[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Sources: Full and Partial Coverage
- To: Damir Rajnovic <gaus@cisco.com>
- Subject: Re: Sources: Full and Partial Coverage
- From: Adam Shostack <adam@homeport.org>
- Date: Mon, 11 Jun 2012 12:07:02 -0400
- CC: security curmudgeon <jericho@attrition.org>, cve-editorial-board-list<cve-editorial-board-list@LISTS.MITRE.ORG>
- Delivery-Date: Mon Jun 11 12:08:42 2012
- In-Reply-To: <20120521133539.GD9865@MacGaus.cisco.com>
- List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <2F43C4D2BE8AD24C8AC17D8C64B379B316E94C@IMCMBX01.MITRE.ORG> <CBD696D8.32CFA%kent_landfield@mcafee.com> <2F43C4D2BE8AD24C8AC17D8C64B379B3172CB9@IMCMBX01.MITRE.ORG> <D7A0423E5E193F40BE6E94126930C4930B994ABB80@MBCLUSTER.xchange.nist.gov> <20120518104737.GT9865@MacGaus.cisco.com> <alpine.LNX.2.00.1205181251230.11561@forced.attrition.org> <20120521133539.GD9865@MacGaus.cisco.com>
- Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
- User-Agent: Mutt/1.5.13 (2006-08-11)
Sorry to come back into this discussion late. I'd like to share a recent use case where coverage by product would have been insufficient. My goal was to study how computers become compromised. As a proxy for one subset of that, I was using the Contagio "overview of exploit packs" [1]. Foreach element in that list, I was investigating when it became publicly known, when it was patched, and several other properties of the vuln and the update. The searches for which I had CVEs took me 5-10 minutes per CVE. Several of the ones for which I didn't have CVEs took between 2 hours and failed to finish. The vulns exploited by exploit packs are selected by the authors of the packs, with a goal of compromising a large number of computers. I don't believe any product-centered view of the world would be sufficient. We could, perhaps, define this work as outside the goal of CVE, but I think that might be putting a patch management goal above a vuln management goal. We should not do that accidentally, nor do I think it's a good prioritization. We could work around it by adding things like exploit kits as 'products', but I believe that stretches the definition of products that most people here seem to have in mind. Adam [1] http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html On Mon, May 21, 2012 at 02:35:39PM +0100, Damir Rajnovic wrote: | Hi, | | No, not really. By definition CVE is the best effort project. It is so | because we rely on others (i.e., vendors, researches) to provide the information. | Until we have vendors comitted assigning CVE themselves that will continue | to be so. | | Estimating how many vulnerabilities are not covered can also be questioned. | Some vendors may quietly fix things and never admitting that fact. Would | you count that as lack of coverage? I would _if_ I manage to establish that | this really happened. What are other ways that vulnerability may 'escape'? | | The bottom line is that I am a pragmatist and will take what there is available | to get the job done. If we cannot reliably estimate coverage I would still | use CVE. | | Gaus | | | On Fri, May 18, 2012 at 12:51:56PM -0500, security curmudgeon wrote: | > On Fri, 18 May 2012, Damir Rajnovic wrote: | > | > : Hear, hear! Defining the goal in the scope of products is much better | > : than sources and I am saying this as a consumer of CVEs. I have a piece | > : of SW and I would like to know what is going with it. If the currently | > : used sources do not cover the product 100% then the workaround can be to | > : publicly say "we cover product X to an estimate 80% (or whatever)". That | > : way CVE consumers are told of the situation. | > | > Does your answer change if the percentage cannot be answered with any | > certainty at all? | | ============== | Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems | <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033 | 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB | ============== | There are no insolvable problems. | The question is can you accept the solution? | | | Incident Response and Product Security | http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644 | | | - - - - | Cisco.com - http://www.cisco.com/global/UK | | This e-mail may contain confidential and privileged material for the sole | use of the intended recipient. Any review, use, distribution or disclosure by | others is strictly prohibited. If you are not the intended recipient (or | authorized to receive for the recipient), please contact the sender by reply | e-mail and delete all copies of this message. | | Cisco Systems Limited (Company Number: 02558939), is registered in England | and Wales with its registered office at 1 Callaghan Square, Cardiff, | South Glamorgan CF10 5BT | | For corporate legal information go to: | http://www.cisco.com/web/about/doing_business/legal/cri/index.html
- Follow-Ups:
- Re: Sources: Full and Partial Coverage
- From: Damir Rajnovic <gaus@cisco.com>
- Re: Sources: Full and Partial Coverage
- Prev by Date: RE: Sources: Full and Partial Coverage
- Next by Date: Re: Sources: Full and Partial Coverage
- Prev by thread: RE: Sources: Full and Partial Coverage
- Next by thread: Re: Sources: Full and Partial Coverage
- Index(es):
