Re: Sources: Full and Partial Coverage (CNA increase)
On Mon, 25 Jun 2012, Art Manion wrote:
: On 6/25/12 11:38 AM, Mann, Dave wrote:
: > We haven't talked about increasing the number of CNAs yet, but that is definitely coming.
: > Increasing CNAs is a part of the "how" we cover what we cover discussion, as is quality of descriptions and minimum requirements.
: > First we need to get through the "what" we're going to cover part.
: OK, I'm trying to reconcile the products and sources approaches, and I
: don't think it matters much, unless we're already at the point of trying
: to distribute CNA coverage.
: What should CVE cover? CVE should cover vulnerabilities. I'd like CVE
: to cover, if not all, then the most important vulnerabilities. "Most
: important" gets a bit tricky, but one aspect should be the scope of the
: vulnerability -- the number of people affected, possibly within a
: constituency. A vulnerability affects one or more products, and we care
: about products because they are used by or affect (service) many (or
: few) people.
You are entirely right. And, you are using sketchy wording =)
: phpGolf? Affects few, don't include. (*)
: Microsoft XML Core Services? Affects many, include.
Siemens SIMATIC? Affects very few customers, don't include.
Siemens SIMATIC? Affects hundreds of millions of THEIR customers, include.
There are dozens of software packages that many haven't heard of, even in
the VDB world. Yet, they are embedded in hundreds or thousands of other
packages. Jetty, SPAW, and FckEditor just to name a few. There are more
that I can't think of right off, but I routinely see in changelogs of
bigger / more visible products.
: Other "importance" factors are the usual things like impact, ease of
: exploitation, related incident activity, ease of access, etc.
: CVSS-like stuff. I don't necessarily recommend this, but CVE should
: include all vulnerabilities with a CVSS environmental score of X or
: higher (with environment == the internet).
I don't think that is a valid criterion really, as XSS / LFI / RFI / SQLi
are all 5+. I use 5 as the example because of PCI; any of those will fail
a PCI certification test. I'd love to see someone do some quick stats on
the number of vulns broken out by CVSS score, but I'd wager 75%+ are CVSS
4+ (I think the actual PCI certification cutoff now?).