RE: CVE Information Sources & Scope

Ken noted:
>All said (and I'm certain that Steve would agree with me), there's simply no automated substitute for a quality SME who is obsessed with accuracy and thoroughness. :)

We all three are in agreement. I just presented a paper at a conference making roughly this same point. I stole this line from Matt Burton (who I hope returns to security work), who said we need to focus on effective computer augmentation, not merely computer automation.

-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

>-----Original Message-----
>From: Williams, James K [mailto:James.Williams@ca.com]
>Sent: Wednesday, October 05, 2011 1:33 PM
>To: Mann, Dave; cve-editorial-board-list
>Subject: RE: CVE Information Sources & Scope
>
>Virtually every aspect of vuln processing can be automated, including:
>
>* searching by keyword on any website or mailing list archive (marc.info works great as long as the keyword is at least 3 char)
>* monitoring web pages (i.e. vendor security and support home pages) and mailing lists for updates
>* using google or other search engine to monitor smaller vendor sites, support forums, bugtracking systems
>* keyword searching on pastebin
>* IRC channel logging, and search through published logs
>* monitoring twitter feeds for new twitter feeds and for links to websites with vuln content
>* loading of a vuln queue based on content culled from above actions
>* filtering noise out of vuln queue
>* CVE assignment, after very brief cursory review by human
>
>In the end, it becomes a matter of manpower vs acceptable level of accuracy.
>
>In my experience, I have found that vendors modify their security and support page locations and formats so often that frequent manual review is necessary. I've also found that queue filtering is best left to human SMEs.
>
>Even SMEs though can automate portions of their work by using custom browser add-ons and features, mail client filters, etc.
>
>All said (and I'm certain that Steve would agree with me), there's simply no automated substitute for a quality SME who is obsessed with accuracy and thoroughness. :)
>
>Thanks and regards,
>Ken Williams, Director
>CA Technologies Product Vulnerability Response Team
>CA Technologies Business Unit Operations
>wilja22@ca.com - 816-914-4225
>
>
>-----Original Message-----
>From: Mann, Dave [mailto:damann@mitre.org]
>Sent: Wednesday, October 05, 2011 11:21 AM
>To: Williams, James K; cve-editorial-board-list
>Subject: RE: CVE Information Sources & Scope
>
>>editorial-board-list@lists.mitre.org] On Behalf Of Williams, James K
>>Good points, Art. In particular, quicker issuance of CVE identifiers would be great.
>
>I triple promise that we're going to have the speed of issuance discussion. Promise.
>
>>As far as monitoring of twitter and blogs goes, we also need to consider monitoring:
>>* pastebin,
>>* smaller vendor bugtracking systems (I find vulns every week, in widely used software, that never make it to BugTraq, Secunia, or CVE),
>>* discussion forums (in a variety of languages, and many require registration),
>>* reddit,
>>* IRC,
>>* and whatever other communication/dissemination mediums become popular (again) next month.
>>
>>When expanding monitoring of these types of sources, extensive automation is necessary.
>
>James, could you talk more about automation techniques for monitoring these sources?
>
>-Dave
>==================================================================
>David Mann | Principal Infosec Scientist | The MITRE Corporation
>------------------------------------------------------------------
>e-mail:damann@mitre.org | cell:781.424.6003
>==================================================================
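As an added illustration that is not part of the thread, here is a small Python sketch of the intake pipeline Ken lists: keyword search honouring the 3-character minimum, hash-based change detection on monitored pages, a crude noise filter, and a queue in which every item is still flagged for a human reviewer before any CVE assignment. The source names, keywords, noise terms and page snapshots are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass

MIN_KEYWORD_LEN = 3  # marc.info-style keyword search needs at least 3 characters
# Crude noise filter; in practice it is tuned per source and re-tuned by the SMEs.
NOISE = re.compile(r"\b(unsubscribe|newsletter|webinar)\b", re.I)

@dataclass
class QueueItem:
    source: str
    text: str
    hits: list
    needs_human_review: bool = True  # CVE assignment still follows a human look

def usable_keywords(keywords):
    """Drop search terms too short for the archives being searched."""
    return [k.lower() for k in keywords if len(k) >= MIN_KEYWORD_LEN]

def page_changed(seen_hashes, source, body):
    """Hash-based change detection for a monitored vendor or support page."""
    digest = hashlib.sha256(body.encode()).hexdigest()
    if seen_hashes.get(source) == digest:
        return False  # unchanged since the last poll: nothing new to queue
    seen_hashes[source] = digest
    return True

def keyword_hits(text, keywords):
    lowered = text.lower()
    return [k for k in keywords if k in lowered]

def load_queue(snapshots, keywords, seen_hashes):
    """Cull changed pages with keyword hits into the vuln queue, dropping obvious noise."""
    kws = usable_keywords(keywords)
    queue = []
    for source, body in snapshots:
        if not page_changed(seen_hashes, source, body):
            continue
        hits = keyword_hits(body, kws)
        if hits and not NOISE.search(body):
            queue.append(QueueItem(source, body, hits))
    return queue

# Constructed sample data (not real vendor pages); the last entry is a repeat poll.
KEYWORDS = ["overflow", "xss", "rce", "cve", "xp"]  # "xp" is too short to search
SNAPSHOTS = [
    ("vendor-a/security", "Advisory: buffer overflow in Widget 2.1; update to 2.2"),
    ("vendor-b/support", "Join our webinar on the roadmap; unsubscribe link below"),
    ("forum/thread-42", "XSS in the admin panel of ExampleCMS, PoC attached"),
    ("vendor-a/security", "Advisory: buffer overflow in Widget 2.1; update to 2.2"),
]
```

Running `load_queue(SNAPSHOTS, KEYWORDS, {})` yields two items (the vendor advisory and the forum thread); the webinar page is dropped as noise and the repeated advisory is suppressed by the hash check.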