On Thursday, October 21, 1999 10:09 AM, Ted Doty said:

> I don't think the CVE quite gets us to a common definition of
> what is or is not a vulnerability. Different people are concerned with
> different things, and something not of interest to one person may be very
> important to another.

Damn right. So perhaps there should be alternate schemes. Only the media/press not understanding things will see them in competition, as they did with OpenLook/Motif. Remember what happened then? After Motif won they decided that different versions of Motif were in competition. Sounds like a cancer to me. But then if it isn't an issue it doesn't make headlines, does it?

> However, it's become pretty clear that there often isn't a
> one-to-one mapping of CVE names to our checks, for what we think
> are pretty good reasons (CVE doesn't provide everything that our customers need).

Taxonomies are often hierarchical. One of the wonders of computers is that the same thing can appear in different places in the hierarchy, rather like (sym-)links in a UNIX file system. If this is a taxonomy rather than a database, then it's working by classification. If there is a one-to-one mapping then it's ONLY a listing or database. A taxonomy may encompass a database. There may also be items in the database for which there is no taxon.

Thank you for saying that this doesn't provide everything the customers need. It may bring the media down on you, but it also avoids this being touted as a universal panacea. I hope the various groups involved will not fall prey to the marketing disease and think they have a One True Solution.

> A narrow interpretation of what a CVE reference means probably
> limits its value, maybe substantially.

The more I hear of this the less I think it's really a taxonomy, since a taxonomy implies categorisation that reflects an underlying nature of things and offers an insight into why things are the way they are.

If it's just a list, a one-to-one mapping, like the names of kings or presidents and the dates when they held office, it tells us nothing about the underlying nature of things. We can do statistics ("yes, there were more bug fixes published for LINUX than Windows NT, therefore LINUX must be buggier than NT"; "there were fewer people executed for murder under that administration, therefore the violent crime rate must have been lower"). If I'm incorrect in this view, please point out how CVE is really a taxonomy rather than just an enumerated listing.

--------------------------------------------------------------------
Anton J Aylward, CISSP         | The Internet is not the greatest
System Integrity               | threat to information security;
InfoSec Auditing & Consulting  | stupidity is the greatest threat
Voice: (416) 421-8182          | to information security.
ajaat_private                  |     Will Spencer <will.spencerat_private>