
RE: CVE Information Sources & Scope



Ken noted:
>All said (and I'm certain that Steve would agree with me), there's simply
>no automated substitute for a quality SME who is obsessed with accuracy and
>thoroughness.  :)>

We all three are in agreement.

I just presented a paper at a conference making roughly this same point.  I stole this line from Matt Burton (who I hope returns to security work) who said we need to focus on effective computer augmentation, not merely computer automation.

-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================


>-----Original Message-----
>From: Williams, James K [mailto:James.Williams@ca.com]
>Sent: Wednesday, October 05, 2011 1:33 PM
>To: Mann, Dave; cve-editorial-board-list
>Subject: RE: CVE Information Sources & Scope
>
>Virtually every aspect of vuln processing can be automated, including:
>
>* searching by keyword on any website or mailing list archive (marc.info
>works great as long as keyword is at least 3 char)
>* monitoring web pages (i.e. vendor security and support home pages) and
>mailing lists for updates
>* using google or other search engine to monitor smaller vendor sites,
>support forums, bugtracking systems
>* keyword searching on pastebin
>* IRC channel logging, and search through published logs
>* monitoring twitter feeds for new twitter feeds and for links to websites
>with vuln content
>* loading of a vuln queue based on content culled from above actions
>* filtering noise out of vuln queue
>* CVE assignment, after very brief cursory review by human
>
>In the end, it becomes a matter of manpower vs acceptable level of
>accuracy.
>
>In my experience, I have found that vendors modify their security and
>support page locations and formats so often that frequent manual review is
>necessary.  I've also found that queue filtering is best left to human
>SMEs.
>
>Even SMEs though can automate portions of their work by using custom
>browser add-ons and features, mail client filters, etc.
>
>
>All said (and I'm certain that Steve would agree with me), there's simply
>no automated substitute for a quality SME who is obsessed with accuracy and
>thoroughness.  :)>
>
>Thanks and regards,
>Ken Williams, Director
>CA Technologies Product Vulnerability Response Team
>CA Technologies Business Unit Operations
>wilja22@ca.com - 816-914-4225
>
>
>-----Original Message-----
>From: Mann, Dave [mailto:damann@mitre.org]
>Sent: Wednesday, October 05, 2011 11:21 AM
>To: Williams, James K; cve-editorial-board-list
>Subject: RE: CVE Information Sources & Scope
>
>>editorial-board-list@lists.mitre.org] On Behalf Of Williams, James K
>>Good points, Art.  In particular, quicker issuance of CVE identifiers
>>would be great.
>
>I triple promise that we're going to have the speed of issuance discussion.
>Promise.
>
>
>
>>As far as monitoring of twitter and blogs goes, we also need to
>>consider
>>monitoring:
>>* pastebin,
>>* smaller vendor bugtracking systems (I find vulns every week, in
>>widely used software, that never make it to BugTraq, Secunia, or CVE),
>>* discussion forums (in a variety of languages, and many require
>>registration),
>>* reddit,
>>* IRC,
>>* and whatever other communication/dissemination mediums become popular
>>(again) next month.
>>
>>When expanding monitoring of these types of sources, extensive
>>automation is necessary.
>
>James, could you talk more about automation techniques for monitoring these
>sources?
>
>
>
>-Dave
>==================================================================
>David Mann | Principal Infosec Scientist | The MITRE Corporation
>------------------------------------------------------------------
>e-mail:damann@mitre.org | cell:781.424.6003
>==================================================================
>
>
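The two automation steps Ken describes above, monitoring a vendor page for updates and loading a vuln queue from what changed while filtering out noise, are shown here as an added example. This is not code from the thread or from CA or MITRE; the page texts, the keyword list, the noise patterns (timestamp lines such as "Last updated:") and the 3-character keyword floor borrowed from the marc.info remark are all constructed assumptions for illustration.

```python
"""Added example: change detection on a monitored page plus keyword triage
into an intake queue.  Not code from the CVE editorial board thread; all page
contents, keywords and noise patterns below are constructed samples."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Lines that change on every fetch but carry no vuln information.  Dropping
# them before hashing avoids a "page changed" alert on every poll.
NOISE_PATTERNS = [
    re.compile(r"^Last updated:.*$", re.I),
    re.compile(r"^Generated at .*$", re.I),
    re.compile(r"^\s*$"),
]

# Assumed trigger keywords; short tokens are filtered out (marc.info needs
# at least 3 characters, and shorter tokens match too much noise anyway).
MIN_KEYWORD_LEN = 3
KEYWORDS = [k for k in ["overflow", "injection", "xss", "csrf", "cve-",
                        "denial of service", "advisory", "vulnerab", "rc"]
            if len(k) >= MIN_KEYWORD_LEN]


def normalize(text: str) -> list[str]:
    """Strip noise lines and surrounding whitespace so only content is compared."""
    return [line.strip() for line in text.splitlines()
            if not any(p.match(line) for p in NOISE_PATTERNS)]


def fingerprint(text: str) -> str:
    """Stable hash of the normalized page; equal hashes mean nothing of interest changed."""
    return hashlib.sha256("\n".join(normalize(text)).encode("utf-8")).hexdigest()


@dataclass
class QueueItem:
    source: str
    line: str
    keywords: list[str]


@dataclass
class Monitor:
    snapshots: dict[str, str] = field(default_factory=dict)      # source -> fingerprint
    seen_lines: dict[str, set[str]] = field(default_factory=dict)  # source -> queued lines

    def poll(self, source: str, content: str) -> list[QueueItem]:
        """Return new queue items found in `content`; empty if the page is unchanged."""
        fp = fingerprint(content)
        if self.snapshots.get(source) == fp:
            return []
        self.snapshots[source] = fp
        seen = self.seen_lines.setdefault(source, set())
        items = []
        for line in normalize(content):
            if line in seen:          # already queued on an earlier poll
                continue
            seen.add(line)
            hits = [k for k in KEYWORDS if k in line.lower()]
            if hits:                  # no keyword hit: treat as noise, do not queue
                items.append(QueueItem(source, line, hits))
        return items


# Constructed page snapshots for one hypothetical vendor advisory page.
PAGE_V1 = """Acme Widget Security Advisories
Last updated: 2011-10-05 13:00
ACME-2011-01: buffer overflow in widgetd (fixed in 2.3.1)
ACME-2011-02: reflected XSS in admin console
Contact: security@example.com
"""
PAGE_V2 = PAGE_V1.replace("13:00", "14:00")              # only the timestamp moved
PAGE_V3 = PAGE_V2 + "ACME-2011-03: SQL injection in report export\n"


def run_demo() -> list[list[QueueItem]]:
    """Poll three successive snapshots and return what each poll queued."""
    mon = Monitor()
    return [mon.poll("acme-advisories", p) for p in (PAGE_V1, PAGE_V2, PAGE_V3)]


if __name__ == "__main__":
    for n, items in enumerate(run_demo(), 1):
        print(f"poll {n}: {len(items)} new item(s)")
        for it in items:
            print(f"  [{', '.join(it.keywords)}] {it.line}")
```

The first poll queues the two advisory lines and ignores the contact line; the second poll, where only the timestamp changed, produces nothing because the normalized fingerprint is unchanged; the third queues only the new SQL injection entry. Which lines count as noise and which keywords trigger are exactly the knobs the thread says a human SME ends up tuning by hand.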




Page Last Updated or Reviewed: November 06, 2012