Cloud & Telecom Security

Oct.18 2009(Beijing time), China CCTV news reported the release of national vulnerability database of China.

Along with the upsoaring of the Internet applications, the vulnerability number is also in a sharp growth. So the update and automation of vulnerability information is becoming more and more critical for the whole information ssytems. Vulnerability Database is used to research, collect, release, automate the lifecycle of vulnerability management, which is regarded the core of the related activities. Although there have been a series of open source vulnerability database(e.g. OSVDB, etc.), commercial maintained vulnerailibity database(e.g. CERT CVE, Bugtraq, NSFocus VDB, etc.), it’s still regarded very essential to setup one authoritive database for the industry, particularly for government and research organizations. Read more…

5月30日，NIST（美国技术标准局）推出了一个用于对安全配置进行打分的草案，其全称是：NIST IR-7502 DRAFT The Common Configuration Scoring System (CCSS) 。

CCSS是用于对有关软件安全配置问题（Issue）的特征和影响提供的一个标准测量集合。CCSS可以帮助企业组织在解决安全问题时做出正确的决定，另外，它还可以提供数据以便对主机的安全状况进行量化的评估。从体系上看，CCSS借鉴了CVSS，但是针对软件的安全配置问题做了特别调整（CVSS专注于软件缺陷和漏洞）。我们知道，一个软件系统的安全性，不仅仅是软件本身的安全问题，很大程度上还决定于安装、配置和运行管理。

据报道，NIST还计划扩展CCSS，将环境度量也包含进来。点击下载原文。