Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
On Mon, Jun 28, 1999 at 04:43:16PM -0400, Steven M. Christey wrote:
>
> I believe that the Same Attack approach has more practical, everyday
> usage than Spaf's Same Codebase perspective, since (a) it's at the
> level that IDSes and scanners would operate at; and (b) it's at the
> level that (in my experience) sysadmins like to see it at, especially
> as they pore through the voluminous results of security tools. I
> believe that as long as we make sure that the description identifies
> all affected applications, then the current CVE content decision
> remains the most appropriate for the community at large, especially
> when considering the "end users."
>
> Comments?

Both approaches are reasonable, but as you clearly explain they serve different audiences. So I guess we have to make a decision. Is the CVE going to be a scientific study of vulnerabilities, or are we going to make things easy for the sys admins?

Having just dealt with creating a vulnerability database with the sysadmin in mind I would opt for the Same Attack level of abstraction.

As you also point out, selecting "Same Codebase" may not be easy in practice. Hell, we don't even know if a codebase changed between product revision numbers. Unless we are omniscient we do not have enough information to go with Same Codebase without making a lot of assumptions (which translates into the CVE containing errors or at least not being accurate).

>
> - Steve
>

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01