A Collection of Information Security Community Standardization Activities and Initiatives
   

The MITRE Corporation

Information Security Data Standards

 

Enumerations


Note:

This living document is provided as a service to the community and will be updated and modified over time. Inclusion herein is for informational purposes only and does not represent an endorsement by the MITRE Corporation or its sponsors. Security remains the responsibility of the user.


Common Vulnerabilities and Exposures (CVE®) - http://cve.mitre.org
International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

Common Configuration Enumeration (CCE™) - http://cce.mitre.org
CCE provides unique identifiers to system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.

Common Malware Enumeration (CME™) - http://cme.mitre.org
CME provides single, common identifiers for new virus threats to reduce public confusion during malware outbreaks. CME is not an attempt to replace the vendor names currently used for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware.

Common Platform Enumeration (CPE™) - http://cpe.mitre.org
CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a structured name format, a method for checking names against a system, and a description format for binding text and tests to a name.

Common Weakness Enumeration (CWE™) - http://cwe.mitre.org
Targeted to developers and security practitioners, CWE is a formal list or dictionary of common software weaknesses created to serve as a common language for describing software security weaknesses in architecture, design, or code; to serve as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts.

Common Attack Pattern Enumeration and Classification (CAPEC™) - http://capec.mitre.org
CAPEC is a catalog of attack patterns along with a comprehensive schema and classification taxonomy focused on enhancing security throughout the software development lifecycle and on supporting the needs of developers, testers, and educators. By providing a standard mechanism for identifying, collecting, refining, and sharing attack patterns among the software community, CAPEC provides for a more complete and thorough review of the strength of our systems from the point of view of attackers.

 

Languages

Open Vulnerability and Assessment Language (OVAL®) - http://oval.mitre.org
OVAL is an international, information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language.

Common Result Format (CRF™) - http://crf.mitre.org
CRF is a standardized IT asset assessment result format that facilitates the exchange of assessment results among systems to increase tool interoperability and allow for the aggregation of those results across large enterprises that utilize diverse technologies to detect patch levels, policy compliance, vulnerability, asset inventory, and other tasks. CRF leverages existing standardization efforts for common names and naming schemes to report the findings for assets.

Common Event Expression (CEE™) - http://cee.mitre.org
CEE standardizes the way computer events are described, logged, and exchanged. By using CEE’s common language and syntax, enterprise-wide log management, correlation, aggregation, auditing, and incident handling can be performed more efficiently and produce better results than was possible prior to CEE.

OVAL Interpreter - http://sourceforge.net/projects/ovaldi/
The OVAL Interpreter is a freely available reference implementation for the OVAL Language created to show how information can be collected from a computer for testing, to evaluate and carry out the OVAL Definitions for that platform, and to report the results of the tests. It is not a fully functional scanning tool and has a simplistic user interface, but running the Interpreter will provide a list of OVAL-IDs and their references (e.g., CVE Identifiers) determined by OVAL to be present on the system.

Benchmark Editor™ - http://benchmarkeditor.mitre.org
Free for public download and use, Benchmark Editor is a Java-based tool that enhances and simplifies the creation and editing of benchmark documents written in standard languages such as XCCDF and OVAL.

Note: CVE, CWE, CAPEC, and OVAL are sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

Other Efforts


Other Enumerations

Default Password Enumeration (DPE) - http://www.security-database.com/toolswatch/+DPE-Default-Passwords-Enumeration+.html
Created by Security-Database, DPE is "a naming scheme that provides structured enumeration of default logons and passwords of network devices, applications, and operating systems." The main goal of DPE is to "increase the "password auditing scanners" interoperability potential. Any kind of tool integrating the XML DPE scheme will be able to identify and report default access configurations on specific devices, software or operating systems. Taking into account the benefits of SecurityMetrics standards principles, DPE integrates [MITRE’s Common Platform Enumeration (CPE™)] naming scheme to describe information technology systems, platforms and packages."

OWASP Top Ten - http://www.owasp.org/index.php/Top_10_2007
The Open Web Application Security Project (OWASP) Top Ten is an international consensus list of the ten most critical Web application security flaws. According to the OWASP Web site: "Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code." The list uses CVE Identifiers to uniquely identify the vulnerabilities it describes.

SANS Top Twenty - http://www.sans.org/top20/
The SANS Top Twenty is a SANS/FBI consensus list of the Twenty Most Critical Internet Security Vulnerabilities, which "enables cyber security professionals to tune their defensive systems to reflect the most important new vulnerabilities that attackers are exploiting to take over computers and steal sensitive or valuable information." The list includes CVE Identifiers to uniquely identify the vulnerabilities it describes.

WASC Web Security Threat Classification - http://www.webappsec.org/projects/threat/
The Web Application Security Consortium’s (WASC) Threat Classification is "a cooperative effort to clarify and organize the threats to the security of a Web site." The members of the WASC have created this project to "develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for Web security related issues."

Other Languages

Common Announcement Interchange Format (CAIF) - http://www.caif.info
CAIF is an XML-based format created by RUS-CERT at the University of Stuttgart, Germany, to store and exchange security announcements in a normalized way. It provides a basic but comprehensive set of elements designed to describe the main aspects of an issue related to security. The set of elements can easily be extended to reflect temporary, exotic, or new requirements in a per-document manner. CAIF documents are able to incorporate OVAL Definitions.

Common Vulnerability Scoring System (CVSS) - http://www.first.org/cvss/
Commissioned by the U.S. National Infrastructure Advisory Council (NIAC) in support of the global Vulnerability Disclosure Framework and currently maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS is a "vendor agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response. It solves the problem of multiple, incompatible scoring systems and is usable and understandable by anyone."

DMTF’s Common Information Model (CIM) - http://www.dmtf.org/standards/cim/
DMTF’s Common Information Model (CIM) "is a common data model of an implementation-neutral schema for describing overall management information in a network/enterprise environment."

DMTF’s Web-Based Enterprise Management (WBEM) - http://www.dmtf.org/standards/wbem/
DMTF’s Web-Based Enterprise Management (WBEM) "is a set of management and Internet standard technologies developed to unify the management of enterprise computing environments."

DMTF’s Web Services for Management (WS-Management) - http://www.dmtf.org/standards/wsman/
DMTF’s Web Services for Management (WS-Management) specification "promotes interoperability between management applications and managed resources by identifying a core set of Web service specifications and usage requirements to expose a common set of operations that are central to all systems management."

DMTF’s Systems Management Architecture for Server Hardware (SMASH) - http://www.dmtf.org/standards/smash/
"DMTF’s Systems Management Architecture for Server Hardware (SMASH) initiative is a suite of specifications that deliver architectural semantics, industry standard protocols and profiles to unify the management of the data center."

Extensible Configuration Checklist Description Format (XCCDF) - http://nvd.nist.gov/xccdf.cfm
XCCDF was created by the U.S. National Security Agency (NSA) and National Institute of Standards and Technology (NIST) to be a specification language for providing a "uniform foundation for expression of security checklists, benchmarks, and other configuration guidance [to] foster more widespread application of good security practices." The default configuration checking technology for XCCDF is OVAL.

Incident Object Description and Exchange Format (IODEF) - http://xml.coverpages.org/iodef.html
IODEF is a specification format being developed by the Internet Engineering Task Force (IETF) Extended Incident Handling Working Group for Computer Security Incident Response Teams (CSIRTs) to exchange operational and statistical incident information among themselves, their constituency, and their collaborators. IODEF can be used to provide a single data schema that can represent information from a variety of subordinate teams or CSIRTs; a common incident data format that facilitates collaboration among affected members of the security community (e.g., users, vendors, response teams, law enforcement); and it can simplify the building of an incident correlation and statistics system that processes incident reports from different CSIRTs.

Intrusion Detection Message Exchange Format (IDMEF) - http://xml.coverpages.org/idmef.html
IDMEF is a specification being developed by the Intrusion Detection Working Group, chartered by the Internet Engineering Task Force (IETF), which defines data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. Data exchanges are done using XML. The data formats are specified using an XML DTD.

Microsoft’s Dynamic Systems Initiative (DSI) - http://www.microsoft.com/windowsserversystem/dsi/default.mspx
"The Dynamic Systems Initiative (DSI) is a commitment from Microsoft and its partners to deliver "self-managing dynamic systems" to help IT teams capture and use knowledge to design more manageable systems and automate ongoing operations, resulting in reduced costs and more time to proactively focus on what is most important to the organization."

Microsoft’s System Definition Model (SDM) - http://www.microsoft.com/windowsserversystem/dsi/sdm.mspx
System Definition Model (SDM) is a unifying thread enabling integrated innovation from Microsoft and its partners across application development tools, operating systems, applications, hardware, and management tools. SDM is a model that is used to create definitions of distributed systems. The SDM "blueprint can be created and manipulated with various software tools and is used to define system elements and capture data pertinent to development, deployment, and operations so that the data becomes relevant across the entire IT life cycle."

OMG Semantics of Business Vocabulary and Business Rules (SBVR) - http://www.omg.org/cgi-bin/doc?dtc/2006-08-05
Object Management Group’s (OMG) SBVR specification "defines the vocabulary and rules for documenting the semantics of business vocabulary, business facts, and business rules; as well as an XMI schema for the interchange of business vocabularies and business rules among organizations and between software tools."

Security Description and Exchange Format (SecDEF) Initiative
The UK Security Description and Exchange Format (SecDEF) initiative was "a federated effort to encourage the crystallisation of various XML-based description and exchange formats to support information exchange requirements related to security information where there is a need to cross management domains."

This work is now being consolidated with other efforts by the Central Sponsor for Information Assurance (CSIA), including the forthcoming revision of the UK e-Government IA framework, which sets out a method to assure the availability, integrity, and confidentiality of e-Government services.

Other Repositories

Build-Security-In - http://buildsecurityin.us-cert.gov
Build Security In (BSI) is a project of the Software Assurance (SwA) Strategic Initiatives (SI) National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security (DHS). "BSI content is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software development life cycle. BSI contains and links to a broad range of information about best practices, tools, guidelines, rules, principles, and other knowledge to help organizations build secure and reliable software."

Center for Internet Security (CIS) Benchmarks - http://www.cisecurity.org
The CIS Benchmarks are "consensus best practice standards for security configuration and are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as GLB, SOx, HIPAA, FERPA and other regulatory requirements for information security. For the first time ever, a large group of user organizations, information security professionals, auditors and software vendors have defined consensus technical control specifications that represent a prudent level of due care and best-practice security configurations for computers connected to the Internet."

CERIAS/Purdue University’s Cassandra - https://cassandra.cerias.purdue.edu/main/index.html
CERIAS/Purdue University’s free Cassandra tool monitors changes and updates to the U.S. National Vulnerability Database (formerly ICAT) and the Secunia vulnerability databases. Cassandra saves lists of products, vendors, and keywords from these sources into "profiles" and emails any updates to subscribers. Users can create as many profiles as they want for networks, typical installs, important hosts, or any other areas of interest. CVE Change Logs, another free CERIAS tool, monitors changes to the CVE List.

CERT Secure Coding Standards - https://www.securecoding.cert.org/
This web site exists to support the development of secure coding standards for commonly used programming languages such as C and C++. These standards are being developed through a broad-based community effort including the CERT Secure Coding Initiative and members of the software development and software security communities.

DISA Security Technical Implementation Guides (STIGs) - http://iase.disa.mil/stigs/index.html
The U.S. Department of Defense’s (DOD) Defense Information Systems Agency’s (DISA) Security Technical Implementation Guides (STIGs) are configuration standards for DOD information assurance and information assurance-enabled devices and systems.

National Vulnerability Database (NVD) - http://nvd.nist.gov/nvd.cfm
The U.S. National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) "is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard." NVD also includes OVAL-IDs as references and is searchable by CVE-ID and OVAL-ID.

NIST Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP) - http://nvd.nist.gov/scap.cfm
ISAP is a U.S. government multi-agency initiative led by NIST to enable automation and standardization of technical security operations. SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). NVD is the U.S. government content repository for ISAP and SCAP.

NIST Security Configuration Checklists - http://checklists.nist.gov
The U.S. National Institute of Standards and Technology (NIST) Security Configuration Checklists Program for IT Products provides checklists of settings and option selections that minimize the security risks associated with computer hardware and software systems used within the federal government. "Such checklists, when combined with well-developed guidance, leveraged with high-quality security expertise, vendor product knowledge, operational experience, and accompanied with tools, can markedly reduce the vulnerability exposure of an organization."

ISO/IEC 24772, Guidance for Avoiding Vulnerabilities through Language Selection and Use - http://aitc.aitcnet.org/isai/
All programming languages have constructs that are undefined, imperfectly defined, implementation-dependent, or difficult to use correctly. As a result, software programs can execute differently than intended by the writer. In some cases, these vulnerabilities can be exploited by an attacker to compromise the safety, security, and privacy of a system. The international standards project to write ISO/IEC 24772 (sometimes called OWGV) is preparing comparative guidance spanning multiple programming languages, so that application developers will be better able to avoid the programming errors that lead to vulnerabilities in these languages and their attendant consequences. This guidance can also be used by developers to select source code evaluation tools that can discover and eliminate coding errors that lead to vulnerabilities. The ISO/IEC Technical Report is tentatively scheduled for publication in January 2009.

US-CERT Vulnerability Notes, Technical Alerts, and Security Bulletins - http://www.us-cert.gov
US-CERT publishes information on a wide variety of vulnerabilities, descriptions of which are available from the US-CERT Web site in a searchable database format, and are published as "US-CERT Vulnerability Notes" at http://www.kb.cert.org/vuls/. US-CERT also publishes "Technical Cyber Security Alerts" at http://www.us-cert.gov/cas/techalerts/ that provide timely information about current security issues, vulnerabilities, and exploits, and "Cyber Security Bulletins" at http://www.us-cert.gov/cas/bulletins/ that provide weekly summaries of new vulnerabilities along with patch information when available.

Other Organizations Supporting Standardization

Anti-Spyware Coalition - http://www.antispywarecoalition.org
ASC is "dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies. Composed of anti-spyware software companies, academics, and consumer groups, ASC seeks to bring together a diverse array of perspectives on the problem of controlling spyware and other potentially unwanted technologies."

NIST FISMA Standards Efforts - http://csrc.nist.gov/sec-cert/
The Federal Information Security Management Act (FISMA) Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents, although not called out directly in the FISMA legislation, are being developed in support of the project. These publications include NIST Special Publications 800-37, 800-53, and 800-53A. The U.S. National Institute of Standards and Technology (NIST) Computer Security Division continues to produce other security standards and guidelines in support of FISMA, available at http://csrc.nist.gov/publications/nistpubs/.

NIST Software Assurance Metrics and Tool Evaluation (SAMATE) Project - https://samate.nist.gov/
The U.S. National Institute of Standards and Technology’s (NIST) SAMATE project supports the Department of Homeland Security’s Software Assurance Tools and R&D Requirements Identification Program. The objective is the identification, enhancement, and development of software assurance tools that ensure that software processes and products conform to requirements, standards, and procedures. "NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods."

US Air Force Enterprise Agreement with Microsoft - http://www.gcn.com/print/24_1/31468-1.html
The U.S. Air Force in January 2005 entered into two service-wide contracts with Microsoft Corporation under which all software on Air Force desktop computers is configured to one of three security setting configurations that meet Air Force requirements. Microsoft is responsible for identifying vulnerabilities and implementing fixes across the enterprise.

UK Central Sponsor for Information Assurance (CSIA) - http://www.csia.gov.uk
CSIA is a unit of the UK Government’s Cabinet Office and works with partners in the public and private sectors, as well as its international counterparts, to help safeguard the nation’s IT and telecommunications services. It provides a central focus for information assurance (IA) in promoting the understanding that it is essential for government and business alike to maintain reliable, secure and resilient national information systems.

UK Centre for Protection of National Infrastructure (CPNI) - http://www.cpni.gov.uk
The role of CPNI (formerly NISCC) is to reduce the vulnerability of the national infrastructure to terrorism and other threats, keeping the UK’s essential services (delivered by the communications, emergency services, energy, finance, food, government, health, transport and water sectors) safer. Without these services, the UK could suffer serious consequences, including severe economic damage, grave social disruption, or even large scale loss of life. CPNI advice is targeted primarily at the critical national infrastructure (CNI) — those key elements of the national infrastructure which are crucial to the continued delivery of essential services to the UK.

UK CESG - http://www.cesg.gov.uk
CESG is the Information Assurance (IA) arm of GCHQ, based in Cheltenham, Gloucestershire, UK. CESG is the UK Government’s National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing to help its customers achieve their business aims.

Distributed Management Task Force (DMTF) - http://www.dmtf.org
The Distributed Management Task Force, Inc. (DMTF) is an international, industry "organization dedicated to the development of management standards and the promotion of interoperability for enterprise and Internet environments." DMTF standards "provide common management infrastructure components for instrumentation, control and communication in a platform-independent and technology neutral way."

Open Web Application Security Project (OWASP) - http://www.owasp.org
Open Web Application Security Project (OWASP) is an open community effort dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP "advocates approaching application security as a people, process, and technology problem because the most effective approaches to application security includes improvements in all of these areas." Similar to other open-source software projects, OWASP produces many types of materials in a collaborative, open way and all of its tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

TERENA Computer Security Incident Response Teams Task Force (TF-CSIRT) - http://www.terena.nl/activities/tf-csirt/
The Trans-European Research and Education Networking Association (TERENA) is an association of organisations that are involved with "the provision and use of computer network infrastructure and services for research and education in Europe. TERENA’s principal members are the National Research and Education Networking organisations (NRENs) of a large number of countries in and around Europe." TERENA’s TF-CSIRT Task Force "promotes the collaboration between Computer Security Incident Response Teams (CSIRTs) in Europe. The main goals of the Task Force are to provide a forum for exchanging experiences and knowledge, establish pilot services for the European CSIRTs community, promote common standards and procedures for responding to security incidents, and assist the establishment of new CSIRTs and the training of CSIRTs staff."