Developer API for JVN iPedia Released
Applications can now access JVN iPedia vulnerability countermeasure information through MyJVN API
Feb 25, 2010
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) released MyJVN API, a software interface to access and utilize vulnerability countermeasure information stored in JVN iPedia, on February 25, 2010.
URL: http://jvndb.jvn.jp/en/apis/index.html
Since late 2009, we have regularly seen media reports of cases where the websites of big-name companies and public bodies were maliciously manipulated and exposed their visitors to computer viruses. To prevent such website compromises, collectively called the Gumblar attack, it is most important for website administrators to promptly obtain vulnerability information on the software products used in their systems and eliminate the vulnerabilities.
IPA offers a free vulnerability countermeasure information database, JVN iPedia, where vulnerability and countermeasure information on software products used in Japan, such as OS, applications, libraries and embedded products, is collected and stored for public use(*1). Until now, the functions to view and search the data in JVN iPedia were provided by IPA, but there had been many requests from application developers to make an API (application programming interface)(*2) for JVN iPedia available so that they could use its data in their vulnerability management services and assessment tools.
To respond to these requests, IPA developed and released MyJVN API, a software interface to access and utilize vulnerability countermeasure information stored in JVN iPedia, together with testing support tools. To enable application developers to use the data through an open interface, JVN iPedia has adopted SCAP(*3), a set of standards for describing vulnerability countermeasure information. For example, it uses CVE(*4) for identifying vulnerabilities and was officially approved as CVE-Compatible by MITRE(*5) in January 2010(*6).
By using MyJVN API, any custom application can access the data in JVN iPedia, and various vulnerability management services can now efficiently utilize vulnerability countermeasure information. JVN iPedia has been growing in use, achieving 4 million hits per month in January 2010. IPA hopes the release of MyJVN API pushes the use of JVN iPedia further forward and promotes the implementation of countermeasures against vulnerabilities.
To access MyJVN API testing support tools, visit the following URL:
http://jvndb.jvn.jp/en/apis/index.html
Table 1. Basic Functions Provided by MyJVN API
| No. | Function | API | Description |
|---|---|---|---|
| 1 | Get list of vendors | getVendorList | The vendor list that is filtered by the CPE is acquired in XML format. |
| 2 | Get list of products | getProductList | The product list that is filtered by the CPE is acquired in XML format. |
| 3 | Get list of vulnerability overviews | getVulnOverviewList | The vulnerability overview list that is filtered by the CPE is acquired in JVNRSS (RSS + mod_sec) format. |
| 4 | Get the details of vulnerability | getVulnDetailInfo | The vulnerability detail information is acquired in VULDEF format. |
MyJVN API Testing Support Tools
Figure 1 shows the parameter input page for the “getVendorList” API testing support tool. By using the tool, developers can input parameters and check the expected output values during application development.
MyJVN tools developed and provided by IPA, such as MyJVN Filtered Vulnerability Countermeasure Information Tool(*7), MyJVN Version Checker(*8) and MyJVN Security Configuration Checker(*9), are also using MyJVN API.
(*1) Vulnerability countermeasure information database. Vulnerability countermeasure information on software products used in Japan is collected and stored, and made available to the public.
http://jvndb.jvn.jp/en/
(*2) Specification to enable interaction with other software including how to exchange data.
(*3) Security Content Automation Protocol.
http://scap.nist.gov/
Please refer to “SCAP (Security Content Automation Protocol) Overview”.
http://www.ipa.go.jp/security/vuln/SCAP.html (in Japanese)
(*4) Common Vulnerabilities and Exposures. Please refer to “CVE (Common Vulnerabilities and Exposures) Overview”.
http://www.ipa.go.jp/security/english/vuln/CVE_en.html
(*5) MITRE Corporation. A not-for-profit organization that provides information technology support and research and development to the U.S. government.
http://www.mitre.org/
(*6) MITRE approved that CVE identifiers are adequately implemented in JVN, JVN iPedia and MyJVN (official CVE-Compatible status granted).
http://www.cve.mitre.org/news/index.html#jan082010a
(*7) A filtered vulnerability countermeasure information tool designed to help users access the JVN iPedia vulnerability countermeasure database more efficiently, by means of condition filtering and automated retrieval functions.
http://jvndb.jvn.jp/en/apis/myjvn/
(*8) A tool designed to help users easily check whether the software installed on their PC is the latest version.
http://www.ipa.go.jp/security/english/vuln/200911_myjvn_vc_en.html
http://jvndb.jvn.jp/apis/myjvn/#VCCHECK (in Japanese)
(*9) An easy-to-use tool designed to help users assess Windows security settings of their PC.
http://www.ipa.go.jp/security/english/vuln/200912_myjvn_cc_en.html
http://jvndb.jvn.jp/apis/myjvn/#CCCHECK (in Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)