Re: [ISN] NIST creates forum to comment on software vulnerabilities

From: InfoSec News (alerts@private)
Date: Tue Sep 12 2006 - 22:36:03 PDT


Forwarded from: security curmudgeon <jericho (at) attrition.org> 

: http://www.gcn.com/online/vol1_no1/41907-1.html
:
: By William Jackson
: GCN Staff
: 09/07/06
:
:
: The National Institute of Standards and Technology today launched a
: service within its National Vulnerability Database that will allow 
: vendors to discuss the impact of vulnerabilities on their products.

: "The service is designed to be a public forum for vendors to comment on
: the vulnerabilities, and to have those comments embedded in databases
: and discussions," said NVD program manager Peter Mell.

: "There hasn't been a public forum for software vendors where they can
: say, here's some more information," Mell said.

But there has been: OSVDB announced the exact same feature on Apr 13, 2006
[1]. This was done to let vendors AND users add comments to
vulnerabilities and it has proven very helpful in adding another
method for people to provide feedback and additional
information/clarification on published vulnerabilities. So far, it has
been very useful and allowed us to update many entries with additional
information.

: The impetus for the program came from Mark J. Cox, security response
: director for Red Hat Inc. of Raleigh, N.C., which sells open-source
: software including Red Hat Linux and SELinux.

I have no doubt Mark Cox came up with this idea, but I imagine that
like many ideas, it wasn't published in any fashion leading to
multiple people/projects 'inventing' it on their own. That said, just
to be a bit snarky (come on, people expect it from me), perhaps NVD
could implement another of Mr. Cox's suggestions [2]? And yes, OSVDB
has been doing it since day one, with a long-standing bugzilla to
enhance it even further. =)

: NIST provides a Web portal for vendors with accounts that lets them post
: official statements about vulnerabilities. These can include information
: on what versions and products are affected or not affected, guidance on
: configuration and remediation, analysis, explanations and disputes. The
: statements appear on the same page as the vulnerability being described.

Why do you only allow vendors to comment on them? Surely NVD doesn't think
that vendors are the only ones qualified to add analysis and information
to a vulnerability?

If you allow comments from anyone, of course you get to deal with the
usual blog style spam and random quacks that tend to reply "OMG THIS IZ
NOT REAL U SUK", but it's no worse than dealing with a blog. On the other
hand, you also tend to get vendors that don't want to create accounts,
researchers that can add information, as well as other VDBs that care
about accurate information (*gasp*).

: NIST verifies designated vendor officials who receive the accounts on
: the service and authenticates users accessing the service to make posts.

Does NIST propagate these comments back to CVE in the case of correcting
an error in the original CVE description/references, which are the basis
for NVD?

: Cox said Red Hat will evangelize the service, which he expects will be
: particularly helpful to the open-source community.
:
: "This is really useful for software that is shipped by multiple
: vendors," he said. "But the service is going to be open for everyone."

It depends on what you count as the 'service'. If the 'service' is
being able to comment on a vulnerability, then no, the service is open for
registered and verified vendors.

- jericho


[1] http://osvdb.org/news.php#comments
[2] http://attrition.org/pipermail/vim/2006-May/000777.html






This archive was generated by hypermail 2.1.3 : Tue Sep 12 2006 - 22:53:58 PDT