SECURITY TOOLS - DEFENCE & MANAGEMENT
OpenSource
- Intigriti bug bounty - EU sponsored, e.g. addressing:
- LibreOffice office suite
- Mastodon open-source social network server based on ActivityPub
- Odoo ERP business management solution with an eCommerce and CRM system built in
- Cryptpad is a secure and encrypted open-source collaboration platform
- LEOS is a software tool helping those involved in drafting legislation, which is usually a complex process requiring efficient online collaboration
- cve-search
- CVE search service from CIRCL.lu - based on cve-search
- OpenScap.org
- Lynis - Linux
- Checkov - infrastructure as code - cloud
US
General
CVE, CVSS, CWE, CPE, CCE, SCAP
Covers:
- Vulnerabilities - CVE - Common Vulnerabilities and Exposures
- Vulnerability Scoring - CVSS - Common Vulnerability Scoring System
- Weaknesses - CWE - Common Weakness Enumeration
- Platforms - CPE - Common Platform Enumeration
- Configurations - CCE - Common Configuration Enumeration
- Automation - SCAP - Security Content Automation Protocol
CVE
Basics
CVE provides a reference method for publicly known information-security vulnerabilities and exposures.
The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE's system as well as in the US National Vulnerability Database.
There is one CVE Record for each vulnerability on the CVE List. Vulnerabilities are first discovered, then reported to the CVE Program. The reporter requests a CVE ID, which is then reserved for the reported vulnerability. Once the reported vulnerability is confirmed by the identification of the minimum required data elements for a CVE Record, the record is published to the CVE List. CVE Records are published by CVE Program partners from around the world.
Official websites
Tools
CVSS
Basics
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk.
CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities. It consists of three metric groups:
- Base, representing the intrinsic qualities of a vulnerability that are constant over time and across user environments,
- Temporal, representing the characteristics of a vulnerability that change over time,
- Environmental, representing the characteristics of a vulnerability that are unique to a user's environment.
The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics.
Official websites
CWE
A community-developed list of software and hardware weakness types. CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.
CPE
A structured naming scheme for ICT systems, software, and packages. Based upon the syntax for URIs, CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
CCE
SCAP
SCAP allows, among other things, the creation of a 'SCAP Security Guide (SSG)', an umbrella term for a security policy written in the form of SCAP documents. 'SCAP content' typically refers to documents in the XCCDF, OVAL and Source DataStream formats.