Vendor Provided Validation Details - nCircle IP360 version 6.61
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.
Statement of FDCC Compliance:
Not applicable for the validated capabilities.
Statement of SCAP Implementation:
nCircle IP360 implements the SCAP standard by implementing Common Vulnerability Enumeration
(CVE), Common Platform Enumeration (CPE), and the Common Vulnerability Scoring System
(CVSS). nCircle IP360 implements the CVE standard by assigning appropriate CVE identifiers to
every detectable vulnerability for which such an identifier exists, and by given users access to this
identifier via vulnerability search. nCircle IP360 implements the CPE standard by assigning
appropriate CPE identifiers to every detectable application for which such an identifier exists, and
by providing a product-generated list of these applications nCircle IP360 implements the CVSS
standard by assigning a CVSS (Version 2) score to every detectable vulnerability for which such a
score exists. For those vulnerabilities whose scores have not yet been officially calculated by
NIST, nCircle calculates scores based on NIST guidelines. Whenever new scores are calculated
by NIST, nCircle replaces its scores with the official NIST-calculated scores. In addition, CVSS
Temporal Scores are calculated using NIST guidelines.
Statement of CVE Implementation:
nCircle IP360 implements the CVE standard by assigning appropriate CVE identifiers to every
detectable vulnerability for which such an identifier exists. IP360 provides user access to this
implementation via the following mechanisms:
- IP360's Vulnerability Search feature supports advanced options that allow the vulnerability
database to be searched using multiple criteria, including CVE identifiers. The
Vulnerability Search is capable of searching for both full and partial CVE identifiers.
- IP360 reports display a list of all detected vulnerabilities, along with an accompanying list
of any relevant CVE identifiers. Users can easily determine which CVE identifiers
correspond to a given vulnerability.
- Individual vulnerability entries include a list of externally published advisories. If the
vulnerability has a relevant CVE identifier, the CVE identifier is included in this list as a
direct, external link to the corresponding NIST CVE entry. Clicking on this link will display
information from online CVE content in a new browser window.
Statement of CCE Implementation:
Not applicable for the validated capabilities.
Statement of CPE Implementation:
nCircle IP360 uses various application detection techniques in order to enhance the accuracy and
reliability of vulnerability determination. Moreover, detected applications can be used to improve
overall network security by identifying unauthorized or unexpected applications. IP360 uses CPE
to label these detected applications. Specifically, nCircle IP360 implements the CPE standard by
assigning appropriate CPE identifiers to every detectable application for which such an identifier
exists. Whenever the official CPE dictionary is revised, new CPE identifiers are appended to
application descriptions that did not previously have associated CPE identifiers, based on the
dictionary revisions.
IP360 provides user access to this implementation via the following mechanisms:
- IP360 reports display a list of all detected applications, including operating systems and
system services. For any given application, users can examine details of the detected
application, which includes a description of the application. The description contains,
where available, a CPE identifier that exists within the official CPE dictionary, as provided
by NIST.
- A separate product dictionary that contains a list of all applications that have CPE
identifiers is provided.
Statement of CVSS Implementation:
nCircle IP360 implements the CVSS standard by assigning a CVSS (Version 2) score to every
detectable vulnerability for which such a score exists. For those vulnerabilities whose scores have
not yet been officially calculated by NIST, nCircle calculates scores based on NIST guidelines.
Whenever new scores are calculated by NIST, nCircle replaces its scores with the official NIST-
calculated scores.
IP360 provides user access to this implementation via the following mechanisms:
- IP360 reports display a list of all detected vulnerabilities. Individual vulnerabilities include a
list of externally published advisories. If the vulnerability has an official CVSS score, this
score is included in the list. The CVSS Base Vector is also included in this list. The CVSS
Base Vector is included in the list as a direct, external link to the CVSS Version 2
Calculator. The list also includes an nCircle CVSS Temporal Score and associated Vector,
which is calculated according to NIST CVSS (Version 2) guidelines.
Statement of XCCDF Implementation:
Not applicable for the validated capabilities.
Statement of OVAL Implementation:
Not applicable for the validated capabilities.