Re: Counting on CVEs
On Thu, 8 Mar 2012, Art Manion wrote:

: The questions remain IMO:
:
: 1. What level of abstraction is appropriate for CVE?

Their current method of abstraction is appropriate. It is well defined and consistent.

: 2. What level of completeness is appropriate for CVE?

I don't think "appropriate" is relevant. I think everyone wants it to be "absolutely complete". For our business and research, that is the only appropriate completeness.

: Is there desire/need for an accurate count of vulnerabilities? OSVDB
: either abstracts a little more narrowly than CVE and/or collects more
: vulnerabilities, so OSVDB has higher numbers.

OSVDB does both, but our abstraction is more than "a little more narrow". We abstract per vulnerability, where CVE will group similar. So take a single CVE that lists 10 scripts vulnerable to SQL Injection, and we will create 10 entries. OSVDB abstracts more than any other VDB, but as I said, that is not always suitable depending on a person's needs.

: If CVE or any other database were to try to name and count all publicly
: disclosed vulnerabilities, it would be important to be able to
: distinguish between a vulnerability that is one of a dozen XSS bugs in a
: PHP web app and a vulnerability that is a straight up stack buffer
: overflow in httpd. Sure, count them all, but be able to say that out of
: 20K vulnerabilities named this year, 61% were XSS or SQLi in web apps
: with low distribution.

In theory, that is where CVSS (or another classification scheme) could come in. Combined, that data could be used to pick out 'relevant' or more critical issues.

: I'm guessing at some numbers in the above example, but this is a big
: reason IMO that CVE numbers have declined. Vulnerabilities "worth
: tracking with a CVE" have declined, not the total number of
: vulnerabilities. Another way to look at it might be that the criteria
: for "worth tracking with a CVE" has changed.

Based on my chats with CVE, I don't think it is that.
I don't believe they shy away from an issue due to severity. I think that the issue is that CVE monitors a list of sources for vulnerabilities, and their resources do not permit them to look at more. For example, they monitor Bugtraq, but not Full-Disclosure. Over the years, many researchers have started posting to F-D without CCing Bugtraq (for a variety of reasons). Add to that sites like Exploit-DB and other exploit aggregation sites that aren't being monitored, and the numbers quickly explain themselves. OSVDB has a long list, but we don't have the resources to monitor all of them in a timely manner. We use a weighted system for checking them as time permits, so the ones we consider critical (ICS-CERT) get hit daily, but a changelog or bug tracker may get checked yearly at best.