1. How to confirm whether the system involves vulnerabilities
During the maintenance process, the application system will inevitably be regularly missed by the customer, and the operation and maintenance needs to give feedback on whether it is involved and whether it can be rectified based on the customer's scan results.
In the security technology against hacking, real-time intrusion detection and vulnerability scanning and evaluation technologies and products have begun to occupy an increasingly important position. The main methods based on real-time intrusion detection and vulnerability scanning assessment are "known intrusion method detection" and "known vulnerability scanning", in other words, knowledge-based technology. Since there is no taxonomy for these scanner platforms, it is very difficult to directly compare their databases. Using a common name can help users share data in various independent vulnerability databases and vulnerability assessment tools. CVE came into being in such an environment.
CVE is the abbreviation of Common Vulnerabilities and Exposures, which means "common vulnerability disclosure". It is an organization initiated by companies such as Microsoft and Google to collect security vulnerability information and disclose it to the public through websites such as GitHub. The format of CVE is similar to WISE, which is also a list of letters and numbers, which is used to identify the severity level and impact scope of the vulnerability.
CVE official website:
China's CVE vulnerability database is constructed and maintained by the China Information Security Evaluation Center (CNNVD), which collects and shares known security vulnerability information, including software, hardware, network, and database.
CNNVD official website: