[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE Must-Have Coverage



Tracking vulnerabilities in the following would be good, too, as their use is spread quite widely:
ISC Bind / dhcpd
OpenSSL
Kerberos
potentially other core technologies, such as zlib, which have low frequency vulnerabilities, but wide impact.

Also, perhaps something to track things zero day-ish  things that aren't reported to vendors:

My 2 cents. 
Andy

On Oct 11, 2011, at 3:03 PM, Mann, Dave wrote:

Folks,

Below, please find a somewhat stabilizing set of vulnerability sources.

I've tried to capture the best consensus (not pure votes but close).

Please review the list and holler loudly and quickly if you see something you can't live with.   This is a living document so nothing is cast in stone.  Still gaining a level of agreement on the scope is a necessary first step.

I'm particularly concerned at the almost complete lack of desktop or enterprise software packages being called out by vendor.

Some are listed but by no means the majority.  The implication to me is that we're very much relying on non-vendor sources to shed light on these types of software.


-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

CVE VULNERABILITY INFORMATION SOURCES - PRIORITY


Government & Related Information Sources
 Must Have
   US-CERT Advisories (aka CERT-CC Advisories)
   US-CERT Vulnerability Notes (CERT-CC)
   US-CERT Bulletins (aka Cyber-Notes)   
   CMU/CERT-CC                                 
   DoD IAVAs                             
 Nice To Have
   NISCC                                 
   AUS-CERT                              
   DOE CIRC (formerly CIAC)               


Vendor Published Information
 Must Have
   Microsoft                                   
   RedHat                                      
   Apache                                      
   Apple OSX                                   
   Oracle                                      
   Solaris                                     
   Suse                                        
   Mandriva                                    
   HP-UX                                       
   AIX                                         
   Cisco IOS                                   
   Free BSD                                    
   Open BSD                                    
   Net BSD                                     
   Gentoo (Linux)                              
   Ubuntu (Linux)                              
   Adobe
   Mozilla
   Google Chrome
 Nice To Have  
   Debian                                      
   SCO     
   Cisco


Mailing Lists & VDBs
 Must Have
   Bugtraq                                     
   Full Disclosure                             
   Security Focus                              
   Security Tracker                            
   OSVDB                                       
   Oss-security                                
 Nice To Have
   ISS X-Force                                 
   FRSIRT  (VUPEN)                             
   Secunia                                     
   SecuriTeam                                  
   Metasploit                                  
   Snort                                       
   Contagiodump.blogspot.com                   
 Ignore
   Vuln-Watch                                  
   VulnDev                                     
   Packet Storm                                
   SANS Mailing List (Qualys)                  ]
   Neohapsis (Security Threat Watch)           

This is a digitally signed message part


 
Page Last Updated: November 06, 2012