
Re: CVEs for FinTech



On Sun, 1 May 2016, Scott Lawler wrote:

: Something to think about is whether or not CVE should be tracking vulns
: in systems-of-systems (like SWIFT) or do we stay at the lower level of
: operating systems, application software, etc.
: 
: There are thousands of larger systems made up of an infinite set of
: vulnerable sub components--with common vulns.

Vulns should be assigned based on 'where the flaw is'. If that is in a 
third-party component, that should be tracked ideally. Failing to have 
that information, we can only assign for the larger software package that 
bundles the rest.

I've found it is helpful when approaching companies to explain the benefit 
of them 'blaming the third-party code' so to speak, that in the long run, 
vulnerability stats don't reflect as poorly on them. A bit of motivation 
for them to come clean, at least enough to confirm the issue isn't in 
their code.

I also had an offlist discussion with Kurt on this last night, and so far 
the articles available do not positively show there is a vuln in SWIFT. 
Rather, the articles talk about the attackers obtaining legitimate 
credentials to the system, where they had access to manipulate the SWIFT 
software (e.g. phishing -> malware). If so, that wouldn't warrant a CVE ID.


Page Last Updated or Reviewed: May 02, 2016