RE: CVE Information Sources & Scope

• To: "Williams, James K" <James.Williams@ca.com>, cve-editorial-board-list<cve-editorial-board-list@LISTS.MITRE.ORG>
• Subject: RE: CVE Information Sources & Scope
• From: "Mann, Dave" <damann@mitre.org>
• Date: Wed, 5 Oct 2011 15:17:54 -0400
• Accept-Language: en-US
• acceptlanguage: en-US
• Delivery-Date: Wed Oct 5 15:18:22 2011
• In-Reply-To: <ED311CBEE6993C428563DEDF6D083BC801DA32@usilms113b.ca.com>
• List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
• List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
• List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
• List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
• References: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG> <4E8B482F.2090602@cert.org> <ED311CBEE6993C428563DEDF6D083BC801CEAB@usilms113b.ca.com> <ED311CBEE6993C428563DEDF6D083BC801CF15@usilms113b.ca.com> <3FF9F74E63A7484EB3B88F04329CBEDC0444812B2E@IMCMBX1.MITRE.ORG> <ED311CBEE6993C428563DEDF6D083BC801DA32@usilms113b.ca.com>
• Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
• Thread-Index: AQHMgr6TpbdY+fwsQ3q+w22wYsQdkJVseVKggAAHGHCAAW038IAADdGQgAAlbJA=
• Thread-Topic: CVE Information Sources & Scope

Ken noted:
>All said (and I'm certain that Steve would agree with me), there's simply
>no automated substitute for a quality SME who is obsessed with accuracy and
>thoroughness.  :)>

We all three are in agreement.

I just presented a paper at a conference making roughly this same point.  I stole this line from Matt Burton (who I hope returns to security work) who said we need to focus on effective computer augmentation, not merely computer automation.

-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================


>-----Original Message-----
>From: Williams, James K [mailto:James.Williams@ca.com]
>Sent: Wednesday, October 05, 2011 1:33 PM
>To: Mann, Dave; cve-editorial-board-list
>Subject: RE: CVE Information Sources & Scope
>
>Virtually every aspect of vuln processing can be automated, including:
>
>* searching by keyword on any website or mailing list archive (marc.info
>works great as long as keyword is at least 3 char)
>* monitoring web pages (ie. vendor security and support home pages) and
>mailing lists for updates
>* using google or other search engine to monitor smaller vendor sites,
>support forums, bugtracking systems
>* keyword searching on pastebin
>* IRC channel logging, and search through published logs
>* monitoring twitter feeds for new twitter feeds and for links to websites
>with vuln content
>* loading of a vuln queue based on content culled from above actions
>* filtering noise out of vuln queue
>* CVE assignment, after very brief cursory review by human
>
>In the end, it becomes a matter of manpower vs acceptable level of
>accuracy.
>
>In my experience, I have found that vendors modify their security and
>support page locations and formats so often that frequent manual review is
>necessary.  I've also found that queue filtering is best left to human
>SMEs.
>
>Even SMEs though can automate portions of their work by using custom
>browser add-ons and features, mail client filters, etc.
>
>
>All said (and I'm certain that Steve would agree with me), there's simply
>no automated substitute for a quality SME who is obsessed with accuracy and
>thoroughness.  :)>
>
>Thanks and regards,
>Ken Williams, Director
>CA Technologies Product Vulnerability Response Team
>CA Technologies Business Unit Operations
>wilja22@ca.com - 816-914-4225
>
>
>-----Original Message-----
>From: Mann, Dave [mailto:damann@mitre.org]
>Sent: Wednesday, October 05, 2011 11:21 AM
>To: Williams, James K; cve-editorial-board-list
>Subject: RE: CVE Information Sources & Scope
>
>>editorial-board-list@lists.mitre.org] On Behalf Of Williams, James K
>>Good points, Art.  In particular, quicker issuance of CVE identifiers
>>would be great.
>
>I triple promise that we're going to have the speed of issuance discussion.
>Promise.
>
>
>
>>As far as monitoring of twitter and blogs goes, we also need to
>>consider
>>monitoring:
>>* pastebin,
>>* smaller vendor bugtracking systems (I find vulns every week, in
>>widely used software, that never makes it to BugTraq, Secunia, or CVE),
>>* discussion forums (in a variety of languages, and many require
>>registration),
>>* reddit,
>>* IRC,
>>* and whatever other communication/dissemination mediums become popular
>>(again) next month.
>>
>>When expanding monitoring of these types of sources, extensive
>>automation is necessary.
>
>James, could you talk more about automation techniques for monitoring these
>sources?
>
>
>
>-Dave
>==================================================================
>David Mann | Principal Infosec Scientist | The MITRE Corporation
>------------------------------------------------------------------
>e-mail:damann@mitre.org | cell:781.424.6003
>==================================================================
>
>

• References:
  • CVE Information Sources & Scope
    • From: "Mann, Dave" <damann@mitre.org>
  • Re: CVE Information Sources & Scope
    • From: Art Manion <amanion@cert.org>
  • RE: CVE Information Sources & Scope
    • From: "Williams, James K" <James.Williams@ca.com>
  • RE: CVE Information Sources & Scope
    • From: "Williams, James K" <James.Williams@ca.com>
  • RE: CVE Information Sources & Scope
    • From: "Mann, Dave" <damann@mitre.org>
  • RE: CVE Information Sources & Scope
    • From: "Williams, James K" <James.Williams@ca.com>

• Prev by Date: RE: CVE Information Sources & Scope
• Next by Date: Re: Update Disclosure Sources List - Please Vote!
• Prev by thread: RE: CVE Information Sources & Scope
• Next by thread: Re: CVE Information Sources & Scope
• Index(es):
  • Date
  • Thread