About CVE

Terminology
Documents
FAQs
CVE List

About CVE Identifiers
Search CVE
Search NVD
Updates & RSS Feeds
Request a CVE-ID
CVE In Use

CVE Adoption
CVE-Compatible Products
NVD for CVE Fix Information
More…
News & Events

Calendar
Free Newsletter
Community

CVE Editorial Board
Sponsor
Contact Us

Search the Site

CVE Community

Editorial Board
Mail List & Meetings Archive
Roles, Tasks, & Qualifications
Adding New Members
Sponsor

CVE In Use

CVE Compatible Products and Services
More . . .

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The CVE-10K Problem

To: pmeunier <pmeunier@cerias.net>, "Mann, Dave" <damann@mitre.org>
Subject: Re: The CVE-10K Problem
From: Alfred Huger <alfred_huger@symantec.com>
Date: Tue, 16 Jan 2007 17:42:18 -0700
Cc: "Steven M. Christey" <coley@rcf-smtp.mitre.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Tue Jan 16 19:42:25 2007
In-Reply-To: <45AD5BD0.9000603@cerias.net>
Thread-Index: Acc50FcQlZ5tzKXDEdukPQAWy5lChQ==
Thread-Topic: The CVE-10K Problem
User-Agent: Microsoft-Entourage/11.3.3.061214



This seems like a great deal of conversation for a pretty simple issue.
Steve, perhaps you could solve it unilaterally?




On 1/16/07 4:12 PM, "pmeunier" <pmeunier@cerias.net> wrote:

> Dave,
> "It doesn't scale" are words that I've heard too often to discredit
> something out-of-hand.  Expecting a constant effort to be able to handle
> any number of vulnerabilities doesn't make sense.  However, the effort
> necessary to enumerate products should scale linearly with the number of
> products.  So should enumerating already discovered vulnerabilities (not
> discovering them).  If you see any reason why this wouldn't work, please
> enlighten me (I assume this is what you mean by "doesn't scale"?).  The
> question is how to get resources proportional to the number of
> discovered vulnerabilities.  Not increasing the funding of the CVE
> effort when the number of vulnerabilities increases so dramatically
> doesn't make sense, and we've had many years of that.
> 
> To continue your metaphor, if the U.S. keeps playing alone, there is no
> doubt that we'll drown.  You'll have to try to guess which products are
> the most used or deployed and it will be ugly.  Involving other
> countries and requesting participation (i.e., funding) proportional to
> the number of products they develop, which should be roughly
> proportional to the number of vulnerabilities overall, is the way to go.
>   I don't know how to make it all happen but it doesn't matter.  I know
> how to start:  by engaging people from different countries.  Some of
> them will know how to make it happen in their home countries.  The U.S.
> should stop trying to be the Lone Ranger, and should recruit to create a
> cavalry regiment.
> 
> Regards,
> Pascal
> 
> 
> Mann, Dave wrote:
>> pmeunier wrote:
>>> Funding for the CVE should be a requirement for the DHS, at whatever
>>> level is needed for it to function correctly and without undue stress
>>> on team members.  The CVE is a necessary foundation for vulnerability
>>> handling and research (or as I said before, "the key"), and many
>>> aspects of security.
>> 
>> 
>> Paraphrasing a quote that my wife used to have taped on our
>> refrigerator door when we were in grad school...
>>    Of the making of software packages there is no end, and
>>    much vulnerability research is a weariness of the flesh.
>> 
>> (It's from the last chapter of Ecclesiastes and originally stated
>> about the making and study of books, for those dying to know).
>> 
>> I see this as being much, much bigger than a DHS or US Government
>> funding issue.  
>> 
>> As you've correctly noted Pascal, software is being authored
>> globally at a mindblowing rate.  I have this picture in my
>> mind.  It's of the little Dutch boy with his fingers in the
>> leaking dike.  And on the other side of the dike, is the
>> massive tsunami wave of the global software market.  I don't
>> think the problem of software package identification is
>> scalable in this new world, much less the problem of
>> vulnerability identification *within* those packages.
>> 
>> My sense is that end consumers of vulnerability management
>> solutions have learned that their limited dollars will only
>> buy partial coverage and are willing to settle for coverage
>> of the most important (to them) issues.  Dan Geer (and others)
>> has said that enumerative security models don't scale and I
>> tend to agree with him.
>> 
>> This is why I don't think this is *only* a government
>> funding issue.  More generally, I don't think the world is
>> willing to pay for coverage of all vulnerabilities in
>> all software packages at any part of the VM life-cycle.
>> 
>> 
>> We are all ears on ways to restructure the CVE id assignment
>> process to reduce the bottle neck.  I think we can make
>> substantial progress but I think we all must recognize that
>> a wave is coming.  Here is a list of things for us all to consider
>> and discuss...
>> 
>> + Can we agree on a list of "must be covered and covered quickly"
>>   set of software?  This would allow CVE to better focus it's
>>   energy.  But other things will be excluded.
>> 
>> + Can we streamline or automate the Candidate Naming process?
>>   And if this introduces more errors and duplicates, to what
>>   extent can the community deal with errors?
>> 
>> + Can we figure out reasonable ways to divide up the problem
>>   as Pascal suggests?
>> 
>> Thoughts?
>> 
>> -Dave
>> ==================================================================
>> David Mann     |   CVE Project Lead   |  The MITRE Corporation
>> ------------------------------------------------------------------
>>      e-mail:damann@mitre.org    |      cell:781.424.6003
>> ==================================================================
>> 
>>

Follow-Ups:
- Re: The CVE-10K Problem
  - From: pmeunier <pmeunier@cerias.net>

References:
- Re: The CVE-10K Problem (fwd)
  - From: pmeunier <pmeunier@cerias.net>

Prev by Date: Re: The CVE-10K Problem (fwd)
Next by Date: Re: The CVE-10K Problem
Prev by thread: Re: The CVE-10K Problem (fwd)
Next by thread: Re: The CVE-10K Problem
Index(es):
- Date
- Thread

Page Last Updated: May 22, 2007