Security automation is a hot topic these days. Most organizations have many systems to patch and configure securely, with numerous versions of software and features enabled. Many security administrators are seeking ways to leverage standards and available tools to reduce the complexity and time necessary to respond to security advisories, assess their devices, and ensure compliance so they can allocate resources to focus on other areas of their network and security infrastructure.
Cisco is committed to protect customers by sharing critical security-related information in different formats.
Starting today, September 26, 2012, Cisco’s Product Security Incident Response Team (PSIRT) is including Open Vulnerability and Assessment Language (OVAL) definitions in Cisco IOS security advisories. Read More »
Tags: cvrf, ios bundle, OVAL, psirt, security, security advisories
This post is a continuation of The Missing Manual: CVRF 1.1 Part 1 of 2.
Praxis: Converting an existing document to CVRF
Now it’s time for some XML! Let’s take what you’ve learned and manually convert the Cisco RVS4000 and WRVS4400N Web Management Interface Vulnerabilities security advisory into a CVRF document. Please note that this process is meant to be instructive and somewhat of a stream-of-consciousness-narrative of how to manually build your first CVRF document. It is expected that, by and large, this process would itself be automated and CVRF document producers would have in-house code to parse their own documents and emit CVRF.
Read More »
Tags: automation, cvrf, intelligent automation, security, security advisories
In this post you will learn about some of the design decisions behind the 1.1 release of the Common Vulnerability Reporting Framework (CVRF). Particular attention is paid to explaining some of the required elements and the Product Tree. After those tasty tidbits, we will convert a recent Cisco security advisory into a well-formed and valid CVRF document. To close, you are treated to some of the items on the docket for future versions of CVRF. It bears mentioning that this paper is not meant to be an exhaustive explanation of the CVRF schemata. It is a rather capricious, if somewhat disorganized look at some outliers that aren’t fully explained elsewhere. It is assumed the reader has a working knowledge of the Common Vulnerability Reporting Framework and of XML.
Tags: cvrf, security, security automation