[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE Information Sources & Scope

Virtually every aspect of vuln processing can be automated, including:

* searching by keyword on any website or mailing list archive (marc.info works great as long as keyword is at least 3 char)
* monitoring web pages (ie. vendor security and support home pages) and mailing lists for updates
* using google or other search engine to monitor smaller vendor sites, support forums, bugtracking systems
* keyword searching on pastebin
* IRC channel logging, and search through published logs
* monitoring twitter feeds for new twitter feeds and for links to websites with vuln content
* loading of a vuln queue based on content culled from above actions
* filtering noise out of vuln queue
* CVE assignment, after very brief cursory review by human

In the end, it becomes a matter of manpower vs acceptable level of accuracy.

In my experience, I have found that vendors modify their security and support page locations and formats so often that frequent manual review is necessary.  I've also found that queue filtering is best left to human SMEs.

Even SMEs though can automate portions of their work by using custom browser add-ons and features, mail client filters, etc.

All said (and I'm certain that Steve would agree with me), there's simply no automated substitute for a quality SME who is obsessed with accuracy and thoroughness.  :)

Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com - 816-914-4225

-----Original Message-----
From: Mann, Dave [mailto:damann@mitre.org] 
Sent: Wednesday, October 05, 2011 11:21 AM
To: Williams, James K; cve-editorial-board-list
Subject: RE: CVE Information Sources & Scope

>editorial-board-list@lists.mitre.org] On Behalf Of Williams, James K 
>Good points, Art.  In particular, quicker issuance of CVE identifiers 
>would be great.

I triple promise that we're going to have the speed of issuance discussion.   Promise.

>As far as monitoring of twitter and blogs goes, we also need to 
>* pastebin,
>* smaller vendor bugtracking systems (I find vulns every week, in 
>widely used software, that never makes it to BugTraq, Secunia, or CVE),
>* discussion forums (in a variety of languages, and many require 
>* reddit,
>* IRC,
>* and whatever other communication/dissemination mediums become popular 
>(again) next month.
>When expanding monitoring of these types of sources, extensive 
>automation is necessary.

James, could you talk more about automation techniques for monitoring these sources?

David Mann | Principal Infosec Scientist | The MITRE Corporation
e-mail:damann@mitre.org | cell:781.424.6003 ==================================================================

Page Last Updated or Reviewed: November 06, 2012