A Collection of Information Security Community Standardization Activities and Initiatives
MITRE, in collaboration with government, industry, and academic stakeholders, is improving the measurability of security by enumerating baseline security data, providing standardized languages as a means of communicating that information accurately, and encouraging its sharing with users by developing repositories.

The other activities and initiatives listed here have similar concepts or compatible approaches to MITRE’s. Together all of these efforts are helping to make security more measurable by defining the concepts that need to be measured, providing for high fidelity communications about the measurements, and providing for sharing of the measurements and the definitions of what to measure.

Measurable security pertains at a minimum to the following areas:

Vulnerability Management

Intrusion Detection

Asset Security Assessment

Asset Management

Configuration Guidance

Patch Management

Malware Response

Incident Management

Threat Analysis

Enumerations

Common Vulnerabilities and Exposures (CVE®) - common vulnerability identifiers
Common Weakness Enumeration (CWE™) - list of software weakness types
Common Configuration Enumeration (CCE™) - common security configuration identifiers
Common Platform Enumeration (CPE™) - common platform identifiers
CWE/SANS Top 25 - consensus list of the 25 most dangerous programming errors
Center for Internet Security (CIS) Consensus Security Metrics Definitions - set of standard metrics and data definitions that can be used across organizations to collect and analyze data on security process performance and outcomes
Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance - twenty key actions or security "controls" that organizations must take to block or mitigate known and reasonably expected attacks
SANS Top Twenty - SANS/FBI consensus list of the Twenty Most Critical Internet Security Vulnerabilities that uses CVE-IDs to identify the issues
OWASP Top Ten - ten most critical Web application security flaws
WASC Web Security Threat Classification - list of Web security threats

Languages

Open Vulnerability and Assessment Language (OVAL®) - standard for determining vulnerability and configuration issues
Common Result Format (CRF™) - standardized assessment result format for conveying findings based on common names and naming schemes
Common Event Expression (CEE™) - standardizes the way computer events are described, logged, and exchanged
Open Checklist Reporting Language (OCRL™) - standard for creating reports used in compliance evaluation
Benchmark Development - resources for creating standards-based, structured, and automatable security guidance
OVAL Interpreter - free tool for collecting information for testing, carrying out OVAL Definitions, and presenting results of the tests
Benchmark Editor™ - free tool that enhances and simplifies creation and editing of benchmark documents written in XCCDF and OVAL
Recommendation Tracker™ - free tool that facilitates the development of automated security benchmarks
Extensible Configuration Checklist Description Format (XCCDF) - specification language for uniform expression of security checklists, benchmarks, and other configuration guidance
Common Vulnerability Scoring System (CVSS) - open standard that conveys vulnerability severity and helps determine urgency and priority of response
Common Announcement Interchange Format (CAIF) - XML-based format created to store and exchange security announcements in a normalized way
OMG Semantics of Business Vocabulary and Business Rules (SBVR) - language for interchange of business vocabularies and rules among organizations and software tools

Repositories

OVAL Repository - community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions
National Vulnerability Database (NVD) - U.S. vulnerability database based on CVE that integrates all publicly available vulnerability resources and references
NIST Security Content Automation Protocol (SCAP) - security content for automating technical control compliance activities, vulnerability checking, and security measurement
Red Hat Repository - OVAL Patch Definitions corresponding to Red Hat Errata security advisories
Center for Internet Security (CIS) Benchmarks - best-practice security configurations accepted for compliance with FISMA, the ISO standard, GLB, SOx, HIPAA, FERPA, and other regulatory requirements for information security
DISA Security Technical Implementation Guides (STIGs) - the U.S. Defense Information Systems Agency’s (DISA) STIGs are configuration standards for DOD information assurance and information assurance-enabled devices and systems