Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
On Mon, Jun 28, 1999 at 04:43:16PM -0400, Steven M. Christey wrote:
>
> I believe that the Same Attack approach has more practical, everyday
> usage than Spaf's Same Codebase perspective, since (a) it's at the
> level that IDSes and scanners would operate at; and (b) it's at the
> level that (in my experience) sysadmins like to see it at, especially
> as they pore through the voluminous results of security tools. I
> believe that as long as we make sure that the description identifies
> all affected applications, then the current CVE content decision
> remains the most appropriate for the community at large, especially
> when considering the "end users."
>
> Comments?
Both approaches are reasonable, but as you clearly explain, they serve
different audiences. So I guess we have to make a decision. Is the
CVE going to be a scientific study of vulnerabilities, or are we
going to make things easy for the sys admins? Having just dealt with
creating a vulnerability database with the sysadmin in mind I would
opt for the Same Attack level of abstraction. As you also point out,
selecting "Same Codebase" may not be easy in practice. Hell, we don't
even know if a codebase changed between product revision numbers.
Unless we are omniscient we do not have enough information to
go with Same Codebase without making a lot of assumptions (which
translates into the CVE containing errors or at least not being
accurate).
>
> - Steve
>
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01