Make vulnerability countermeasure information gathering easier for SMEs (Small and Medium-sized Enterprises)
October 23, 2008
The Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) announced the release of “MyJVN”, a filtered vulnerability countermeasure information tool, on October 23, 2008. MyJVN offers services such as customized filtering, auto searching and checklist creation that help IT users make better use of JVN iPedia and gather vulnerability countermeasure information more easily and efficiently.
“MyJVN” URL: http://jvndb.jvn.jp/apis/myjvn/ (in Japanese)
In addition, MyJVN now supports CPE (Common Platform Enumeration) on a trial basis to strengthen international collaboration and cross-referenceability. An introductory document to CPE is also available on the IPA web site.
JVN iPedia (*1) is a vulnerability countermeasure information database focused on domestic use. It collects vulnerability and countermeasure information about software widely used in Japan and now stores more than 5,400 vulnerability information entries.
The new tool “MyJVN” improves the use of the vulnerability countermeasure information stored in JVN iPedia by making it easier and more efficient for users to collect the information they need through services such as customized filtering, auto searching and checklist creation.
In addition, MyJVN has started a trial of CPE (Common Platform Enumeration), a structured naming scheme to identify IT products, to strengthen international collaboration and cross-referenceability.
CPE has been developed under the leadership of MITRE (*2) with the sponsorship of the U.S. Department of Homeland Security.
For more information on CPE, please refer to:
CPE Overview ( http://www.ipa.go.jp/security/english/vuln/CPE_en.html )
JVN iPedia and MyJVN already support CVE (*3), CVSS (*4) and CWE (*5). Continuing with CPE, IPA will keep working to promote an infrastructure that helps users implement security measures efficiently by introducing cross-referenceable vulnerability information standards into JVN iPedia.
MyJVN allows users to view only the vulnerability countermeasure information they are interested in from the data stored in JVN iPedia. When users select vendors (Figure 1) and products (Figure 2), MyJVN lists only the vulnerability countermeasure information related to what they have selected (Figure 3).
Furthermore, clicking a title in the list of vulnerabilities shows the details of the selected vulnerability (Figure 4). On the detail page, users can check, for example, which products/systems are affected, how severe the effects would be and how to counter the vulnerability.
Figure 1. Vendor Selection Wizard Screen
Figure 2. Product Selection Wizard Screen
Figure 3. Filtering Result – List of Target Vulnerability Information
Figure 4. Detail Page of Selected Vulnerability
Users do not need to set the filtering requirements each time. Once set, the vulnerability countermeasure information is automatically reloaded based on the latest filtering requirements set by each user whenever that user uses MyJVN. Simply by accessing MyJVN, users can always gather the latest vulnerability countermeasure information of interest to them.
Users can use a checklist to see whether they are keeping up with or falling behind on implementing vulnerability countermeasures. A vulnerability checklist lists key items from the vulnerability countermeasure information, such as the published date, ID, title, overview, severity and product/system affected. Users can print it out and use it as a paper checklist (Figure 5).
Figure 5. Checklist
CPE (Common Platform Enumeration) is a structured naming scheme for the hardware and software that compose IT systems. CPE has been developed under the leadership of MITRE with the sponsorship of the U.S. Department of Homeland Security, and Version 1.0 was released on January 30, 2007. Through its adoption into the U.S. national vulnerability database NVD (*6) operated by NIST (*7) and the Federal Desktop Core Configuration (FDCC) (*8), CPE was revised, and Version 2.1 was released on January 31, 2008.
MyJVN has a mechanism to cross-reference vulnerability countermeasure information in JVN iPedia by CPE Names, using the CPE Dictionary used in NVD as a reference.
IPA will continue its efforts to provide vulnerability countermeasure information and to improve the infrastructure for better flow and use of that information by advancing cross-referenceability with the CPE Dictionary and adopting CPE Names as the product identifier.
For more information on CPE, please refer to an introductory document to CPE at the following:
(*1) JVN iPedia: The vulnerability countermeasure database operated by IPA.
(*2) MITRE Corporation: A not-for-profit organization that provides information technology support and research and development to the U.S. government.
(*3) CVE: Common Vulnerabilities and Exposures
(*4) CVSS: Common Vulnerability Scoring System. For more information, please refer to CVSS 2.0.
(*5)CWE: Common Weakness Enumeration. For more information, please refer to CWE Overview:
(*6) NVD: National Vulnerability Database. A vulnerability database run by NIST.
(*7) NIST: National Institute of Standards and Technology. A federal agency that develops and promotes measurement, standards and technology.
(*8) FDCC: Federal Desktop Core Configuration. A mandated security standard that requires all federal agencies to standardize the minimum configuration of PC settings.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)