[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IMPORTANT: MITRE plans CVE "big splash" at SANS-NS '99 (Oct 3-10)

All:

It became clear during the latest CVE Review meetings that not
everyone realizes that we will make our "Big Splash" for the CVE at
SANS-Network Security '99, October 3-10 in New Orleans.  We've
mentioned this several times, but the message may not have registered
with people in the volume of discussions we've been having.

SANS-NS 99 is where MITRE will make the CVE known to the ultimate
beneficiaries, i.e. the sysadmins and security analysts.  We consider
SANS-NS 99 to be a hard deadline.  The biggest statement may be in the
form of the CVE "interoperability demo," which is discussed in the
slides for yesterday's meeting.

At a minimum, the splash will take the form of two Birds of a Feather
sessions, one to discuss the benefits of the CVE to end users, and
another to discuss CVE to potential mappers (e.g. vendors or
vulnerability database owners).

We are also looking into obtaining a booth where various Board members
can discuss the CVE Interoperability Demo (or whatever we'll call it).
While the demo may not be very mature by early October, it could
highlight all the different places where the CVE - and vendors and
other Board members - could play a role.  As discussed over the two
Review meetings, the scenario might involve CERT providing a list of
10 CVE names of significant problems (a "wild list" if you will),
conducting risk management using L-3 Expert, network assessment using
Netect/Bindview HackerShield, IDS from Axent (NetProwler?), further
research with the ISS X-Force database, and reports of incident
information.  Of course, this is just an example using those Board
members who've discussed the Interoperability Demo; I believe there is
room for anyone who wants to participate, e.g. with further indexed
access to the *Bugtraq's, a suite of network/host-based assessment
tools and IDSes by multiple vendors, taxonomical information provided
by academics, etc.  Since the tools won't be ready to "speak" CVE by
then, some of the demo may just be on poster board.  But with a small
number of 10 CVE vulnerabilities or so, it might be useful to list the
different names that the different products use, showing different
pieces of different vulnerability databases, though tools with
comma-separated output formats may lend themselves to a usable CVE
translation.

If other Board members want to participate, let us know.  We need to
refine the current Interoperability Demo slides and shape them into
something that marketing (and the sysadmins) will understand.

Below is the original message which describes the other high-level
goals we've had for the next few months.  The schedule has slipped
slightly but as I said before, we consider SANS to be a hard deadline,
and we'd like to be ready as close to RAID as possible.

Note that the Review meeting attendees tentatively agreed to have a
meeting on Sunday, October 3rd, in preparation for the week's
activities.

- Steve





From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Mon, 26 Jul 1999 14:57:50 -0400 (EDT)
Subject: High-level schedule of future CVE release activities

All:

MITRE has been working behind the scenes in preparation for the public
release of the CVE.  Following is a list of the activities that we
expect to undertake.  Note that the public release date may change as
events dictate.

1) CVE Review meetings - July 29-30, Aug 12-13

2) Begin working with all marketing contacts for Board members - early
August

3) CVE web site ready for Editorial Board review - early August

4) Editorial Board discussion and draft of Board membership
requirements, roles and responsibilities, etc. - mid-late August

5) CVE ready for public release - September 1.  Press releases
expected to occur sometime around this date.

6) Paper accepted for RAID-99 - "Building a Common Vulnerability
Enumeration" - September 7-9, Purdue.  This is the "debut" of the CVE
to security experts, at least in the IDS world.  Some Editorial Board
members will already be in attendance.  See
http://www.zurich.ibm.com/pub/Other/RAID

7) Birds-of-a-Feather session(s) at SANS-Network Security, New
Orleans, October 3-10.  This is the "debut" of the CVE to system
administrators and security analysts.  A number of Board members will
also be present.  See http://www.sans.org/ns99/ns99.htm

- Steve
Page Last Updated or Reviewed: May 22, 2007