Re: [ISN] A Dictionary For Vulnerabilities

From: InfoSec News (isnat_private)
Date: Wed Jun 25 2003 - 00:39:50 PDT

    Forwarded from: Kurt Seifried <kurtat_private>
    
    http://security.ziffdavis.com/article2/0,3973,1134336,00.asp
    
    Actually the hope is that vendors come to Mitre requesting CVE CAN
    numbers, i.e. you find a vulnerability, you go to SANS/Mitre/etc,
    start the process, get a CAN entry, that way when you release it has a
    standard name. If Mitre is left to reactively gather entries and
    research them (i.e. is this a new issue? already covered? what is it
    related to? etc.) then of course it will be "old". As for the CAN ->
    CVE process this isn't that important, the number is still kept, i.e.
    CAN-2003-0001 -> CVE-2003-0001. The CVE designation simply means that
    the issue is "closed", i.e. the vendor has addressed it. The CVE/CAN
    designation is a rather moot point and non critical item in my
    opinion.
    
    As someone who works for a security vendor I can say that the CVE
    project reduces my workload measurably (i.e. several hours a week,
    significantly), people use different terminology and names all the
    time, as soon as I see a CVE number I can find out in about 1 second
    what it actually is, as opposed to spending minutes or hours tracing
    down what a vulnerability/fix actually is.
    
    BTW, how would having a group to name viruses slow down research, even
    if it takes them a while to agree on a name?
    
    This is one of the most poorly written and researched "security"
    articles I have ever read, and I've read a lot of bad articles in my
    time.
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Jun 25 2003 - 03:07:08 PDT