Vulnerability Management

Vulnerability management is the process of identifying, locating, and rectifying software security and vulnerability issues in the enterprise. There are three main steps in this process:

  1. Obtain updated vulnerability definitions and scanner.
  2. Scan the managed devices in the enterprise for the presence of vulnerabilities.
  3. Report the vulnerability assessment of the devices scanned, including summary information for the enterprise as a whole.

The following terms are used throughout the HPCA vulnerability management solution:

Vulnerability Management Terms

vulnerability
    A weakness in a system, its configuration, or its software that allows an individual to compromise the system’s integrity in order to gain unauthorized access to its resources.

exposure
    Either a measurement of the various vulnerabilities present in an environment, or a piece of software that provides information or capabilities an attacker might use to attack or exploit a system.

CVE (Common Vulnerabilities and Exposures)
    A dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities and exposures. The CVE was started in 1999. It is currently sponsored by the United States Department of Homeland Security and managed by the MITRE Corporation. For more information, see http://cve.mitre.org

NVD (National Vulnerability Database)
    The U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance. For more information, see http://nvd.nist.gov

CVSS (Common Vulnerability Scoring System)
    A standard severity scoring system for information security vulnerabilities. CVSS includes three groups of metrics: Base, Temporal, and Environmental. For more information, see http://www.first.org/cvss

OVAL (Open Vulnerability and Assessment Language)
    The standard used to encode and transmit security information and system details. It is based on three XML schemas that correspond to the three steps of the vulnerability assessment process: representing system configuration, expressing a specific machine state, and reporting the results of the assessment. Whereas the CVE catalogs known vulnerabilities, OVAL describes how to identify a specific vulnerability on a system. Most OVAL definitions are based on a CVE, but some are not. HP Live Network transmits information to HPCA in OVAL and CVE format. For more information, see http://oval.mitre.org/


© 2003 - 2012 Hewlett-Packard Development Company, L.P.