RE: Counting on CVEs
Couple of responses to Dave's points, and one new one for consideration (that may deserve its own thread).

On Fri, 9 Mar 2012, Mann, Dave wrote:

: 1) GLOBAL VULNERABILITY REPORTING - In my opinion, one thing that CVE
: global vulnerability reporting problem. But one thing I'm very sure of
: is that this solution, if it exists, will need to evolve organically by
: knitting together various regional capabilities.

Definitely.

: I think the best thing that we, the CVE community, can do to help
: facilitate the emergence of a global vulnerability reporting capability
: is to be able to speak clearly about what we can and can't do and to try
: to make as many of our lessons learned available to others as possible.

Agreed. I think this will be in the form of announcing what vulnerability disclosure sources are monitored at the very least. After that, perhaps an average time it takes to issue an identifier after disclosure.

The other thing to consider is that if the regional entities share exports of references, it would be considerably easier to do matching. One thing OSVDB has done for vendors that wanted it was to exchange such dumps. We'd provide a list of OSVDB - CVE - Secunia - BID - XSS cross-references; they would provide a list of CVE - internal_id references. Each side could then import the other's data set to add a new set of references. OSVDB did this, for example, with Tenable for both Nessus and PVS. In a matter of hours, OSVDB could reference some 5,000 PVS references along with 40,000+ Nessus references.

Think of this on a bigger scale. If CVE and JP-CERT do that, and CVE shares with OSVDB, and OSVDB and Secunia swap data sets frequently, then each VDB and regional entity would have a solid framework that achieves two things:

1. They have good cross-references, which helps avoid duplicate assignments.
2. Each entity has a concise list of CVE (or any other shared ID) that are *not* in their database, and they can investigate why.

: 2) VULNERABILITY SOURCES - We've talked internally at great length on
: the subject of vendors, products and sources. We've also talked a bit
: about this as a Board. In my opinion, we'll drive ourselves bonkers if
: we talk about vendors and products.

Totally spitballing here: with the creation of so many other VDBs that do daily monitoring, perhaps CVE should dramatically change the focus. Rather than trying to monitor a percentage of disclosure sources, why not monitor a handful of VDBs? By watching Secunia, BID, and ISS, CVE could create an entry with a certain level of confidence (especially if monitoring Secunia). Further, they could have the original disclosure and three VDB references with each CVE coming out of the gate. In turn, each of those VDBs can scrape CVE and import the assignment since their ID is already in the mix. In short, CVE could become a different style of meta-VDB.

--

The other point I have brought up privately, and publicly to some degree, is the CVE / NVD relationship. I know the following is kind of a unicorn at best, because of government bureaucracy, but I think it would be considerably better for the industry and those that use CVE.

NVD needs to go away. Completely. The money they receive from NIST should be re-assigned to CVE. Hell, the existing contract could stay in place so very little is actually changed. For those not aware, NVD outsources the CVSS scoring to Booz Allen junior analysts. The only real value NVD brings to the table, that so many rely on them for, is CVSS scoring. Having those same analysts report to MITRE instead of NIST would eliminate another issue many in the industry have, that being the extra day or three delay between CVE assignment and CVSS scoring. If CVE had those analysts, they could get a score affiliated with a CVE assignment that much quicker, and not have to go through the daily push of data to NVD, who then pushes it on to BA.

Again, it's the government, two agencies and two contractors that make up the mess of funding and actual work. I know it is a small miracle to make big changes like that (on paper).

.b
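The cross-reference exchange described in the message above (each side exports its identifier mappings, the other side imports them, and each ends up with a list of shared IDs it does not hold) can be expressed as a plain join on the shared identifier. The following is an added illustration written for this archive page, not code from OSVDB, Tenable or any VDB; the CSV column names and every identifier in the two sample exports are constructed for the example. It also flags the caveat the message implies but does not spell out: an entry with no shared ID (here, an OSVDB-style row with no CVE) cannot be matched at all and has to be handled by hand.

```python
"""Join two vulnerability-database exports on a shared ID and report what each side gains."""
import csv
import io

# Constructed sample exports. Every identifier here is made up for illustration.
# Side A: an OSVDB-style export, one row per entry with its known cross-references.
OSVDB_EXPORT = """\
osvdb_id,cve,secunia,bid
OSVDB-1001,CVE-2011-0001,SA40001,BID-45001
OSVDB-1002,CVE-2011-0002,,BID-45002
OSVDB-1003,,SA40003,
OSVDB-1004,CVE-2011-0004,SA40004,
"""

# Side B: a vendor-style export mapping the shared ID to the vendor's internal ID.
VENDOR_EXPORT = """\
cve,internal_id
CVE-2011-0001,PLUGIN-1
CVE-2011-0002,PLUGIN-2
CVE-2011-0005,PLUGIN-5
"""


def parse_export(text):
    """Parse a CSV export into row dicts; blank cells become None so they never join."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v.strip() or None) for k, v in row.items()})
    return rows


def index_by(rows, key):
    """Index rows by a shared identifier, skipping rows that lack it."""
    return {row[key]: row for row in rows if row.get(key)}


def exchange(osvdb_rows, vendor_rows, shared="cve"):
    """Join both exports on `shared` and report the outcome for each side.

    Returns a dict with:
      osvdb_new_refs    - {osvdb_id: internal_id} the OSVDB side can import
      vendor_new_refs   - {internal_id: {osvdb_id, secunia, bid}} the vendor side can import
      missing_in_osvdb  - shared IDs the vendor holds but OSVDB does not (investigate why)
      missing_in_vendor - shared IDs OSVDB holds but the vendor does not
      unmatchable       - OSVDB rows with no shared ID at all; the join cannot see them
    """
    by_osvdb = index_by(osvdb_rows, shared)
    by_vendor = index_by(vendor_rows, shared)
    osvdb_new, vendor_new = {}, {}
    for sid in by_osvdb.keys() & by_vendor.keys():
        a, b = by_osvdb[sid], by_vendor[sid]
        osvdb_new[a["osvdb_id"]] = b["internal_id"]
        vendor_new[b["internal_id"]] = {
            k: a[k] for k in ("osvdb_id", "secunia", "bid") if a.get(k)
        }
    return {
        "osvdb_new_refs": osvdb_new,
        "vendor_new_refs": vendor_new,
        "missing_in_osvdb": sorted(by_vendor.keys() - by_osvdb.keys()),
        "missing_in_vendor": sorted(by_osvdb.keys() - by_vendor.keys()),
        "unmatchable": sorted(r["osvdb_id"] for r in osvdb_rows if not r.get(shared)),
    }


def run():
    """Run the exchange over the constructed sample exports."""
    return exchange(parse_export(OSVDB_EXPORT), parse_export(VENDOR_EXPORT))


if __name__ == "__main__":
    for section, value in run().items():
        print(f"{section}: {value}")
```

The two "missing" lists are the second benefit the message describes: a short, concrete work queue of shared IDs one side has never seen. The "unmatchable" list is the practical limit of the approach; a third shared column (Secunia, BID) would let those rows join through a different key, which is why swapping the full cross-reference set rather than a single mapping pays off.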