SECURITY TOOLS - DEFENCE & MANAGEMENT
- Intigriti bug bounty - EU sponsored, e.g. addressing:
  - LibreOffice office suite
  - Mastodon open-source social network server based on ActivityPub
  - Odoo ERP business management solution with an eCommerce and CRM system built in
  - CryptPad is a secure and encrypted open-source collaboration platform
  - LEOS is a software tool helping those involved in drafting legislation, which is usually a complex process requiring efficient online collaboration
- CVE search service from CIRCL.lu - based on cve-search
- Lynis - security auditing for Linux/Unix systems
- Checkov - static analysis of infrastructure as code (cloud)
CVE, CVSS, CWE, CPE, CCE, SCAP
- Vulnerabilities - CVE - Common Vulnerabilities and Exposures
- Vulnerability Scoring - CVSS - Common Vulnerability Scoring System
- Weaknesses - CWE - Common Weakness Enumeration
- Platforms - CPE - Common Platform Enumeration
- Configurations - CCE - Common Configuration Enumeration
- Automation - SCAP - Security Content Automation Protocol
CVE provides a reference-method for publicly known information-security vulnerabilities and exposures.
The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE's system as well as in the US National Vulnerability Database.
There is one CVE Record for each vulnerability on the CVE List. Vulnerabilities are first discovered, then reported to the CVE Program. The reporter requests a CVE ID, which is then reserved for the reported vulnerability. Once the reported vulnerability is confirmed by the identification of the minimum required data elements for a CVE Record, the record is published to the CVE List. CVE Records are published by CVE Program partners from around the world.
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk.
CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities. It consists of three metric groups:
- Base, representing the intrinsic qualities of a vulnerability that are constant over time and across user environments,
- Temporal, representing the characteristics of a vulnerability that change over time,
- Environmental, representing the characteristics of a vulnerability that are unique to a user's environment.
The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics.
CWE is a community-developed list of software and hardware weakness types. CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.
CPE is a structured naming scheme for ICT systems, software, and packages. Based upon the syntax for URIs, CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
SCAP allows, among other things, the creation of a 'SCAP Security Guide (SSG)', an umbrella term for a security policy written in the form of SCAP documents. 'SCAP content' typically refers to documents in the XCCDF, OVAL and Source DataStream formats.