CVEs, vulnerability description, and the affected systems is provided.