Vulnerability management is the process of identifying, locating, and rectifying security vulnerabilities in the software deployed across the enterprise. There are three main steps in this process:
The following terms are used throughout the HPCA vulnerability management solution:
Term | Definition |
---|---|
vulnerability | A weakness in a system, its configuration, or its software that an attacker can use to compromise the system's integrity or gain unauthorized access to its resources. |
exposure | Exposure can refer to a measurement of the various vulnerabilities in an environment. It can also refer to a configuration issue or piece of software that, while not a vulnerability in itself, provides information or capabilities an attacker can use as a stepping stone to attack or exploit a system. |
CVE | Common Vulnerabilities and Exposures. CVE is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities and exposures; scanners and vulnerability databases use the CVE Identifier as the common key for correlating data about the same issue. CVE was started in 1999. It is currently sponsored by the United States Department of Homeland Security and managed by the MITRE Corporation. For more information, see http://cve.mitre.org |
NVD | National Vulnerability Database. The NVD is the U.S. government repository of standards-based vulnerability management data. NVD entries are keyed by CVE Identifier and carry CVSS scores, so the data enables automation of vulnerability management, security measurement, and compliance. For more information, see http://nvd.nist.gov |
CVSS | Common Vulnerability Scoring System. CVSS is a standard severity scoring system for information security vulnerabilities. CVSS includes three groups of metrics: Base (intrinsic properties of the vulnerability), Temporal (properties that change over time, such as exploit availability and remediation status), and Environmental (properties specific to the affected organization's environment). For more information, see http://www.first.org/cvss |
OVAL | Open Vulnerability and Assessment Language. OVAL is the standard used to encode and transmit security information and system details. It is based on three XML schemas that represent the three steps of the vulnerability assessment process: the OVAL System Characteristics schema represents configuration information collected from a system, the OVAL Definition schema expresses a specific machine state (for example, the conditions under which a vulnerability is present), and the OVAL Results schema reports the outcome of the assessment. The purpose of CVE is to catalog publicly known vulnerabilities; the purpose of OVAL is to describe how to detect specific vulnerabilities on a system. Most OVAL definitions are based on a CVE, but some are not. HP Live Network transmits information in OVAL and CVE format to HPCA. For more information, see http://oval.mitre.org/ |
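The OVAL entry above describes the Definition schema in the abstract. The following is an added example (it is not HPCA, HP Live Network, or MITRE code) that parses a small definitions document and evaluates a definition's criteria tree against per-test results, which is the "expressing a specific machine state" step. The XML is a constructed sample laid out like an OVAL 5.x definitions file: the `oval:example.local:*` ids, the criteria, and the comments are made up, and they are not the real OVAL definition for the CVE the sample references. The `<tests>`, `<objects>` and `<states>` sections are omitted, so test outcomes are supplied as a dict standing in for what an OVAL interpreter would derive from collected System Characteristics.

```python
"""Parse an OVAL 5.x definitions document and evaluate its criteria (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "oval": "http://oval.mitre.org/XMLSchema/oval-common-5",
}

# Constructed sample: structure follows the OVAL Definition schema; content is illustrative.
SAMPLE_OVAL = """
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator>
    <oval:product_name>constructed sample</oval:product_name>
    <oval:schema_version>5.3</oval:schema_version>
    <oval:timestamp>2008-11-01T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:example.local:def:1" version="1" class="vulnerability">
      <metadata>
        <title>Illustrative: unpatched Server service (constructed)</title>
        <affected family="windows"><platform>Microsoft Windows XP</platform></affected>
        <reference source="CVE" ref_id="CVE-2008-4250"
                   ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250"/>
        <description>Constructed criteria; not the real definition for this CVE.</description>
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:example.local:tst:1" comment="Windows XP is installed"/>
        <criteria operator="OR">
          <criterion test_ref="oval:example.local:tst:2" comment="vulnerable DLL version present"/>
          <criterion test_ref="oval:example.local:tst:3" negate="true" comment="fixing hotfix installed"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""


def local_name(element):
    """Strip the namespace from an element tag: '{ns}criterion' -> 'criterion'."""
    return element.tag.rsplit("}", 1)[-1]


def load_definitions(xml_text):
    """Return one dict per <definition>: id, class, title, CVE ids and the criteria element."""
    root = ET.fromstring(xml_text)
    definitions = []
    for definition in root.findall("def:definitions/def:definition", NS):
        metadata = definition.find("def:metadata", NS)
        cves = [ref.get("ref_id") for ref in metadata.findall("def:reference", NS)
                if ref.get("source") == "CVE"]
        definitions.append({
            "id": definition.get("id"),
            "class": definition.get("class"),
            "title": metadata.findtext("def:title", default="", namespaces=NS),
            "cves": cves,
            "criteria": definition.find("def:criteria", NS),
        })
    return definitions


def referenced_tests(criteria):
    """Every test id the criteria tree depends on, i.e. what the scanner must evaluate."""
    return sorted({c.get("test_ref") for c in criteria.iter() if local_name(c) == "criterion"})


def evaluate(node, test_results):
    """Evaluate a <criteria>/<criterion> tree against {test_id: bool}.

    Honors the operator (AND, OR, ONE, XOR) and negate attributes of the OVAL
    Definition schema. A missing test result raises instead of silently
    counting as "not vulnerable"; extend_definition is not supported here.
    """
    kind = local_name(node)
    if kind == "criterion":
        test_id = node.get("test_ref")
        if test_id not in test_results:
            raise KeyError("no result for test %s" % test_id)
        value = test_results[test_id]
    elif kind == "criteria":
        children = [evaluate(child, test_results) for child in node]
        operator = node.get("operator", "AND")
        if operator == "AND":
            value = all(children)
        elif operator == "OR":
            value = any(children)
        elif operator == "ONE":
            value = sum(children) == 1
        elif operator == "XOR":
            value = sum(children) % 2 == 1
        else:
            raise ValueError("unsupported operator %r" % operator)
    else:
        raise ValueError("unsupported element <%s> in criteria" % kind)
    negate = node.get("negate", "false").lower() in ("true", "1")
    return (not value) if negate else value


def assess(xml_text, test_results):
    """Map each definition id to whether its criteria hold on the scanned system."""
    return {d["id"]: evaluate(d["criteria"], test_results) for d in load_definitions(xml_text)}
```

The `negate="true"` criterion is the part worth studying: the definition reads "XP is installed AND (vulnerable DLL present OR hotfix NOT installed)", so a host with the hotfix and a current DLL evaluates to false, while a host missing either evaluates to true and would be reported under the referenced CVE. Raising on a missing test result, rather than defaulting it, avoids the classic scanner failure where an uncollectable item quietly turns into a clean report.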