One reason I was curious about the CVE database is that I'm trying to figure out how it might work into various books I'm working on (a new one on authentication and an update of "Internet Cryptography"). Now that I've looked closer, I realize CVE is NOT a taxonomy, it's simply intended as a listing of vulnerabilities or "exposures" at a particular level of abstraction. (Since people tend to think of "vulnerabilities" as exploitable weaknesses, an "exposure" is a weakness that may or may not be exploitable, depending on circumstances.) Clearly, I can use the database as a representation of identified vulnerabilities. It's good to have a list of known problems to work from. The descriptions aren't always very detailed, but they generally refer to other sources and reports. So it's a good piece of reference material. If I'm wondering how many different buffer overflows have been reported (so far), it's a good place to work from.

Further, there's the question of whether it's worthwhile to associate CVE identifiers with vulnerabilities I talk about within the book. It's probably a Bad Idea. Don't get me wrong -- I see some real value in what they're doing. But I need to hit a certain level of abstraction and talk about "buffer overflows" or "buffer overflows in Unix Internet servers." The CVE talks about "buffer overflows in ping" and has separate identifiers for each affected software component. That's too low a level of detail for my use.

Rick.
smithat_private
"Internet Cryptography" at http://www.visi.com/crypto/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:16 PDT