Re: The CVE-10K Problem

• To: pmeunier <pmeunier@cerias.net>, "Mann, Dave" <damann@mitre.org>
• Subject: Re: The CVE-10K Problem
• From: Alfred Huger <alfred_huger@symantec.com>
• Date: Tue, 16 Jan 2007 17:42:18 -0700
• Cc: "Steven M. Christey" <coley@rcf-smtp.mitre.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
• Delivery-Date: Tue Jan 16 19:42:25 2007
• In-Reply-To: <45AD5BD0.9000603@cerias.net>
• Thread-Index: Acc50FcQlZ5tzKXDEdukPQAWy5lChQ==
• Thread-Topic: The CVE-10K Problem
• User-Agent: Microsoft-Entourage/11.3.3.061214

This seems like a great deal of conversation for a pretty simple issue.
Steve, perhaps you could solve it unilaterally?




On 1/16/07 4:12 PM, "pmeunier" <pmeunier@cerias.net> wrote:

> Dave,
> "It doesn't scale" are words that I've heard too often to discredit
> something out-of-hand.  Expecting a constant effort to be able to handle
> any number of vulnerabilities doesn't make sense.  However, the effort
> necessary to enumerate products should scale linearly with the number of
> products.  So should enumerating already discovered vulnerabilities (not
> discovering them).  If you see any reason why this wouldn't work, please
> enlighten me (I assume this is what you mean by "doesn't scale"?).  The
> question is how to get resources proportional to the number of
> discovered vulnerabilities.  Not increasing the funding of the CVE
> effort when the number of vulnerabilities increases so dramatically
> doesn't make sense, and we've had many years of that.
> 
> To continue your metaphor, if the U.S. keeps playing alone, there is no
> doubt that we'll drown.  You'll have to try to guess which products are
> the most used or deployed and it will be ugly.  Involving other
> countries and requesting participation (i.e., funding) proportional to
> the number of products they develop, which should be roughly
> proportional to the number of vulnerabilities overall, is the way to go.
>   I don't know how to make it all happen but it doesn't matter.  I know
> how to start:  by engaging people from different countries.  Some of
> them will know how to make it happen in their home countries.  The U.S.
> should stop trying to be the Lone Ranger, and should recruit to create a
> cavalry regiment.
> 
> Regards,
> Pascal
> 
> 
> Mann, Dave wrote:
>> pmeunier wrote:
>>> Funding for the CVE should be a requirement for the DHS, at whatever
>>> level is needed for it to function correctly and without undue stress
>>> on team members.  The CVE is a necessary foundation for vulnerability
>>> handling and research (or as I said before, "the key"), and many
>>> aspects of security.
>> 
>> 
>> Paraphrasing a quote that my wife used to have taped on our
>> refrigerator door when we were in grad school...
>>    Of the making of software packages there is no end, and
>>    much vulnerability research is a weariness of the flesh.
>> 
>> (It's from the last chapter of Ecclesiastes and originally stated
>> about the making and study of books, for those dying to know).
>> 
>> I see this as being much, much bigger than a DHS or US Government
>> funding issue.  
>> 
>> As you've correctly noted Pascal, software is being authored
>> globally at a mindblowing rate.  I have this picture in my
>> mind.  It's of the little Dutch boy with his fingers in the
>> leaking dike.  And on the other side of the dike, is the
>> massive tsunami wave of the global software market.  I don't
>> think the problem of software package identification is
>> scalable in this new world, much less the problem of
>> vulnerability identification *within* those packages.
>> 
>> My sense is that end consumers of vulnerability management
>> solutions have learned that their limited dollars will only
>> buy partial coverage and are willing to settle for coverage
>> of the most important (to them) issues.  Dan Geer (and others)
>> has said that enumerative security models don't scale and I
>> tend to agree with him.
>> 
>> This is why I don't think this is *only* a government
>> funding issue.  More generally, I don't think the world is
>> willing to pay for coverage of all vulnerabilities in
>> all software packages at any part of the VM life-cycle.
>> 
>> 
>> We are all ears on ways to restructure the CVE id assignment
>> process to reduce the bottle neck.  I think we can make
>> substantial progress but I think we all must recognize that
>> a wave is coming.  Here is a list of things for us all to consider
>> and discuss...
>> 
>> + Can we agree on a list of "must be covered and covered quickly"
>>   set of software?  This would allow CVE to better focus it's
>>   energy.  But other things will be excluded.
>> 
>> + Can we streamline or automate the Candidate Naming process?
>>   And if this introduces more errors and duplicates, to what
>>   extent can the community deal with errors?
>> 
>> + Can we figure out reasonable ways to divide up the problem
>>   as Pascal suggests?
>> 
>> Thoughts?
>> 
>> -Dave
>> ==================================================================
>> David Mann     |   CVE Project Lead   |  The MITRE Corporation
>> ------------------------------------------------------------------
>>      e-mail:damann@mitre.org    |      cell:781.424.6003
>> ==================================================================
>> 
>> 

• Follow-Ups:
  • Re: The CVE-10K Problem
    • From: pmeunier <pmeunier@cerias.net>

• References:
  • Re: The CVE-10K Problem (fwd)
    • From: pmeunier <pmeunier@cerias.net>

• Prev by Date: Re: The CVE-10K Problem (fwd)
• Next by Date: Re: The CVE-10K Problem
• Prev by thread: Re: The CVE-10K Problem (fwd)
• Next by thread: Re: The CVE-10K Problem
• Index(es):
  • Date
  • Thread