
Re: Sources: Full and Partial Coverage



Here is a response from one of our internal vulnerability tracking managers:

For the list below, only a couple I see that do not seem prioritized as I'd expect: Red Hat, McAfee and Symantec.  McAfee and Symantec actual products (not the Security Focus lists) are widely used enterprise and government products with a global presence.  And additional emphasis because they are security products that immediately impact an organization's security state.  Not talking about AV signatures or threat vulnerability reporting services, but actual vulnerabilities in their products can have severe impacts.
 
Red Hat is the other; a good bellwether for multiple products.  Also widely used, and from our experience we often see new vulnerabilities, fixes and security advisories/updates from them prior to the other Linux vendors or the open source community (linux.orgkernel.org…).  Those vulnerabilities also spin off to the many Red Hat derivatives also widely used like CentOS and MonteVista for embedded Linux versions.  Not sure why they are considered a challenge to cover.  Seems to me like they are solid in their security practices and open/public reporting.
 
Possibly one other is FreeBSD; it is still pretty widely used for hosting web services, particularly with smaller service providers.  And it is another of those bellwether products like Red Hat, that if there is a vulnerability in FreeBSD, it will impact and carry over to all those products built on FreeBSD, i.e. if you cover them you don’t really need to cover all the derivatives but you have them covered.  Would not cover the ports collection, just the base OS.

Andy

On May 10, 2012, at 2:50 PM, Mann, Dave wrote:

Folks,

Three comments...

1) Our language has moved from "must have/nice to have" to "fully covered/partially covered".

2) In our current discussion, we are only considering sources that you all identified as "must haves" in our prior discussion. The list that I posted last Friday broke your previous "must haves" into 2 sub-groups: sources that the CVE team agrees should be "fully covered" and sources that the CVE team believes should be demoted to "partially covered status".

THE PRIMARY QUESTIONS WE'RE SEEKING GUIDANCE ON ARE:
A) SHOULD ANY OF OUR SUGGESTED PARTIALLY COVERED SOURCES BE PROMOTED BACK TO FULLY COVERED STATUS?
B) ARE THERE ANY OTHER SOURCES YOU BELIEVE SHOULD BE FULLY COVERED?

3) As you consider these questions, please bear in mind that we have a very long list of sources previously designated as "nice to have". We would ask that you hold your suggestions for other partially covered (aka nice to have) sources for later, when we consider the full list of partially covered sources (in addition to those we suggest demoting).



Here are the lists again, along with a list of sources that have been nominated as needing to be fully covered.  We would like more discussion on the fully covered sets.  Note, we may not be able to cover all of the sources being nominated as full coverage, so please consider and defend your nominations in that light.


SHOULD BE FULLY COVERED
-----------------------
US-CERT: Technical Cyber Security Alerts
RealNetworks (real.com)
Apple
EMC, as published through Bugtraq
VMware
Google: Google Chrome (includes WebKit)
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
MIT Kerberos
Adobe
Apache Software Foundation: Apache HTTP Server
Cisco: Security Advisories/Responses
HP: Security Bulletins
Microsoft: Security Bulletins/Advisories
Mozilla
Oracle


SHOULD BE MONITORED BUT SELECTIVELY COVERED (being demoted)
-------------------------------------------
US-CERT: Vulnerability Notes [1]
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1) [1]
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid) [1]
Full Disclosure [1]
OSVDB [1]
SecurityTracker [1]
FreeBSD [2]
NetBSD [2]
OpenBSD [2]
Mandriva [2]
oss-security [3]
IBM: issues not in IBM ISS X-Force Database [4]


PRESENT BIG CHALLENGES THAT MERIT DISCUSSION AT A LATER TIME
------------------------------------------------------------
Debian
Red Hat
Attachmate: SUSE
Ubuntu (Linux)



Requests for Additional Fully-Covered Sources
----------------------------------------------
Juniper - JTAC Technical Bulletins
Citrix / Xen
ASF: Apache Tomcat
Samba Security Updates and Information
PHP
FoxIt Support Center - Security Advisories
Symantec Security (Not BIDs but actual Symantec Advisories)
McAfee Security
Exploit Database (for entries containing exploit code)

-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================


Page Last Updated or Reviewed: November 06, 2012