RE: Counting on CVEs
Couple of responses to Dave's points, and one new one for consideration
(that may deserve its own thread).
On Fri, 9 Mar 2012, Mann, Dave wrote:
: 1) GLOBAL VULNERABILITY REPORTING - In my opinion, one thing that CVE
: global vulnerability reporting problem. But one thing I'm very sure of
: is that this solution, if it exists, will need to evolve organically by
: knitting together various regional capabilities.
: I think the best thing that we, the CVE community, can do to help
: facilitate the emergence of a global vulnerability reporting capability
: is to be able to speak clearly about what we can and can't do and to try
: to make as many of our lessons learned available to others as possible.
Agreed. I think this will be in the form of announcing what vulnerability
disclosure sources are monitored at the very least. After that, perhaps an
average time it takes to issue an identifier after disclosure.
The other thing to consider is that if the regional entities share exports
of references, it would be considerably easier to do matching. One thing
OSVDB has done for vendors that wanted it was to exchange such dumps. We'd
provide a list of OSVDB - CVE - Secunia - BID - XSS cross references, they
would provide a list of CVE - internal_id references. Each side could then
import the other's data set to add a new set of references. OSVDB did this
for example with Tenable for both Nessus and PVS. In a matter of hours,
OSVDB could reference some 5,000 PVS references along with 40,000+ Nessus
Think of this on a bigger scale. If CVE and JP-CERT do that, and CVE
shares with OSVDB, and OSVDB and Secunia swap data sets frequently, then
each VDB and regional entity would have a solid framework that achieves
1. They have good cross-references, which helps avoid duplicate
2. Each entity has a concise list of CVE (or any other shared ID) that are
*not* in their database, and they can investigate why.
: 2) VULNERABILITY SOURCES - We've talked internally at great length on
: the subject of vendors, products and sources. We've also talked a bit
: about this as a Board. In my opinion, we'll drive ourselves bonkers if
: we talk about vendors and products.
Totally spitballing here:
With the creation of so many other VDBs that do daily monitoring, perhaps
CVE should dramatically change the focus. Rather than trying to monitor a
percentage of disclosure sources, why not monitor a handful of VDBs? By
watching Secunia, BID, and ISS, CVE could create an entry with a certain
level of confidence (especially if monitoring Secunia). Further, they
could have the original disclosure and three VDB references with each CVE
coming out of the gate. In turn, each of those VDBs can scrape CVE and
import the assignment since their ID is already in the mix.
In short, CVE could become a different style of meta-VDB.
The other point I have brought up privately, and publicly to some degree,
is the CVE / NVD relationship. I know the following is kind of a unicorn
at best, because of government bureaucracy, but I think it would be
considerably better for the industry and those that use CVE.
NVD needs to go away. Completely. The money they receive from NIST should
be re-assigned to CVE. Hell, the existing contract could stay in place so
very little is actually changed. For those not aware, NVD outsources the
CVSS scoring to Booz Allen junior analysts. The only real value NVD
brings to the table, that so many rely on them for, is CVSS scoring.
Having those same analysts report to MITRE instead of NIST would eliminate
another issue many in the industry have, that being the extra day or three
delay between CVE assignment and CVSS scoring. If CVE had those analysts,
they could get a score affiliated with a CVE assignment that much quicker,
not have to go through the daily push of data to NVD who then pushes it on
Again, it's the government, two agencies and two contractors that make up
the mess of funding and actual work. I know it is a small miracle to make
big changes like that (on paper).
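The reference-dump exchange described in the message above (one side exports OSVDB - CVE - Secunia - BID rows, the other exports CVE - internal_id rows, and each imports the other's set to pick up new cross-references and to find the CVEs it is missing) is simple enough to show end to end. The following is an added illustration written for this page, not code from the mailing list, OSVDB, CVE or any vendor; the column names, the two export snippets and every identifier in them are constructed. It goes slightly beyond the text in allowing several internal IDs for one CVE and in setting aside rows that carry no CVE, since those cannot be matched by this method.

```python
"""Cross-reference exchange between two vulnerability databases.

Added illustration (not code from the mailing list or any VDB). Side A exports
rows like osvdb,cve,secunia,bid; side B exports cve,internal_id. Joining on the
shared CVE ID gives each side the other's identifiers plus a list of CVEs that
exist in the other database but not its own. All sample rows are constructed.
"""
import csv
import io

# Constructed sample export from side A (OSVDB-style cross references).
# An empty field means "no reference of that kind".
SIDE_A_EXPORT = """\
osvdb,cve,secunia,bid
80001,CVE-2012-0001,47001,51001
80002,CVE-2012-0002,,51002
80003,,47003,51003
80004,CVE-2012-0004,47004,
"""

# Constructed sample export from side B (vendor internal IDs keyed by CVE).
SIDE_B_EXPORT = """\
cve,internal_id
CVE-2012-0001,VENDOR-100
CVE-2012-0002,VENDOR-101
CVE-2012-0002,VENDOR-102
CVE-2012-0009,VENDOR-103
"""


def parse_export(text):
    """Parse a CSV export into a list of {column: value} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def index_by_cve(rows):
    """Group rows by CVE ID; rows with no CVE cannot be matched this way."""
    by_cve = {}
    unmatched = []
    for row in rows:
        cve = (row.get("cve") or "").strip()
        if cve:
            by_cve.setdefault(cve, []).append(row)
        else:
            unmatched.append(row)
    return by_cve, unmatched


def merge_crossrefs(a_rows, b_rows):
    """Return (merged, only_in_a, only_in_b).

    merged: {cve: {column: set(values)}} holding every non-empty identifier
    either side has for that CVE. only_in_a / only_in_b: sorted CVE IDs one
    side holds that the other lacks, i.e. the list each side should investigate.
    """
    a_by, _ = index_by_cve(a_rows)
    b_by, _ = index_by_cve(b_rows)
    merged = {}
    for cve in set(a_by) | set(b_by):
        fields = {}
        for row in a_by.get(cve, []) + b_by.get(cve, []):
            for column, value in row.items():
                if column != "cve" and value and value.strip():
                    fields.setdefault(column, set()).add(value.strip())
        merged[cve] = fields
    only_in_a = sorted(set(a_by) - set(b_by))
    only_in_b = sorted(set(b_by) - set(a_by))
    return merged, only_in_a, only_in_b


def run_exchange():
    """Run the exchange on the constructed exports."""
    return merge_crossrefs(parse_export(SIDE_A_EXPORT), parse_export(SIDE_B_EXPORT))


if __name__ == "__main__":
    merged, only_a, only_b = run_exchange()
    for cve in sorted(merged):
        print(cve, {k: sorted(v) for k, v in sorted(merged[cve].items())})
    print("In A but not B:", only_a)
    print("In B but not A:", only_b)
```

The "only in the other database" lists are the part worth automating: each side gets a short, concrete queue of IDs to check for missed disclosures or duplicates, instead of comparing whole databases by hand.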