On Wednesday, October 20, 1999 1:14 PM, Russ Cooper <Russ.Cooperat_private> wrote:

> As far as people not being willing to share information (Marcus' claim
> that NFR would have to put 500 new entries into the CVE for them to be
> able to map to it), so be it. I hosted what we called the "Balkan VdB
> Owners" discussion at the last CERIAS conference. We came up with many
> reasons why people would not want to share information. We also
> recognized, and the CVE Editorial Board was formed as a result of this
> recognition, that many vendors will claim to detect far more
> "vulnerabilities" than they actually do. The CVE Editorial Board's

I don't think the CVE quite gets us to a common definition of what is or is not a vulnerability. Different people are concerned with different things, and something not of interest to one person may be very important to another.

One example of where this impacts the CVE is the way the CVE sometimes summarizes many issues into a single entry. For example, one NT entry is something like "Auditing permissions set incorrectly" (sorry, I can't remember the exact number). This assumes that everyone will want to have the exact same settings, which likely isn't the case. If you really want to do an audit to see if someone is complying with their (local) security policy, you have to take this into account.

From the vendor's viewpoint, a product that helps people who want to do this will have to check, track, and report many different audit settings, and provide the user the ability to tune the settings to fit. Whether you call this one check or many, a useful product simply has to provide this.

Not that the CVE isn't a win in general - we're coming out with a point release for Internet Scanner (6.0.1) that will provide full CVE searchability.

However, it's become pretty clear that there often isn't a one-to-one mapping of CVE names to our checks, for what we think are pretty good reasons (CVE doesn't provide everything that our customers need). A narrow interpretation of what a CVE reference means probably limits its value, maybe substantially.

Obdisclaimer: I'm the Internet Scanner product manager.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems           | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328 USA                         | Web:   http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE