RE: Sources: Full and Partial Coverage
Let me just add a comment from a vendor who has been doing this work for a long time.
Our customers don't think about sources of intelligence, they think about coverage for a particular application or platform; Our researchers are the ones that think in terms of vulnerability disclosure sources and threat intelligence.
Back to the customer perspective for a second, without even thinking that much, I can tell you the top X and I will rattle off this:
* Adobe Reader / Acrobat
* Mozilla Firefox
* Oracle RDBS
* Cisco IOS & ASA
While I may have missed some, I can tell you this is the conversations I have with customers who use our products to find vulnerabilities.
When I speak to researchers about this, it is a different conversation because 1) the conversation has already be scoped to bias toward these sets and 2) the question then becomes which sources of intelligence about these platforms serve the researcher best when trying to be accurate and complete.
Tim "TK" Keanini, CTO ... nCircle Inc. ... mbl (415) 328-2722 ...
From: owner-cve-editorial-board-list@LISTS.MITRE.ORG [mailto:owner-cve-editorial-board-list@LISTS.MITRE.ORG] On Behalf Of security curmudgeon
Sent: Thursday, May 17, 2012 3:57 PM
To: Booth, Harold
Subject: RE: Sources: Full and Partial Coverage
On Thu, 17 May 2012, Booth, Harold wrote:
: > However, if you say "CVE, monitor ProductX", and due to an incomplete list of sources
: > being monitored, they end up issuing an ID for only 70% of the vulnerabilities disclosed
: > in ProductX, has that met your need?
: No, it has not. But then CVE and everyone else will know that, since the
: goal has been defined in terms of "monitor ProductX". Changes to process
: and tools will be made to get the number closer to 100%. If the goal is
: defined as "monitor sources X, Y and Z" which result in an ID for 70% of
: the vulnerabilities disclosed for ProductX there is likely no explicit
: step in the process to improve coverage of ProductX. "What gets
: measured, gets done," and I believe measuring in terms of products
: instead of sources will lead to more desirable results.
That is a good point, but not sure if either of us can justify our positions short of "CVE would have to try it" =)
In my mind, if you monitor the right sources, you approach 100% for more products in a repeatable fashion, than if you try to go off a list of products first.