A Collection of Information Security Community Standardization Activities and Initiatives
MITRE, in collaboration with government, industry, and academic stakeholders, is improving the measurability of security through enumerating baseline security data, providing standardized languages as means for accurately communicating the information, and encouraging the sharing of the information with users by developing repositories.

The other activities and initiatives listed here have similar concepts or approaches compatible with MITRE's. Together, all of these efforts help make security more measurable by defining the concepts that need to be measured, providing for high-fidelity communication about the measurements, and providing for sharing of both the measurements and the definitions of what to measure.

Measurable security pertains at a minimum to the following areas:

Vulnerability Management

Intrusion Detection

Asset Security Assessment

Asset Management

Configuration Guidance

Patch Management

Malware Response

Incident Management

Threat Analysis

The activities and initiatives fall into three groups: enumerations (what to measure), languages (how to communicate the measurements), and repositories (where the measurements and definitions are shared).

Enumerations

Common Vulnerabilities and Exposures (CVE®) - common vulnerability identifiers
Common Weakness Enumeration (CWE™) - list of software weakness types
Common Configuration Enumeration (CCE™) - common security configuration identifiers
Common Platform Enumeration (CPE™) - common platform identifiers
CWE/SANS Top 25 - community consensus list of the 25 most dangerous software errors, with mitigations
Center for Internet Security (CIS) Consensus Security Metrics Definitions - set of standard metrics and data definitions that can be used across organizations to collect and analyze data on security process performance and outcomes
Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance - twenty key actions or security "controls" that organizations must take to block or mitigate known and reasonably expected attacks
SANS Top Cyber Security Risks - community consensus list of the most critical Internet security threats and vulnerabilities; uses CVE-IDs to identify the issues
OWASP Top Ten - community consensus list of the ten most critical Web application security flaws; uses CWE-IDs to uniquely identify the issues it describes
WASC Web Security Threat Classification - list of Web security threats

Languages

Open Vulnerability and Assessment Language (OVAL®) - standard for determining vulnerability and configuration issues
Common Event Expression (CEE™) - standardizes the way computer events are described, logged, and exchanged
Malware Attribute Enumeration and Characterization (MAEC™) - standardized language for attribute-based malware characterization
Cyber Observable Expression (CybOX™) - standard language for cyber observables
Benchmark Development - resources for creating standards-based, structured, and automatable security guidance
OVAL Interpreter - free tool for collecting system information, evaluating OVAL Definitions against it, and presenting the results of the tests
Recommendation Tracker™ - free tool that facilitates the development of automated security benchmarks
Extensible Configuration Checklist Description Format (XCCDF) - specification language for uniform expression of security checklists, benchmarks, and other configuration guidance
Open Checklist Interactive Language (OCIL) - standardized language for expressing and evaluating non-automated security checks
Common Vulnerability Scoring System (CVSS) - open standard that conveys vulnerability severity and helps determine urgency and priority of response
Policy Language for Assessment Results Reporting (PLARR) - language for requesting IT asset assessment results from tools, databases, and other products
Assessment Results Format (ARF) - open language for exchanging per-device assessment results data between assessment tools, asset databases, and other products that manage asset information
Assessment Summary Results (ASR) - language for exchanging summarized assessment results data
Common Frameworks for Vulnerability Disclosure and Response (CVRF) - standard format for reporting and sharing vulnerability information among multiple organizations

Repositories

OVAL Repository - community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions
National Vulnerability Database (NVD) - U.S. vulnerability database based on CVE that integrates all publicly available vulnerability resources and references
NIST Security Content Automation Protocol (SCAP) - security content for automating technical control compliance activities, vulnerability checking, and security measurement
Red Hat OVAL Repository - OVAL Patch Definitions corresponding to Red Hat Errata security advisories
Novell OVAL Repository - OVAL Definitions for SUSE Linux Enterprise compliance checking
Debian OVAL Repository - OVAL Definitions corresponding to Debian security advisories
IT Security Database OVAL Feed and Repository - a compilation of OVAL Vulnerability, Inventory, Compliance, and Patch Definitions from multiple public sources
SecPod Technologies OVAL Definitions Professional Feed - OVAL Vulnerability, Inventory, Compliance, and Patch Definitions covering the majority of CVEs for various operating systems, enterprise servers, and applications
National Checklist Program Repository - U.S. government repository of publicly available security checklists and benchmarks
Center for Internet Security (CIS) Benchmarks - best-practice security configurations accepted for compliance with FISMA, the ISO standard, GLB, SOx, HIPAA, FIRPA, and other regulatory requirements for information security
DISA Security Technical Implementation Guides (STIGs) - the U.S. Defense Information Systems Agency's (DISA) STIGs are configuration standards for DOD information assurance and information assurance-enabled devices and systems
U.S. Federal Desktop Core Configuration (FDCC) - OMB-mandated security configuration for Microsoft Windows Vista and XP operating system software; uses CCE-IDs as the main identifiers for the settings in the FDCC data file downloads
United States Government Configuration Baseline (USGCB) - security configuration baselines for IT products deployed across federal agencies