
Re: CVE Must-Have Coverage



Tracking vulnerabilities in the following would be good, too, as their use is spread quite widely:
ISC Bind / dhcpd
OpenSSL
Kerberos
potentially other core technologies, such as zlib, which have low frequency vulnerabilities, but wide impact.

Also, perhaps something to track zero-day-ish things that aren't reported to vendors:

My 2 cents. 
Andy

On Oct 11, 2011, at 3:03 PM, Mann, Dave wrote:

Folks,

Below, please find a somewhat stabilizing set of vulnerability sources.

I've tried to capture the best consensus (not pure votes but close).

Please review the list and holler loudly and quickly if you see something you can't live with.   This is a living document so nothing is cast in stone.  Still gaining a level of agreement on the scope is a necessary first step.

I'm particularly concerned at the almost complete lack of desktop or enterprise software packages being called out by vendor.

Some are listed but by no means the majority.  The implication to me is that we're very much relying on non-vendor sources to shed light on these types of software.


-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

CVE VULNERABILITY INFORMATION SOURCES - PRIORITY


Government & Related Information Sources
 Must Have
   US-CERT Advisories (aka CERT-CC Advisories)
   US-CERT Vulnerability Notes (CERT-CC)
   US-CERT Bulletins (aka Cyber-Notes)   
   CMU/CERT-CC                                 
   DoD IAVAs                             
 Nice To Have
   NISCC                                 
   AUS-CERT                              
   DOE CIRC (formerly CIAC)               


Vendor Published Information
 Must Have
   Microsoft                                   
   RedHat                                      
   Apache                                      
   Apple OSX                                   
   Oracle                                      
   Solaris                                     
   Suse                                        
   Mandriva                                    
   HP-UX                                       
   AIX                                         
   Cisco IOS                                   
   Free BSD                                    
   Open BSD                                    
   Net BSD                                     
   Gentoo (Linux)                              
   Ubuntu (Linux)                              
   Adobe
   Mozilla
   Google Chrome
 Nice To Have  
   Debian                                      
   SCO     
   Cisco


Mailing Lists & VDBs
 Must Have
   Bugtraq                                     
   Full Disclosure                             
   Security Focus                              
   Security Tracker                            
   OSVDB                                       
   Oss-security                                
 Nice To Have
   ISS X-Force                                 
   FRSIRT  (VUPEN)                             
   Secunia                                     
   SecuriTeam                                  
   Metasploit                                  
   Snort                                       
   Contagiodump.blogspot.com                   
 Ignore
   Vuln-Watch                                  
   VulnDev                                     
   Packet Storm                                
   SANS Mailing List (Qualys)
   Neohapsis (Security Threat Watch)           



Page Last Updated or Reviewed: November 06, 2012