Following security best practices is essential
to maintaining the security of IT systems, and several specification
languages currently exist for describing vulnerabilities, testing
system state, and expressing security checklists. But descriptions
of vulnerabilities and configuration best practices have greater utility
when all participants share common names for the entities described.
In addition, use of consistent and meaningful names—for example,
Common Vulnerabilities and Exposures (CVE®)
for IT system vulnerabilities and Common Configuration Enumeration
(CCE™) for
secure configuration best practices—can speed application, foster
interoperability, improve correlation of test results, and ease the
gathering of metrics.

The same is true
for naming IT systems, platforms, and packages. Using informal or
colloquial names to identify the platforms is adequate for experienced
system administrators and security analysts to use on their own
when dealing with vulnerabilities and configuration issues, but
to foster automation in security practice the community needs a
more formal naming scheme, consistent and uniform, that allows tools
(as well as humans) to clearly identify the IT platforms to which
a vulnerability or element of guidance applies. With a clear and
uniform naming specification, community members can generate IT
platform names in a consistent and predictable way.

CPE™ is a structured
naming scheme for information technology systems, platforms,
and packages. Based upon the generic syntax for Uniform Resource
Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method
for checking names against a system, and a description format
for binding text and tests to a name.