Title :
Managing vulnerabilities in your commercial-off-the-shelf (COTS) systems using an industry standards effort
Author :
Martin, Robert A.
Author_Institution :
Mitre Corp., Bedford, MA, USA
Abstract :
Organizations around the world, in every type of industry and market, are moving towards networks that are based on the Internet protocols. In addition, third-party commercial and open source software has become a critical element to these organizations and the infrastructure of networks, utilities, and services they rely upon to function. That means the software problems in these commercial-off-the-shelf (COTS) software products can quickly cause significant difficulties for any organization. When such software problems have security implications, they are referred to as "vulnerabilities." This paper discusses the ways of finding out about the vulnerabilities that exist in the COTS and open source software products used by an organization, or by the infrastructures that the organization is dependent upon. CVE, the common vulnerabilities and exposures initiative [cve.mitre.org], is a new international, community-based effort from industry, government, and academia that is working to create an organizing mechanism to make finding and fixing these COTS and open source software product vulnerabilities more rapid and efficient.
Keywords :
Internet; data privacy; risk management; security of data; software packages; software reliability; software standards; COTS software product problems; CVE; Internet protocol networks; commercial-off-the-shelf software product vulnerability management; common vulnerabilities/exposures initiative; industry standards; industry/government/academia organizing mechanisms; networks/utilities/services infrastructure; open source software; risk management; software security problems; third-party commercial software; vulnerability finding/fixing; Business; Computer errors; Data security; Government; Internet; Military computing; Open source software; Power system security; Risk management; Standards organizations
Conference_Title :
Digital Avionics Systems Conference, 2002. Proceedings. The 21st
Print_ISBN :
0-7803-7367-7
DOI :
10.1109/DASC.2002.1067959