• The engineers behind the CVE and NVD initiatives have also created the Open Vulnerability Assessment Language. OVAL standardizes vulnerability queries in a three-step XML-based process that eliminates the time-consuming and mistake-laden need for network administrators to interpret a panoply of text-based information from various vendors, public agencies, and consultants.
• Legislative and regulatory bodies have adopted stringent reporting standards around laws such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Standardizing network auditing around CVE standards represents a next step toward accepting universal nomenclature of network weaknesses.
• The international community has taken to the CVE nomenclature, which is decided upon by an editorial board of industry, research, and academic experts. Bob Martin, MITRE's CVE Compatibility Lead, says more than 300 products and services from 23 nations are CVE-compatible.
• CVE-compatible products have shown themselves to be cost-effective. Larry Pesce, manager of information systems security for Care New England, a Rhode Island-based healthcare network, says the use of a CVE-compatible penetration testing tool by vendor Core Security probably saves the organization the cost of one to two full-time employees a year. Billy Austin, chief security officer of Saint, a CVE-compatible vendor, says using such tools saves the typical security administrator 2.5 hours per vulnerability over doing manual searches.
• Common Weakness Enumeration (www.cve.mitre.org/cwe/about/index.html). CWE includes not only CVE information but also community-commissioned information intended to serve as a standard taxonomic base for measuring common classes of flaws and their mitigation tools.
• Common Malware Enumeration (http://cme.mitre.org). CME is still in its initial operational phase. It's intended to standardize virus nomenclature. As with pre-CVE vulnerabilities, different vendors often call the same virus by different names.