Common Platform Enumeration (CPE) - Specification

Following security best practices is essential to maintaining the security of IT systems. To this end, several specification languages exist for describing vulnerabilities, testing system state, and expressing security checklists. But descriptions of vulnerabilities and configuration best practices have greater utility when all participants share common names for the entities described. Further, use of consistent and meaningful names can speed application development, foster interoperability, improve correlation of test results, and ease gathering of metrics.

All vulnerability and configuration information items have an important distinction that affects their use: they apply only to a particular range of IT systems, platforms, or applications. This is so obvious that IT managers and security administrators sometimes forget how critical it can be. When a new vulnerability is announced, the first question most practitioners will ask is: "which systems are vulnerable?" In prose vulnerability descriptions, informal or colloquial names for IT platforms are adequate. Experienced system administrators and security analysts can understand and use ad hoc names.

There is a strong trend toward automation in security practice. Automated systems cannot work with informal or ad hoc names. To foster effective automation, the community needs a more formal, consistent, and uniform naming scheme that allows tools (as well as human analysts and authors) to clearly identify the IT platforms to which a vulnerability or element of guidance applies.

Today, a popular and widespread naming scheme exists for vulnerabilities: the Common Vulnerabilities and Exposures (CVE) naming scheme is widely used for identifying and describing IT platform vulnerabilities. A somewhat similar scheme also exists for IT platform configuration statements: the Common Configuration Enumeration (CCE).

This specification describes a structured naming scheme for IT platforms (hardware, operating systems, and applications): the Common Platform Enumeration (CPE). It is based on the generic syntax for Uniform Resource Identifiers [2]. The CPE Specification includes the naming syntax and conventions for constructing CPE Names from product information, a dictionary (and associated XML Schema) that holds a collection of all known CPE Names together with a binding of descriptive and diagnostic information, a language for creating complex platform descriptions, and a matching algorithm.

For the up-to-date CPE Dictionary, and for the complete list of abbreviations and formatted names to be used, please visit the CPE web site at:

Using a clear and uniform naming specification, community members will be able to generate names for new IT platforms in a consistent …
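As an added illustration of the naming syntax and matching algorithm the paragraph above lists (this is example code written for this page, not code from the CPE Specification or from any NIST or MITRE tool), the following Python parses names in the URI binding, cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}, and applies the CPE 2.2-style matching rule: a candidate name matches a known name when every component of the candidate is either unspecified or equal to the known name's component. The component order, the permitted character set (URI unreserved characters plus %XX escapes), the requirement that the part component be present, and the exact matching semantics are assumptions drawn from the CPE 2.2 layout rather than from this excerpt; the three "known" names are constructed sample data.

```python
"""Minimal parser and matcher for the CPE 2.2 URI binding.

Added example, not code from the CPE specification or any NIST/MITRE tool.
Component order, character rules and the matching rule are assumptions taken
from the CPE 2.2 layout; check them against the specification text.
"""
import re
from typing import Iterable, Optional, Tuple
from urllib.parse import quote, unquote

# Component order after the "cpe:/" prefix in the URI binding (assumed).
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
VALID_PARTS = {"h", "o", "a"}  # hardware, operating system, application

# A raw component may contain URI unreserved characters or %XX escapes only.
_RAW_COMPONENT = re.compile(r"^(?:[A-Za-z0-9._~-]|%[0-9A-Fa-f]{2})+$")

CPEName = Tuple[Optional[str], ...]  # 7 entries; None means "unspecified"


def parse_cpe(uri: str) -> CPEName:
    """Parse a CPE 2.2 URI such as cpe:/o:microsoft:windows_xp::sp2:pro.

    Returns a 7-tuple in COMPONENTS order. Empty or omitted trailing components
    become None; values are percent-decoded and lower-cased so that comparison
    is case-insensitive. Raises ValueError on malformed input.
    """
    prefix = "cpe:/"
    if not uri.lower().startswith(prefix):
        raise ValueError(f"not a CPE URI: {uri!r}")
    fields = uri[len(prefix):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError(f"too many components ({len(fields)}): {uri!r}")
    fields += [""] * (len(COMPONENTS) - len(fields))

    parsed = []
    for name, raw in zip(COMPONENTS, fields):
        if raw == "":
            parsed.append(None)
            continue
        if not _RAW_COMPONENT.match(raw):
            raise ValueError(f"illegal characters in {name} component: {raw!r}")
        parsed.append(unquote(raw).lower())

    # This example insists on a part component; a name without one is useless.
    if parsed[0] is None:
        raise ValueError(f"part component is required: {uri!r}")
    if parsed[0] not in VALID_PARTS:
        raise ValueError(f"part must be one of {sorted(VALID_PARTS)}: {uri!r}")
    return tuple(parsed)


def cpe_matches(candidate: CPEName, known: CPEName) -> bool:
    """Candidate X matches known name K when every component of X is either
    unspecified (None) or equal to the corresponding component of K.
    The relation is one-way: an unspecified component in K does not match
    a specified one in X."""
    return all(x is None or x == k for x, k in zip(candidate, known))


def cpe_name_match(known_names: Iterable[CPEName], candidate: CPEName) -> bool:
    """CPE_Name_Match-style check: does the candidate match any known name?"""
    return any(cpe_matches(candidate, k) for k in known_names)


def to_uri(name: CPEName) -> str:
    """Re-serialise a parsed name, percent-encoding reserved characters and
    dropping trailing unspecified components."""
    parts = ["" if c is None else quote(c, safe="") for c in name]
    while parts and parts[-1] == "":
        parts.pop()
    return "cpe:/" + ":".join(parts)


# Constructed sample "dictionary" of known names (illustrative values only).
KNOWN_NAMES = [parse_cpe(s) for s in (
    "cpe:/o:microsoft:windows_xp::sp2:pro",
    "cpe:/a:adobe:reader:8.1",
    "cpe:/h:cisco:pix:515",
)]

if __name__ == "__main__":
    for query in ("cpe:/a:adobe:reader", "cpe:/a:adobe:reader:9.0",
                  "cpe:/o:microsoft:windows_xp:::pro"):
        print(query, "->", cpe_name_match(KNOWN_NAMES, parse_cpe(query)))
```

The practical point is the asymmetry of the match: a vulnerability applicability statement written with few components (cpe:/a:adobe:reader) matches every more specific inventory entry for that product, while an inventory entry with fewer components than the statement does not match it. Tools that correlate advisories against asset inventories get false negatives when the inventory side is the less specific one, so names in the dictionary should carry as many components as are actually known.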