
Re: CVEs for FinTech

On Sun, 1 May 2016, Scott Lawler wrote:

: Something to think about is whether or not CVE should be tracking 
: systems-of-systems (like SWIFT) or do we stay at the lower level 
: operating systems, application software, etc.
: There are thousands of larger systems made up of an infinite set of 
: vulnerable sub components--with common vuls.

Vulns should be assigned based on 'where the flaw is'. If that is in a 
third-party component, that should be tracked ideally. Failing to have 
that information, we can only assign for the larger software package 
bundles the rest.

I've found it is helpful when approaching companies to explain the 
of them 'blaming the third-party code' so to speak, that in the long 
vulnerability stats don't reflect as poorly on them. A bit of 
for them to come clean, at least enough to confirm the issue isn't in 
their code.

I also had an offlist discussion with Kurt on this last night, and so 
the articles available do not positively show there is a vuln in SWIFT. 
Rather, the articles talk about the attackers obtaining legitimate 
credentials to the system, where they had access to manipulate the 
software (e.g. phishing -> malware). If so, that wouldn't warrant a CVE 

Page Last Updated or Reviewed: May 02, 2016