Vendor Provided Validation Details - nCircle Network Security Inc.  IP360 v6.8

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of SCAP Implementation

nCircle IP360 implements the SCAP standard by implementing Common Vulnerability Enumeration (CVE), Common Platform Enumeration (CPE), and the Common Vulnerability Scoring System (CVSS). nCircle IP360 implements the CVE standard by assigning appropriate CVE identifiers to every detectable vulnerability for which such an identifier exists, and by giving users access to this identifier via vulnerability search. nCircle IP360 implements the CPE standard by assigning appropriate CPE identifiers to every detectable application for which such an identifier exists, and by providing a product-generated list of these applications. nCircle IP360 implements the CVSS standard by assigning a CVSS (Version 2) score to every detectable vulnerability for which such a score exists. For those vulnerabilities whose scores have not yet been officially calculated by NIST, nCircle calculates scores based on NIST guidelines. Whenever new scores are calculated by NIST, nCircle replaces its scores with the official NIST-calculated scores. In addition, CVSS Temporal Scores are calculated using NIST guidelines.

nCircle IP360 provides a set of features including Unauthenticated Vulnerability Scanner. The CVSS standard is implemented according to NIST guidelines.

Statement of CVE Implementation  

nCircle IP360 implements the CVE standard by assigning appropriate CVE identifiers to every detectable vulnerability for which such an identifier exists. IP360 provides user access to this implementation via the following mechanisms:

• IP360's Vulnerability Search feature supports advanced options that allow the vulnerability database to be searched using multiple criteria, including CVE identifiers. The Vulnerability Search is capable of searching for both full and partial CVE identifiers.

• IP360 reports display a list of all detected vulnerabilities, along with an accompanying list of any relevant CVE identifiers. Users can easily determine which CVE identifiers correspond to a given vulnerability.

• Individual vulnerability entries include a list of externally published advisories. If the vulnerability has a relevant CVE identifier, the CVE identifier is included in this list as a direct, external link to the corresponding NIST CVE entry. Clicking on this link will display information from online CVE content in a new browser window.

 

Statement of CPE Implementation

nCircle IP360 uses various application detection techniques in order to enhance the accuracy and reliability of vulnerability determination. Moreover, detected applications can be used to improve overall network security by identifying unauthorized or unexpected applications. IP360 uses CPE to label these detected applications. Specifically, nCircle IP360 implements the CPE standard by assigning appropriate CPE identifiers to every detectable application for which such an identifier exists. Whenever the official CPE dictionary is revised, new CPE identifiers are appended to application descriptions that did not previously have associated CPE identifiers, based on the dictionary revisions.

IP360 provides user access to this implementation via the following mechanisms:

• IP360 reports display a list of all detected applications, including operating systems and system services. For any given application, users can examine details of the detected application, which includes a description of the application. The description contains, where available, a CPE identifier that exists within the official CPE dictionary, as provided by NIST.

• A separate product dictionary that contains a list of all applications that have CPE identifiers is provided.

 

Statement of CVSS Implementation   

nCircle IP360 implements the CVSS standard by assigning a CVSS (Version 2) score to every detectable vulnerability for which such a score exists. For those vulnerabilities whose scores have not yet been officially calculated by NIST, nCircle calculates scores based on NIST guidelines. Whenever new scores are calculated by NIST, nCircle replaces its scores with the official NIST-calculated scores.

IP360 provides user access to this implementation via the following mechanisms:

• IP360 reports display a list of all detected vulnerabilities. Individual vulnerabilities include a list of externally published advisories. If the vulnerability has an official CVSS score, this score is included in the list. The CVSS Base Vector is also included in this list. The CVSS Base Vector is included in the list as a direct, external link to the CVSS Version 2 Calculator. The list also includes an nCircle CVSS Temporal Score and associated Vector, which is calculated according to NIST CVSS (Version 2) guidelines.