The Secure Development Lifecycle 29
The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration.” An information security vulnerability is a mistake in software that can be used directly by a hacker to gain access to a system or network. See the Terminology page of the CVE website for a complete explanation of how this term is used in the CVE. An information security exposure is a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. Using a common identifier makes it easier to share data across separate databases, tools, and services, which, until the creation of CVE in 1999, were not easily integrated. If a report from a security capability incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible tools, services, and repositories to remediate the problem. With CVE, your tools and services can “speak” (i.e., exchange data) with each other. You will know exactly what each covers, because CVE provides you with a baseline for evaluating the coverage of your tools. This means that you can determine which tools are most effective and appropriate for your organization’s needs. In short, CVE-compatible tools, services, and databases will give you better coverage, easier interoperability, and enhanced security.
Bugtraq IDs are identifiers for a commercially operated vulnerability database that are used in security advisories and alerts, as well as for discussions on the Bugtraq mailing list. CVE Identifiers are from an international information security effort that is publicly available and free to use. CVE Identifiers are for the sole purpose of providing a common name. For this reason, CVE Identifiers are frequently used by researchers and the makers of security tools, websites, databases, and services as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE Identifiers. A CVE Identifier will give you a standardized identifier for any given vulnerability or exposure. Knowing this identifier will allow you to quickly and accurately access information about the problem across multiple information sources that are CVE-compatible. For example, if you own a security tool whose reports contain references to CVE Identifiers, you may then access fix information in a separate CVE-compatible database. CVE also provides you with a baseline for evaluating the coverage of your tools.
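As an added illustration (not from the book), the Python below shows the mechanics the two paragraphs above describe: validating CVE Identifier syntax, joining two tool reports on their CVE references where proprietary ids and Bugtraq IDs cannot be joined, measuring each tool's coverage against a baseline CVE set, and spotting entries with no fix information in a CVE-compatible repository. The tool names, finding ids, Bugtraq-style ids, fix text and the CVE Identifiers themselves are constructed; the identifiers are syntactically valid but do not denote real CVE entries.

```python
import re

# CVE Identifier syntax: "CVE-" + four-digit year + "-" + four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def normalize_cve_id(raw):
    """Canonical upper-case CVE Identifier, or None if the text is not one."""
    candidate = raw.strip().upper()
    return candidate if CVE_ID_RE.match(candidate) else None

# Constructed sample reports from two hypothetical tools. Each tool labels
# findings with its own id; only the CVE references let the reports be joined.
# The CVE Identifiers below are syntactically valid but do not denote real entries.
TOOL_REPORTS = {
    "scanner_a": [
        {"id": "SA-1001", "refs": ["cve-1999-9001", "BID-99901"]},
        {"id": "SA-1002", "refs": ["CVE-1999-90001"]},   # 5-digit sequence part
        {"id": "SA-1003", "refs": ["BID-99902"]},        # no CVE: cannot be linked
    ],
    "scanner_b": [
        {"id": "B-77", "refs": ["CVE-1999-9001", "CVE-1999-9002"]},
        {"id": "B-78", "refs": ["CVE-99-9003"]},         # malformed: ignored
    ],
}

# Constructed CVE-compatible fix repository keyed by CVE Identifier.
FIX_DB = {
    "CVE-1999-9001": "upgrade component X to 2.3.1 (constructed)",
    "CVE-1999-9002": "apply vendor patch (constructed)",
}

def cve_ids_in_report(findings):
    """Set of valid CVE Identifiers referenced anywhere in one tool's report."""
    ids = set()
    for finding in findings:
        ids.update(filter(None, (normalize_cve_id(r) for r in finding["refs"])))
    return ids

def correlate(reports):
    """Map each CVE Identifier to the set of tools that reported it."""
    seen = {}
    for tool, findings in reports.items():
        for cve in cve_ids_in_report(findings):
            seen.setdefault(cve, set()).add(tool)
    return seen

def coverage(reports, baseline):
    """Fraction of a baseline CVE set each tool reports (CVE as the yardstick)."""
    return {tool: len(cve_ids_in_report(f) & baseline) / len(baseline)
            for tool, f in reports.items()}
```

Entries returned by correlate() that are absent from FIX_DB are the ones for which no CVE-compatible fix information is available yet.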
The CVE List feeds the U.S. National Vulnerability Database
(NVD), which then builds upon the information included in CVE
entries to provide enhanced information for each CVE Identifier such as