
RE: The CVE-10K Problem (fwd)

pmeunier wrote:
> Funding for the CVE should be a requirement for the DHS, at whatever
> level is needed for it to function correctly and without undue stress
> on team members.  The CVE is a necessary foundation for vulnerability
> handling and research (or as I said before, "the key"), and many
> aspects of security.   

Paraphrasing a quote that my wife used to have taped on our 
refrigerator door when we were in grad school... 
   Of the making of software packages there is no end, and 
   much vulnerability research is a weariness of the flesh.

(It's from the last chapter of Ecclesiastes and originally stated
about the making and study of books, for those dying to know).

I see this as being much, much bigger than a DHS or US Government
funding issue.   

As you've correctly noted Pascal, software is being authored
globally at a mind-blowing rate.  I have this picture in my 
mind.  It's of the little Dutch boy with his fingers in the
leaking dike.  And on the other side of the dike is the
massive tsunami wave of the global software market.  I don't
think the problem of software package identification is
scalable in this new world, much less the problem of 
vulnerability identification *within* those packages.

My sense is that end consumers of vulnerability management
solutions have learned that their limited dollars will only
buy partial coverage and are willing to settle for coverage
of the most important (to them) issues.  Dan Geer (and others) 
has said that enumerative security models don't scale and I
tend to agree with him.  

This is why I don't think this is *only* a government
funding issue.  More generally, I don't think the world is
willing to pay for coverage of all vulnerabilities in
all software packages at any part of the VM life-cycle.

We are all ears on ways to restructure the CVE id assignment
process to reduce the bottleneck.  I think we can make
substantial progress but I think we all must recognize that
a wave is coming.  Here is a list of things for us all to consider 
and discuss...

+ Can we agree on a list of "must be covered and covered quickly"
  set of software?  This would allow CVE to better focus its
  energy.  But other things will be excluded.

+ Can we streamline or automate the Candidate Naming process?
  And if this introduces more errors and duplicates, to what 
  extent can the community deal with errors?

+ Can we figure out reasonable ways to divide up the problem
  as Pascal suggests?


David Mann     |   CVE Project Lead   |  The MITRE Corporation
     e-mail:damann@mitre.org    |      cell:781.424.6003

Page Last Updated or Reviewed: May 22, 2007