
Re: CD PROPOSAL: SYSCON (Interim Decision 8/24)



> Content Decision: SYSCON (System Administrator Consideration)
> -------------------------------------------------------------

 VOTE:  REJECT

I think this appears to go away from our "inclusive" idea.  I recall
reading in our vision of the CVE that "the CVE is independent of
perspective."  This proposal is contrary to that idea.  While the focus
of the CVE is practical in nature, I do not believe that applying this
rule will be of any help in that regard.

Content should be based, regardless of perspective, on the criteria:

if a vulnerability meets the inclusive definition (universal or not);
if it is validated;
if it is accepted/modified by 50% of board;
and at least 2 or 3 (depending how that vote goes) of the voting board
members are not Mitre;

then the vulnerability can be added.

As long as all board members recognize that their perspective is not the
only one, that the CVE is not a taxonomy or a database, and that the CVE
includes ALL perspectives and does not bias content on perspective, then
it can reflect the desired inclusiveness of vulnerability enumeration.
 
> (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
> 
> Short Description
> -----------------
> 
> All content decisions and individual CVE vulnerabilities must be
> considered in light of system administrators and security analysts,
> who are the ultimate beneficiaries of the CVE.
> 
> Rationale
> ---------
> 
> Security tools (such as assessment tools and IDSes), vulnerability
> databases, and academic research all have an ultimate goal of helping
> an enterprise to make itself more secure from attack.  Within the
> enterprise, system administrators and security analysts are the
> individuals who perform the bulk of the work involved in securing
> systems - applying patches, conducting assessments, keeping current
> with new vulnerabilities, etc.
> 
> One of the goals of the CVE is to facilitate data sharing among
> security tools and databases.  Therefore, its content decisions and
> individual vulnerability entries should consider the impact and usage
> to system administrators and security analysts, despite the
> expectation that they might not use the CVE directly itself.

-- 
 ------------------------------------------------------------
 David W. Baker
 INFOSEC Engineer                           bakerd@mitre.org
 G023 - Secure Information Technology      (703) 883-3658
 The MITRE Corporation                     (703) 883-1397 FAX
 1820 Dolley Madison Blvd, Mailstop W422    McLean, VA, 22102
 ------------------------------------------------------------
 "Cyberspace. A consensual hallucination experienced daily by
 billions of legitimate operators, in every nation, by 
 children being taught mathematical concepts... A graphic
 representation of data abstracted from the banks of every
 computer in the human system.  Unthinkable complexity.  Lines 
 of light ranged in the nonspace of the mind, clusters and
 constellations of data.  Like city lights, receding..."
 - William Gibson, "Neuromancer" 
 
 "640K ought to be enough for anybody." - Bill Gates, 1981 
 -------------------------------------------------------------

Page Last Updated or Reviewed: May 22, 2007