RE: What is the future of CVE - Scope, Volume & Quality?
Folks,
Mark and Kent have both raised interesting questions, which I'll try to address briefly below. But the primary point of this note is to drive the focus of the discussion to the twin questions of scope of information sources and vendor/product coverage. We really believe that before any other issue can be addressed adequately, the Editorial Board needs to come to agreement on these 2 questions.
First, let me attempt to address the 2 interesting issues in the hopes of quickly setting them aside.
RESOURCES
==========
Mark asked:
> It seems to me that the resource issue is a problem at the moment; for example we are building up a steady backlog of CNA allocated issues that are not yet in CVE (over 300 issues). Are there ways you can add staff to deal with specific tasks without increasing the chance of CVE duplications?
Our experience with the Common Malware Enumeration suggests that it is possible for a space to simply become overwhelmed by any enumerative approach. We are also very aware that the law of diminishing returns kicks in rather severely. Covering the most important information sources for the most important products is one thing. Covering everything is another. For this reason, it is absolutely essential that we come to agreement on what the "must haves" are and what can be considered "nice-to-have" in terms of sources and products covered.
Let me put this another way... There is no rational way to say that CVE's resourcing level is too low or too high unless we can compare CVE's performance to an agreed upon set of "must have" goals in terms of information sources and products covered. Mark, your example of CNA allocated issues is a good illustration. Are all CNA allocated issues "must haves"? Unless we can answer that question, we can't address resourcing.
ANALYSIS PROCESS
=================
Kent wrote:
> The problem is what is the future of CVE from a maturation perspective? How do we mature the effort so that we can put in place a useful vulnerability identification and analysis capability that will survive and continue to be a valuable resource for the next couple decades? Key word here is analysis. The analytic aspects are an important aspect of what CVE provides today. It cannot be watered down becoming nothing more than a simple reporting mechanism for vendor related disclosures.
We've been looking at the CVE project as an analytical capability for the past 4 years or so. Sure did take us a while! It turns out that a) MITRE has a lot of experience in studying analysis processes and in creating tools to support analytical capabilities and b) the CVE team has several engagements with folks who do that sort of work with an eye on maturing the CVE analytical processes. Not surprisingly, different "must-haves" lead to different processes. In fact, the 4 questions we posed grew directly out of our internal work on analysis process review.
Let me emphasize that we agree with both questions. Resource discussions and analytical process are critical things for us to discuss as we consider CVE's future.
But until we can agree on the must haves, we can't make progress on those fronts.
We strongly suggest these are the 2 most important first questions:
1. Sources
   a. Which sources of vulnerability disclosures should be considered "must haves" for which we provide "reference complete" coverage?
   b. Which sources should be considered "nice-to-haves"?
   c. Which sources should be considered "can be safely ignored" (e.g. they just cause noise)?
2. Coverage
   a. Which vendors and software products should we consider "must haves" in that we will provide coverage for all reliable vulnerability reports for them?
   b. Which products or vendors should be considered "nice-to-haves"?
   c. Which ones should be considered "can be safely ignored" (e.g. php.golf)?
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
From: "Mann, Dave" <damann@mitre.org>
To: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Date: Tue, 4 Oct 2011 10:39:37 -0400
Subject: CVE Information Sources & Scope
Folks,
I've been away at a conference and just back so thought I would nudge the conversation regarding CVE forward.
We really need to push further on questions of scope before we can talk about staffing, speed and quality issues.
Below (under my sig file) is a list of possible information sources that CVE could use. This list is not meant to be complete, or even framed in the most helpful way. But, I want to get some form of specifics out to foster more discussion.
I've organized this into 4 groups: Government Information Sources, CNA Published Information, Non-CNA Vendor Advisories, Mailing Lists & VDBs.
Please review each sub-list and categorize each information source as:
+ must have
+ nice to have
+ should be ignored
The yardstick by which to consider these is: does CVE need to capture vulnerabilities from this source in order to fulfill its charter?
Also, if you see any "must have" or "nice to have" information sources, please add them to the list and
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
Government Information Sources
US-CERT Advisories (aka CERT-CC Advisories)
US-CERT Vulnerability Notes (CERT-CC)
US-CERT Bulletins (aka Cyber-Notes)
DoD IAVAs
NISCC
AUS-CERT
CIAC
CNA Published Information
CMU/CERT-CC
Microsoft
RedHat
Debian
Apache
Apple OSX
Oracle
Non-CNA Vendor Advisories
Solaris
Suse
Mandriva
HP-UX
SCO
AIX
Cisco IOS
Free BSD
Open BSD
Net BSD
Gentoo (Linux)
Ubuntu (Linux)
Mailing Lists & VDBs
Bugtraq
Vuln-Watch
VulnDev
Full Disclosure
Security Focus
Security Tracker
OSVDB
ISS X-Force
FRSIRT
Secunia
Packet Storm
SecuriTeam
SANS Mailing List (Qualys)
Neohapsis (Security Threat Watch)
From: "Mann, Dave" <damann@mitre.org>
To: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Date: Tue, 4 Oct 2011 11:24:02 -0400
Subject: Interviews - Heads Up
Folks,
Just wanted to let you all know that we (MITRE) may be contacting you to try to set up individual phone calls to discuss the CVE scoping issue.
It's incredibly important that we (as a Board) come to agreement about scope for CVE. While we encourage your engagement in the mailing list (fosters consensus), we also understand that it may be helpful to talk.
Thanks,
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
From: "Williams, James K" <James.Williams@ca.com>
To: "Mann, Dave" <damann@mitre.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: RE: CVE Information Sources & Scope
Date: Tue, 4 Oct 2011 16:14:19 +0000
Comments inline. Feel free to contact me if you have any questions or comments about my assignments.
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com - 816-914-4225
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Mann, Dave
Sent: Tuesday, October 04, 2011 9:40 AM
To: cve-editorial-board-list
Subject: CVE Information Sources & Scope
Government Information Sources
+ must have US-CERT Advisories (aka CERT-CC Advisories)
+ must have US-CERT Vulnerability Notes (CERT-CC)
+ must have US-CERT Bulletins (aka Cyber-Notes)
+ must have DoD IAVAs
+ nice to have NISCC
+ nice to have AUS-CERT
+ nice to have CIAC
CNA Published Information
+ must have CMU/CERT-CC
+ must have Microsoft
+ must have RedHat
+ nice to have Debian
+ must have Apache
+ must have Apple OSX
+ must have Oracle
Non-CNA Vendor Advisories
+ must have Solaris
+ must have Suse
+ must have Mandriva
+ must have HP-UX
+ should be ignored SCO
+ must have AIX
+ must have Cisco IOS
+ must have Free BSD
+ must have Open BSD
+ must have Net BSD
+ must have Gentoo (Linux)
+ must have Ubuntu (Linux)
Mailing Lists & VDBs
+ must have Bugtraq
+ should be ignored Vuln-Watch
+ should be ignored VulnDev
+ must have Full Disclosure
+ must have Security Focus
+ must have Security Tracker
+ must have OSVDB
+ nice to have ISS X-Force
+ nice to have FRSIRT
+ must have Secunia
+ must have Packet Storm
+ nice to have SecuriTeam
+ should be ignored SANS Mailing List (Qualys)
+ should be ignored Neohapsis (Security Threat Watch)
Date: Tue, 4 Oct 2011 11:43:58 -0500
Subject: Re: CVE Information Sources & Scope
From: Tom Stracener <strace@gmail.com>
To: "Mann, Dave" <damann@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Dave, Board,
My take on this:
Government Information Sources
+ must have US-CERT Advisories (aka CERT-CC Advisories)
+ must have US-CERT Vulnerability Notes (CERT-CC)
+ must have US-CERT Bulletins (aka Cyber-Notes)
+ must have DoD IAVAs
+ nice to have NISCC
+ nice to have AUS-CERT
+ nice to have CIAC
CNA Published Information
+ must have CMU/CERT-CC
+ must have Microsoft
+ must have RedHat
+ nice to have Debian
+ must have Apache
+ must have Apple OSX
+ must have Oracle
Non-CNA Vendor Advisories
+ must have Solaris
+ must have Suse
+ must have Mandriva
+ must have HP-UX
+ should be ignored SCO
+ must have AIX
+ must have Cisco IOS
+ must have Free BSD
+ must have Open BSD
+ must have Net BSD
+ must have Gentoo (Linux)
+ must have Ubuntu (Linux)
Mailing Lists & VDBs
+ must have Bugtraq
+ should be ignored Vuln-Watch
+ should be ignored VulnDev
+ nice to have Full Disclosure
+ must have Security Focus
+ must have Security Tracker
+ nice to have OSVDB
+ nice to have ISS X-Force
+ nice to have FRSIRT
+ nice to have Secunia
+ should be ignored Packet Storm
+ nice to have SecuriTeam
+ should be ignored SANS Mailing List (Qualys)
+ should be ignored Neohapsis (Security Threat Watch)
Date: Tue, 4 Oct 2011 13:53:51 -0400
From: Art Manion <amanion@cert.org>
To: "Mann, Dave" <damann@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: CVE Information Sources & Scope
On 2011-10-04 10:39, Mann, Dave wrote:
> The yardstick by which to consider these is: does CVE need to capture vulnerabilities from this source in order to fulfill its charter?
IMO, the bigger discussion is the future of CVE, and therefore the future (or revised, reviewed, refreshed) charter.
Is CVE looking for original sources of vul information? Or broad coverage? Or efficient coverage of the "biggest" news in vuls?
The list below is adequate if a bit dated, and duplicative (CIAC changed their name, CIAC and AusCERT only republish vul information IIRC).
We (CERT/CC) have a similarly adequate, but dated list. We're also possibly more interested in the first hints of a new vul report instead of something more authoritative that is ready for a CVE ID.
More new vul information comes out via twitter and blogs these days. Seems most of it probably reaches the sources below at some point. Exploit lists (metasploit, exploitdb) are other sources of new vul information, depending on what CVE is looking for.
Back to the bigger picture, I'm on the side of issuing more CVE IDs faster for more vul reports, having reasonable ways to distribute assignment and manage duplicates and false alarms. Accurate analysis is great, but can come a few days after the ID is issued. So my opinion is that CVE should refocus on being *the* leading, fairly comprehensive source of IDs (enumeration) for vul reports. Some other capability can do analysis or add further value later.
Goals, in time order (and as more information about a vul report becomes available):
1. Assign ID to vul report (More CNAs? More active CNAs?)
2. Manage duplicates, mistakes, etc.
3. Refine assignments (further duplicate resolution, merge/splits, final arbitration)
4. Accurate analysis
Don't wait for #4 to issue a CVE ID. Users need to be able to talk about "the thing" (a vul report), even (unfortunately) if "the thing" turns out to be a duplicate or false alarm.
> Government Information Sources
> US-CERT Advisories (aka CERT-CC Advisories)
> US-CERT Vulnerability Notes (CERT-CC)
> US-CERT Bulletins (aka Cyber-Notes)
> DoD IAVAs
> NISCC
> AUS-CERT
> CIAC
>
>
> CNA Published Information
> CMU/CERT-CC
> Microsoft
> RedHat
> Debian
> Apache
> Apple OSX
> Oracle
>
>
> Non-CNA Vendor Advisories
> Solaris
> Suse
> Mandriva
> HP-UX
> SCO
> AIX
> Cisco IOS
> Free BSD
> Open BSD
> Net BSD
> Gentoo (Linux)
> Ubuntu (Linux)
>
>
>
> Mailing Lists & VDBs
> Bugtraq
> Vuln-Watch
> VulnDev
> Full Disclosure
> Security Focus
> Security Tracker
> OSVDB
> ISS X-Force
> FRSIRT
> Secunia
> Packet Storm
> SecuriTeam
> SANS Mailing List (Qualys)
> Neohapsis (Security Threat Watch)
- Art
Date: Tue, 4 Oct 2011 14:01:42 -0400
From: Adam Shostack <adam@homeport.org>
To: "Mann, Dave" <damann@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: CVE Information Sources & Scope
Message-ID: <20111004180142.GB1806@homeport.org>
References: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
User-Agent: Mutt/1.5.13 (2006-08-11)
I apologize, but I'm going to add to (must/should/ignore) a don't know
which I'll just indicate by a dash.
Government Information Sources
must US-CERT Advisories (aka CERT-CC Advisories)
must US-CERT Vulnerability Notes (CERT-CC)
must US-CERT Bulletins (aka Cyber-Notes)
- DoD IAVAs
- NISCC
must AUS-CERT
ignore CIAC (My understanding is that CIAC advisories are
sufficiently coordinated with CERT that the additional
interface is not high return)
CNA Published Information
must CMU/CERT-CC
must Microsoft
must RedHat
should Debian
must Apache
must Apple OSX
must Oracle
Non-CNA Vendor Advisories
? Solaris (Isn't Solaris now part of Oracle, a CNA?)
should Suse
ignore Mandriva
should HP-UX
ignore SCO
ignore AIX
must Cisco IOS
should Free BSD
should Open BSD
ignore Net BSD
should Gentoo (Linux)
should Ubuntu (Linux)
Mailing Lists & VDBs
must Bugtraq
- Vuln-Watch
- VulnDev
ignore Full Disclosure (see below)
- Security Focus
- Security Tracker
should OSVDB
must ISS X-Force
should FRSIRT
should Secunia
- Packet Storm
- SecuriTeam
- SANS Mailing List (Qualys)
- Neohapsis (Security Threat Watch)
Full disclosure list: So why am I advocating for the CVE team to
ignore full disclosure? It's not because I think the list is low
value, but because I expect that other groups are reading it,
processing it, and doing noise reduction.
I'll advocate as a should for three additional sources:
should: metasploit
should: Snort
should: Contagiodump.blogspot.com "Overview of exploit packs"
My logic for all three is that the attacks contained are likely to be
used (metasploit), things that Snort contributors think they should be
seeing (and thus which hit the initial CVE use case) and the exploit
pack data because those attacks are seen in the wild, and in my
current professional use of CVE, are the ones which I spend the most
time with.
Adam
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Tue Oct 4 14:12:01 2011
Message-ID: <4E8B4C6A.1050107@cert.org>
Date: Tue, 4 Oct 2011 14:11:54 -0400
From: Art Manion <amanion@cert.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1)
Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: "Mann, Dave" <damann@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: What is the future of CVE - Scope, Volume & Quality?
References: <3FF9F74E63A7484EB3B88F04329CBEDC04427F26D2@IMCMBX1.MITRE.ORG>
<1109151029550.30157@mjc.redhat.com>
<3FF9F74E63A7484EB3B88F04329CBEDC0444162351@IMCMBX1.MITRE.ORG>
In-Reply-To: <3FF9F74E63A7484EB3B88F04329CBEDC0444162351@IMCMBX1.MITRE.ORG>
X-Enigmail-Version: 1.3.2
OpenPGP: id=36C268A3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Reading mail backwards today...
On 2011-09-19 14:46, Mann, Dave wrote:
> Let me emphasize that we agree with both questions. Resource discussions and analytical process are critical things for us to discuss as we consider CVE's future.
>
> But until we can agree on the must haves, we can't make progress on those fronts.
>
> We strongly suggest these are the 2 most important first questions:
>
> 1. Sources
> a. Which sources of vulnerability disclosures should be considered
> "must haves" for which we provide "reference complete" coverage?
> b. Which sources should be considered "nice-to-haves"?
> c. Which sources should be considered "can be safely ignored"
> (e.g. they just cause noise)?
>
> 2. Coverage
> a. Which vendors and software products should we consider "must haves"
> in that we will provide coverage for all reliable vulnerability
> reports for them?
> b. Which products or vendors should be considered "nice-to-haves"?
> c. Which ones should be considered "can be safely ignored" (e.g. php.golf)?
These are the same question, or 1. depends on 2. IOW, if we know what
vendors/products we want to cover, then we can figure out which sources
to monitor.
golf.php gets posted in bugtraq, as does a remote code execution bug in IIS.
US-CERT Alerts, as of the last several years, are mostly republication
of Microsoft, Oracle, Apple, and Adobe vulnerabilities.
"Reference complete" would be great, but perhaps not worth the
investment. OSVDB seems to be aiming for this.
What about:
1. big/core vendors/apps
2. anything a CNA assigns an ID for
3. everything else
Make 1 and 2 priorities (IOW, resource to meet 1 and 2). CNAs should be
expected to pony up some resources to assign and de-duplicate IDs.
Need to define 1, which is at least started in the list you sent out.
Leave 3 for a slow week, or really just ignore it, unless somebody
cares, in which case it should rise to the level of 2 when a CNA assigns
an ID for it.
And make it clear to CVE users that CVE is *not* reference complete, and
not trying to be. Make it clear that the count of CVE IDs per year is
at best a lower bound on the number of public vul reports that year.
Maybe another way to look at this is to decouple most of the analysis
from the assignment work. Yes, correct assignment requires at least
enough analysis to distinguish separate or related vul reports. Make
further analysis an add-on service, "CVE+analysis" or something.
- Art
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Tue Oct 4 14:17:09 2011
From: "Williams, James K" <James.Williams@ca.com>
To: Art Manion <amanion@cert.org>, "Mann, Dave" <damann@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: RE: CVE Information Sources & Scope
Thread-Topic: CVE Information Sources & Scope
Thread-Index: AQHMgr6TpbdY+fwsQ3q+w22wYsQdkJVseVKg
Date: Tue, 4 Oct 2011 18:16:36 +0000
Message-ID: <ED311CBEE6993C428563DEDF6D083BC801CEAB@usilms113b.ca.com>
References: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
<4E8B482F.2090602@cert.org>
In-Reply-To: <4E8B482F.2090602@cert.org>
Accept-Language: en-US
Content-Language: en-US
Good points, Art. In particular, quicker issuance of CVE identifiers would be great.
As far as monitoring of twitter and blogs goes, we also need to consider monitoring:
* pastebin,
* smaller vendor bugtracking systems (I find vulns every week, in widely used software, that never makes it to BugTraq, Secunia, or CVE),
* discussion forums (in a variety of languages, and many require registration),
* reddit,
* IRC,
* and whatever other communication/dissemination mediums become popular (again) next month.
When expanding monitoring of these types of sources, extensive automation is necessary.
Thanks and regards,
Ken
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Art Manion
Sent: Tuesday, October 04, 2011 12:54 PM
To: Mann, Dave
Cc: cve-editorial-board-list
Subject: Re: CVE Information Sources & Scope
On 2011-10-04 10:39, Mann, Dave wrote:
> The yard-stick by which to consider these is, does CVE need to capture vulnerabilities from this source in order to fulfill its charter?
IMO, the bigger discussion is the future of CVE, and therefore the future (or revised, reviewed, refreshed) charter.
Is CVE looking for original sources of vul information? Or broad coverage? Or efficient coverage of the "biggest" news in vuls?
The list below is adequate if a bit dated, and duplicative (CIAC changed their name, CIAC and AusCERT only republish vul information IIRC).
We (CERT/CC) have a similarly adequate, but dated list. We're also possibly more interested in the first hints of a new vul report instead of something more authoritative that is ready for a CVE ID.
More new vul information comes out via twitter and blogs these days.
Seems most of it probably reaches the sources below at some point.
Exploit lists (metasploit, exploitdb) are other sources of new vul information, depending on what CVE is looking for.
Back to the bigger picture, I'm on the side of issuing more CVE IDs faster for more vul reports, having reasonable ways to distribute assignment and manage duplicates and false alarms. Accurate analysis is great, but can come a few days after the ID is issued. So my opinion is that CVE should refocus on being *the* leading, fairly comprehensive source of IDs (enumeration) for vul reports. Some other capability can do analysis or add further value later.
Goals, in time order (and as more information about a vul report becomes available):
1. Assign ID to vul report (More CNAs? More active CNAs?)
2. Manage duplicates, mistakes, etc.
3. Refine assignments (further duplicate resolution, merge/splits, final arbitration)
4. Accurate analysis
Don't wait for #4 to issue a CVE ID. Users need to be able to talk about "the thing" (a vul report), even (unfortunately) if "the thing" turns out to be a duplicate or false alarm.
> Government Information Sources
> US-CERT Advisories (aka CERT-CC Advisories)
> US-CERT Vulnerability Notes (CERT-CC)
> US-CERT Bulletins (aka Cyber-Notes)
> DoD IAVAs
> NISCC
> AUS-CERT
> CIAC
>
>
> CNA Published Information
> CMU/CERT-CC
> Microsoft
> RedHat
> Debian
> Apache
> Apple OSX
> Oracle
>
>
> Non-CNA Vendor Advisories
> Solaris
> Suse
> Mandriva
> HP-UX
> SCO
> AIX
> Cisco IOS
> Free BSD
> Open BSD
> Net BSD
> Gentoo (Linux)
> Ubuntu (Linux)
>
>
>
> Mailing Lists & VDBs
> Bugtraq
> Vuln-Watch
> VulnDev
> Full Disclosure
> Security Focus
> Security Tracker
> OSVDB
> ISS X-Force
> FRSIRT
> Secunia
> Packet Storm
> SecuriTeam
> SANS Mailing List (Qualys)
> Neohapsis (Security Threat Watch)
- Art
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Tue Oct 4 14:22:16 2011
Message-ID: <4E8B4ECD.3020103@cert.org>
Date: Tue, 4 Oct 2011 14:22:05 -0400
From: Art Manion <amanion@cert.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1)
Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: "Mann, Dave" <damann@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: CVE Information Sources & Scope
References: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
In-Reply-To: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
X-Enigmail-Version: 1.3.2
OpenPGP: id=36C268A3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
> Government Information Sources
> US-CERT Advisories (aka CERT-CC Advisories)
Must have. Although largely republication at the moment, we expect this
to change, and volume is fairly low.
> US-CERT Vulnerability Notes (CERT-CC)
Must have.
> US-CERT Bulletins (aka Cyber-Notes)
These are collections of already public reports, possibly generated from
CVE even?
> DoD IAVAs
Doubt usefulness. Republication well after CVE has been assigned?
> NISCC
Good to watch, new vul reports rarely come out.
> AUS-CERT
Almost exclusively republication. AusCERT even provides a list of what
products/vendors they monitor (or did).
> CIAC
Name changed, believe this is entirely republication.
> CNA Published Information
> CMU/CERT-CC
Must have, but included in US-CERT vul notes and Alerts above.
> Microsoft
> RedHat
> Debian
> Apache
> Apple OSX
> Oracle
Must have.
> Non-CNA Vendor Advisories
> Solaris
> Suse
> Mandriva
> HP-UX
> SCO
> AIX
> Cisco IOS
> Free BSD
> Open BSD
> Net BSD
> Gentoo (Linux)
> Ubuntu (Linux)
Must have, although as usual lots of duplication across linux/UNIX distros.
> Mailing Lists & VDBs
It's been a while since I watched any of these closely.
> Bugtraq
Must have.
> Vuln-Watch
> VulnDev
Not sure what these are like anymore. Seemed to be low signal.
> Full Disclosure
Lots of noise, but new reports come out. Must have.
> Security Focus
Bugtraq? Or other lists?
> Security Tracker
Not sure of current quality/signal.
> OSVDB
Must have, because they're trying to be reference complete.
> ISS X-Force
> FRSIRT
Changed name again -- VUPEN? If they provide original reports, then
must have.
> Secunia
Good to have.
> Packet Storm
No longer familiar, seems dated.
> SecuriTeam
No longer familiar.
> SANS Mailing List (Qualys)
Don't know about new vul reports here.
> Neohapsis (Security Threat Watch)
Only know about their archive service.
IMO, any and every source of "OC" (original content, original vul
reports) should be monitored, starting with major vendors, CNAs, and
sources with high quality signal (even if they are also noisy).
- Art
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Tue Oct 4 14:36:59 2011
From: "Williams, James K" <James.Williams@ca.com>
To: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: RE: CVE Information Sources & Scope
Thread-Topic: CVE Information Sources & Scope
Thread-Index: AQHMgr6TpbdY+fwsQ3q+w22wYsQdkJVseVKggAAHGHA=
Date: Tue, 4 Oct 2011 18:36:32 +0000
Message-ID: <ED311CBEE6993C428563DEDF6D083BC801CF15@usilms113b.ca.com>
References: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
<4E8B482F.2090602@cert.org>
<ED311CBEE6993C428563DEDF6D083BC801CEAB@usilms113b.ca.com>
In-Reply-To: <ED311CBEE6993C428563DEDF6D083BC801CEAB@usilms113b.ca.com>
Accept-Language: en-US
Content-Language: en-US
Btw, the list below was definitely not meant to be complete. I also frequently find new (to me) vuln info on Facebook, Google+, many non-security forums, etc, etc.
I also very regularly find unpublicized vulnerabilities in just about every networked device or software I own, including TVs, AV receivers, printers, cable boxes, and even the GM service manual software for my car (old version of Tomcat).
At the end of the day, we'll just need to select the business critical/important technologies to track, and ignore the rest.
Thanks and regards,
Ken
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Tue Oct 4 16:25:42 2011
From: "Mann, Dave" <damann@mitre.org>
To: Art Manion <amanion@cert.org>,
cve-editorial-board-list
<cve-editorial-board-list@LISTS.MITRE.ORG>
Date: Tue, 4 Oct 2011 16:24:36 -0400
Subject: CVE's Charter, Scope and the Role of CNAs
Message-ID: <3FF9F74E63A7484EB3B88F04329CBEDC04448128E0@IMCMBX1.MITRE.ORG>
Art has raised some critically important points and questions that are worth addressing in order to keep the conversation moving forward.
Dave wrote:
>> The yard-stick by which to consider these is, does CVE need to capture
>> vulnerabilities from this source in order to fulfill its charter?
Art wrote:
>IMO, the bigger discussion is the future of CVE, and therefore the
>future (or revised, reviewed, refreshed) charter.
Art, we're in total agreement.
CVE's original charter was to cover all publicly known vulnerabilities. We concede this is impossible as a practical matter. Internally, we've been discussing restricting this to all publicly known English-based vulnerability disclosures.
Please note, I don't mean to prematurely exclude non-English disclosures from consideration. I think it may eventually be possible to talk about non-English disclosures and, as you've indicated, more involvement of CNAs is going to be a part of the solution. But I want to ensure we're hitting the must-haves in the English-based sources first.
So, by all means, if you feel that there are non-English-based sources that are "must-haves", please call them out. More broadly, let's not restrict the scope or charter of CVE based on current processes in any way. Let's please discuss what needs to be covered by CVE first and then we talk about process to achieve that second.
>1. Assign ID to vul report (More CNAs? More active CNAs?)
>2. Manage duplicates, mistakes, etc.
>3. Refine assignments (further duplicate resolution, merge/splits, final
>arbitration)
>4. Accurate analysis
>
>Don't wait for #4 to issue a CVE ID. Users need to be able to talk
>about "the thing" (a vul report), even (unfortunately) if "the thing"
>turns out to be a duplicate or false alarm.
You're going in directions that our thinking is going too. If it's useful to think about solutions even as we discuss goals, I want to toss out 2 very, very hard problems that I think we should start thinking about now:
a) Economic incentives for SME produced content (specifically applied to CNAs)
b) Level of abstraction issues
ECONOMIC INCENTIVES - It is worth emphasizing that MITRE continually seeks the involvement of new CNAs. We are (and y'all should be) extremely grateful for all of the CNAs that participate. Our experience is that CNA relationships work out when an organization has mature enough vulnerability information practices and, as a result, they incur relatively low marginal costs in terms of issuing CVE IDs. This level of maturity varies widely, based on what we see.
In many other areas of cyber-security information provisioning, we see lots of appeals to various forms of "crowd-sourcing" content creation. The problem is, good content requires good SMEs and good SMEs are expensive. The question becomes, what are the economic incentives for organizations to fund SMEs to act as CVE CNAs?
We've been looking hard at many other identification systems that have successfully federated their content creation. Economically, we see 2 primary models: ISBN and VIN. ISBN numbers are produced by publishers because they are routine and easy to assign (compared to CVEs) and there is an economic benefit for doing so. VINs are assigned by manufacturers because (in the US) the DOT mandates it.
MITRE is already beating the bushes for CNAs and we have the set of CNAs that we have (and are grateful for). How do we expand that set?
LEVEL OF ABSTRACTION - There are 3 LoA questions to start thinking about. First, can we deal with significant drift in level of abstraction among CNAs? Will we be able to fix duplicates from different CNAs if/when they are assigning IDs at different LoAs?
Second, is CVE's current LoA (which grew out of vulnerability practices in the late 90s/early 2000s) too low for today's vulnerability management practices?
Third, combining these first two questions, can we live with a CNA that is committed to the ideal of "silent patching" and, in their role as a CNA, assigns CVE IDs on a "per patch" basis with no further information? Those of us who dealt with vulnerability information back in the 90s remember the "silent patch" days. Would it be acceptable moving forward?
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Wed Oct 5 06:07:19 2011
Date: Wed, 5 Oct 2011 11:06:59 +0100
From: Mark J Cox <mjc@redhat.com>
To: "Mann, Dave" <damann@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: CVE Information Sources & Scope
In-Reply-To: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
Message-ID: <1110051103160.15357@mjc.redhat.com>
References: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
> Government Information Sources
+ all 'must have'
> CNA Published Information
+ all 'must have' (otherwise shouldn't be a CNA)
> Non-CNA Vendor Advisories
+ all 'must have'
> Mailing Lists & VDBs
+ must > Bugtraq
+ ignored > Vuln-Watch
+ ignored > VulnDev
+ should > Full Disclosure
+ ignored > Security Focus
+ ignored > Security Tracker
+ ignored > OSVDB
+ ignored > ISS X-Force
+ ignored > FRSIRT
+ ignored > Secunia
+ ignored > Packet Storm
+ ignored > SecuriTeam
+ nice > SANS Mailing List (Qualys)
+ ignored > Neohapsis (Security Threat Watch)
Additional
+ must "Oss-security" (although also covered by my "CNA" vote)
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Wed Oct 5 09:43:13 2011
Message-ID: <4E8C5ED2.6010106@cert.org>
Date: Wed, 5 Oct 2011 09:42:42 -0400
From: Art Manion <amanion@cert.org>
To: "Mann, Dave" <damann@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: CVE's Charter, Scope and the Role of CNAs
References: <3FF9F74E63A7484EB3B88F04329CBEDC04448128E0@IMCMBX1.MITRE.ORG>
In-Reply-To: <3FF9F74E63A7484EB3B88F04329CBEDC04448128E0@IMCMBX1.MITRE.ORG>
On 2011-10-04 16:24, Mann, Dave wrote:
> CVE's original charter was to cover all publicly known vulnerabilities. We concede this is impossible as a practical matter. Internally, we've been discussing restricting this to all publicly known English-based vulnerability disclosures.
>
> Please note, I don't mean to prematurely exclude non-English disclosures from consideration. I think it may eventually be possible to talk about non-English disclosures and, as you've indicated, more involvement of CNAs is going to be a part of the solution. But I want to ensure we're hitting the must-haves in the English-based sources first.
Despite what probably comes over as criticism of CVE, we at CERT/CC have
faced exactly the same problems. For years we tried to cover everything
(I personally did this work), distinguish unique reports, duplicates,
"real" vulnerabilities, etc. Then XSS came along...
> So, by all means, if you feel that there are non-English-based sources that are "must-haves", please call them out. More broadly, let's not restrict the scope or charter of CVE based on current processes in any way. Let's please discuss what needs to be covered by CVE first and then we talk about process to achieve that second.
We do lightly monitor a handful of Chinese language blogs. Not sure I'd
call them must haves but in any automated collection, subscribe,
translate, and match up resulting English words with English words from
other sources (or a watchlist, or a search, or whatever).
> You're going in directions that our thinking is going too. If it's useful to think about solutions even as we discuss goals, I want to toss out 2 very, very hard problems that I think we should start thinking about now:
> a) Economic incentives for SME produced content (specifically applied to CNAs)
> b) Level of abstraction issues
I'm prone to jumping to conclusions/solutions :)
> ECONOMIC INCENTIVES - It is worth emphasizing that MITRE continually seeks the involvement of new CNAs. We are (and y'all should be) extremely grateful for all of the CNAs that participate. Our experience is that CNA relationships work out when an organization has mature enough vulnerability information practices and, as a result, they incur relatively low marginal costs in terms of issuing CVE IDs. This level of maturity varies widely, based on what we see.
>
> In many other areas of cyber-security information provisioning, we see lots of appeals to various forms of "crowd-sourcing" content creation. The problem is, good content requires good SMEs and good SMEs are expensive. The question becomes, what are the economic incentives for organizations to fund SMEs to act as CVE CNAs?
Yes, while crowd-sourcing has its benefits (mostly leveraging others'
resources), we've all seen bad vul information get picked up and
rebroadcast. I think (but am not sure about this) that CVE will have to
accept some crowd-sourcing help (to distribute coverage and increase CVE
assignment speed, if those end up being goals). Perhaps having a
smaller crowd of mature CNAs will help, or having CNAs act more as
distribution centers and arbitrators, with MITRE being the ultimate
arbitrator (but not having to touch content decisions that a CNA handled
well/correctly).
> We've been looking hard at many other identification systems that have successfully federated their content creation. Economically, we see 2 primary models: ISBN and VIN. ISBN numbers are produced by publishers because they are routine and easy to assign (compared to CVEs) and there is an economic benefit for doing so. VINs are assigned by manufacturers because (in the US) the DOT mandates it.
>
> MITRE is already beating the bushes for CNAs and we have the set of CNAs that we have (and are grateful for). How do we expand that set?
CERT/CC acts as a proxy CNA for a couple other CSIRTs -- most likely
those CSIRTs could become successful CNAs with a little further
training/monitoring. Maybe the board could come up with a list of new
CNAs? As for incentives, the driver I'm familiar with is U.S.
Government and enterprise who want (need) to scan/patch/comply/manage
vulnerabilities, and the associated vendor space. So maybe the
"security vendor" space has a horse in the race? A handful of CSIRTs
and vulnerability databases might step up as they have inherent desire
to document things well.
Some vulnerability reporters/researchers (now we're getting to the
"crowd" more) often ask for CVE IDs, they also seem to want to document
their work properly, like ISBN.
Vendors whose customers are in the USG/enterprise set also seem to
recognize the value in proper documentation (including CVE ID) -- also
like the ISBN model. So vendors with mature vulnerability response
capabilities might be CNA candidates.
USG might not mandate CVE IDs (like VINs), but USG use of CVE IDs
encourages others to use them.
> LEVEL OF ABSTRACTION - There are 3 LoA questions to start thinking about. First, can we deal with significant drift in level of abstraction among CNAs? Will we be able to fix duplicates from different CNAs if/when they are assigning IDs at different LoAs?
>
> Second, is CVE's current LoA (which grew out of vulnerability practices in the late 90s/early 2000s) too low for today's vulnerability management practices?
>
> Third, combining these first two questions, can we live with a CNA that is committed to the ideal of "silent patching" and, in their role as a CNA, assigns CVE IDs on a "per patch" basis with no further information? Those of us who dealt with vulnerability information back in the 90s remember the "silent patch" days. Would it be acceptable moving forward?
I think CVE will have to deal with different LoA. Along with
"duplicates" and "false alarm" consider relationships like "extends" or
"is subset of". This could allow one CNA to assign an ID for a report
(of say multiple XSS vuls). If someone wants to go lower, a CNA can
assign IDs for specific XSS vuls, the IDs are related with a
well-defined predicate. As more information becomes available, CNAs or
MITRE (the ultimate CNA) can "fix" LoA without removing existing IDs.
Not sure I know if the current CVE LoA is too high or too low. I think
it needs to become more flexible. My suggestion is that a CVE ID names
a "report of one or more vulnerabilities." Ideally, this would be one
vulnerability, by some best LoA practice, probably similar to the
existing CVE rules. In practice, it won't always be just one
vulnerability, but the "is subset of" and other relationships might
allow drift, hopefully drift towards "accuracy," and at least tolerance
of multiple LoA for the same "vulnerability."
If a vendor is going to publish a patch with a CVE ID and no information
about the vulnerability -- what's the point? Is there anything to
identify? I guess there is, but there'd be little or no hope of ever
relating that ID to anything else useful (like Oracle fixing bugs and
not referencing public discussion of the bugs). I guess I'd like CVE to
strongly discourage such behavior, so maybe require CVE IDs have some
description/reference?
- Art
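Art's proposal above (IDs issued before analysis, later related by well-defined predicates such as "duplicate of" and "is subset of", with no ID ever removed and undocumented IDs flagged), as an added example that is not part of the thread and is not MITRE's or CERT/CC's code. The CVE-EXAMPLE-n IDs, the CNA names and the ExampleApp descriptions are constructed placeholders, not real assignments.

```python
"""Toy ID registry: assign first, relate later, never delete (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Relation(Enum):
    DUPLICATE_OF = "duplicate of"   # the same thing reported twice
    SUBSET_OF = "is subset of"      # a finer-grained ID under a coarser one


@dataclass
class Entry:
    cve_id: str
    cna: str
    description: str = ""           # may be empty right after step 1 (assign)
    status: str = "assigned"        # "rejected" for a false alarm; the ID stays on record


class Registry:
    def __init__(self):
        self.entries: dict[str, Entry] = {}
        self.relations: list[tuple[str, Relation, str]] = []

    def assign(self, cve_id: str, cna: str, description: str = "") -> Entry:
        """Step 1: issue the ID now; analysis and relationships come later."""
        if cve_id in self.entries:
            raise ValueError(f"{cve_id} already assigned by {self.entries[cve_id].cna}")
        self.entries[cve_id] = Entry(cve_id, cna, description)
        return self.entries[cve_id]

    def _reachable(self, start: str) -> set[str]:
        """All IDs reachable from start by following any relation edge."""
        seen, stack = set(), [start]
        while stack:
            cur = stack.pop()
            for src, _, dst in self.relations:
                if src == cur and dst not in seen:
                    seen.add(dst)
                    stack.append(dst)
        return seen

    def relate(self, src: str, relation: Relation, dst: str) -> None:
        """Steps 2/3: record a predicate between two existing IDs, keeping the graph acyclic."""
        if src not in self.entries or dst not in self.entries:
            raise KeyError("both IDs must be assigned before they can be related")
        if src == dst or src in self._reachable(dst):
            raise ValueError(f"{src} -> {dst} would create a cycle")
        if relation is Relation.DUPLICATE_OF and any(
                s == src and r is Relation.DUPLICATE_OF for s, r, _ in self.relations):
            raise ValueError(f"{src} is already marked as a duplicate")
        self.relations.append((src, relation, dst))

    def canonical(self, cve_id: str) -> str:
        """Follow 'duplicate of' links to the surviving ID; the others remain resolvable."""
        while True:
            nxt = [d for s, r, d in self.relations
                   if s == cve_id and r is Relation.DUPLICATE_OF]
            if not nxt:
                return cve_id
            cve_id = nxt[0]

    def covers(self, broad_id: str) -> set[str]:
        """IDs that refine or duplicate broad_id, transitively (the lower-LoA view)."""
        out, stack = set(), [broad_id]
        while stack:
            cur = stack.pop()
            for s, _, d in self.relations:
                if d == cur and s not in out:
                    out.add(s)
                    stack.append(s)
        return out

    def reject(self, cve_id: str) -> None:
        """A false alarm keeps its ID so people can still talk about 'the thing'."""
        self.entries[cve_id].status = "rejected"

    def undocumented(self) -> list[str]:
        """IDs with no description or reference: the 'silent patch' case to discourage."""
        return sorted(e.cve_id for e in self.entries.values() if not e.description)


def demo() -> Registry:
    """Constructed scenario: two CNAs assign at different levels of abstraction."""
    reg = Registry()
    # cna-alpha assigns one ID for a whole report (coarse LoA)
    reg.assign("CVE-EXAMPLE-1", "cna-alpha", "multiple XSS in ExampleApp admin pages")
    # cna-beta goes lower: one ID per XSS, each 'is subset of' the report-level ID
    reg.assign("CVE-EXAMPLE-2", "cna-beta", "XSS in ExampleApp /admin/users")
    reg.assign("CVE-EXAMPLE-3", "cna-beta", "XSS in ExampleApp /admin/search")
    reg.relate("CVE-EXAMPLE-2", Relation.SUBSET_OF, "CVE-EXAMPLE-1")
    reg.relate("CVE-EXAMPLE-3", Relation.SUBSET_OF, "CVE-EXAMPLE-1")
    # cna-gamma issues an ID with no description (silent-patch style); later analysis
    # shows it duplicates CVE-EXAMPLE-2, so it is linked rather than deleted
    reg.assign("CVE-EXAMPLE-4", "cna-gamma")
    reg.relate("CVE-EXAMPLE-4", Relation.DUPLICATE_OF, "CVE-EXAMPLE-2")
    # a fifth ID turns out to be a false alarm and is rejected, not removed
    reg.assign("CVE-EXAMPLE-5", "cna-gamma", "reported crash, not reproducible")
    reg.reject("CVE-EXAMPLE-5")
    return reg
```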
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Wed Oct 5 12:21:18 2011
From: "Mann, Dave" <damann@mitre.org>
To: "Williams, James K" <James.Williams@ca.com>,
cve-editorial-board-list
<cve-editorial-board-list@LISTS.MITRE.ORG>
Date: Wed, 5 Oct 2011 12:20:56 -0400
Subject: RE: CVE Information Sources & Scope
Message-ID: <3FF9F74E63A7484EB3B88F04329CBEDC0444812B2E@IMCMBX1.MITRE.ORG>
References: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
<4E8B482F.2090602@cert.org>
<ED311CBEE6993C428563DEDF6D083BC801CEAB@usilms113b.ca.com>
<ED311CBEE6993C428563DEDF6D083BC801CF15@usilms113b.ca.com>
In-Reply-To: <ED311CBEE6993C428563DEDF6D083BC801CF15@usilms113b.ca.com>
>editorial-board-list@lists.mitre.org] On Behalf Of Williams, James K
>Good points, Art. In particular, quicker issuance of CVE identifiers would be
>great.
I triple promise that we're going to have the speed of issuance discussion. Promise.
>As far as monitoring of twitter and blogs goes, we also need to consider
>monitoring:
>* pastebin,
>* smaller vendor bugtracking systems (I find vulns every week, in widely
>used software, that never makes it to BugTraq, Secunia, or CVE),
>* discussion forums (in a variety of languages, and many require
>registration),
>* reddit,
>* IRC,
>* and whatever other communication/dissemination mediums become
>popular (again) next month.
>
>When expanding monitoring of these types of sources, extensive
>automation is necessary.
James, could you talk more about automation techniques for monitoring these sources?
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Wed Oct 5 12:33:22 2011
From: "Mann, Dave" <damann@mitre.org>
To: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Date: Wed, 5 Oct 2011 12:33:03 -0400
Subject: Update Disclosure Sources List - Please Vote!
Message-ID: <3FF9F74E63A7484EB3B88F04329CBEDC0444812B45@IMCMBX1.MITRE.ORG>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
Precedence: list
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
Folks,
First, thanks to all who've responded to the request for votes on must-haves and nice to haves regarding vulnerability disclosure sources.
If you haven't weighed in yet, please do so. Having us all (the Editorial Board) in agreement on must-haves vs nice-to-haves will be important before we can talk about harder issues like response time and scalability.
I've compiled the votes to date and have presented them in plain text below (because, yes, I am that old).
BIG NOTE: I was expecting you all to add a *LOT* more different information sources. As Art correctly noted, this list of sources is dated. In particular, when it comes to vendor issued disclosures, it really reflects the traditional bias towards OS level vulnerabilities that speaks of our older history.
I'm frankly surprised that you all aren't suggesting more non-OS vendors that must be monitored.
I would ask that you all think hard about whether or not non-OS vendors should be added, or is it sufficient to monitor non-vendor sources for this class?
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
VULNERABILITY INFORMATION SOURCES [ M, N, I]
M = must have
N = nice to have
I = ignore
Government Information Sources
US-CERT Advisories (aka CERT-CC Advisories) [ 5, 0, 0]
US-CERT Vulnerability Notes (CERT-CC) [ 5, 0, 0]
US-CERT Bulletins (aka Cyber-Notes) [ 4, 1, 0]
DoD IAVAs [ 3, 1, 0]
NISCC [ 1, 3, 0]
AUS-CERT [ 2, 2, 1]
CIAC (name has changed) [ 1, 2, 2]
CNA Published Information
CMU/CERT-CC [ 5, 0, 0]
Microsoft [ 5, 0, 0]
RedHat [ 5, 0, 0]
Debian [ 2, 3, 0]
Apache [ 5, 0, 0]
Apple OSX [ 5, 0, 0]
Oracle [ 5, 0, 0]
Non-CNA Vendor Advisories
Solaris [ 4, 0, 0]
Suse [ 4, 1, 0]
Mandriva [ 4, 0, 1]
HP-UX [ 4, 1, 0]
SCO [ 2, 0, 3]
AIX [ 4, 0, 1]
Cisco IOS [ 5, 0, 0]
Free BSD [ 4, 1, 0]
Open BSD [ 4, 1, 0]
Net BSD [ 4, 0, 1]
Gentoo (Linux) [ 4, 1, 0]
Ubuntu (Linux) [ 4, 1, 0]
Mailing Lists & VDBs
Bugtraq [ 5, 0, 0]
Vuln-Watch [ 0, 0, 4]
VulnDev [ 0, 0, 4]
Full Disclosure [ 2, 3, 1]
Security Focus [ 2, 0, 1]
Security Tracker [ 2, 0, 1]
OSVDB [ 2, 2, 1]
ISS X-Force [ 1, 2, 1]
FRSIRT (VUPEN) [ 1, 3, 1]
Secunia [ 1, 2, 1]
Packet Storm [ 1, 1, 2]
SecuriTeam [ 0, 2, 1]
SANS Mailing List (Qualys) [ 0, 1, 2]
Neohapsis (Security Threat Watch) [ 0, 0, 3]
Metasploit [ 0, 1, 0]
Snort [ 0, 1, 0]
Contagiodump.blogspot.com [ 0, 1, 0]
Oss-security [ 1, 0, 0]
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Wed Oct 5 13:01:06 2011
From: "Williams, James K" <James.Williams@ca.com>
To: "Mann, Dave" <damann@mitre.org>,
cve-editorial-board-list
<cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: RE: Update Disclosure Sources List - Please Vote!
Date: Wed, 5 Oct 2011 17:00:39 +0000
Message-ID: <ED311CBEE6993C428563DEDF6D083BC801D9CE@usilms113b.ca.com>
References: <3FF9F74E63A7484EB3B88F04329CBEDC0444812B45@IMCMBX1.MITRE.ORG>
In-Reply-To: <3FF9F74E63A7484EB3B88F04329CBEDC0444812B45@IMCMBX1.MITRE.ORG>
A few more info sources to consider ...
http://www.exploit-db.com/
Notes: effectively replaced milw0rm, good source for exploit code
http://isc.sans.org/
Notes: decent source for significant new security events, patches, zero day
http://www.webappsec.org/lists/websecurity/archive/
Notes: mostly noise, but rare vuln disclosures do occur
http://www.linuxsecurity.com/
Notes: Central resource for major linux vendors, but would be better to monitor vendor directly
http://www.immunityinc.com/ceu-index.shtml
Notes: Regularly post fresh or zero day exploit info, but must have subscription
http://aluigi.altervista.org/
Notes: very prolific vuln researcher, worth monitoring directly due to volume
http://www.coresecurity.com/content/core-impact-pro-security-updates
Notes: Occasionally post fresh or zero day exploit info, but must have subscription
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com - 816-914-4225
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Wed Oct 5 13:33:14 2011
From: "Williams, James K" <James.Williams@ca.com>
To: "Mann, Dave" <damann@mitre.org>,
cve-editorial-board-list
<cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: RE: CVE Information Sources & Scope
Date: Wed, 5 Oct 2011 17:32:45 +0000
Message-ID: <ED311CBEE6993C428563DEDF6D083BC801DA32@usilms113b.ca.com>
References: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
<4E8B482F.2090602@cert.org>
<ED311CBEE6993C428563DEDF6D083BC801CEAB@usilms113b.ca.com>
<ED311CBEE6993C428563DEDF6D083BC801CF15@usilms113b.ca.com>
<3FF9F74E63A7484EB3B88F04329CBEDC0444812B2E@IMCMBX1.MITRE.ORG>
In-Reply-To: <3FF9F74E63A7484EB3B88F04329CBEDC0444812B2E@IMCMBX1.MITRE.ORG>
Virtually every aspect of vuln processing can be automated, including:
* searching by keyword on any website or mailing list archive (marc.info works great as long as keyword is at least 3 char)
* monitoring web pages (i.e. vendor security and support home pages) and mailing lists for updates
* using google or other search engine to monitor smaller vendor sites, support forums, bugtracking systems
* keyword searching on pastebin
* IRC channel logging, and search through published logs
* monitoring twitter feeds for new twitter feeds and for links to websites with vuln content
* loading of a vuln queue based on content culled from above actions
* filtering noise out of vuln queue
* CVE assignment, after very brief cursory review by human
In the end, it becomes a matter of manpower vs acceptable level of accuracy.
In my experience, I have found that vendors modify their security and support page locations and formats so often that frequent manual review is necessary. I've also found that queue filtering is best left to human SMEs.
Even SMEs though can automate portions of their work by using custom browser add-ons and features, mail client filters, etc.
All said (and I'm certain that Steve would agree with me), there's simply no automated substitute for a quality SME who is obsessed with accuracy and thoroughness. :)
Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com - 816-914-4225
-----Original Message-----
From: Mann, Dave [mailto:damann@mitre.org]
Sent: Wednesday, October 05, 2011 11:21 AM
To: Williams, James K; cve-editorial-board-list
Subject: RE: CVE Information Sources & Scope
>editorial-board-list@lists.mitre.org] On Behalf Of Williams, James K
>Good points, Art. In particular, quicker issuance of CVE identifiers
>would be great.
I triple promise that we're going to have the speed of issuance discussion. Promise.
>As far as monitoring of twitter and blogs goes, we also need to
>consider
>monitoring:
>* pastebin,
>* smaller vendor bugtracking systems (I find vulns every week, in
>widely used software, that never makes it to BugTraq, Secunia, or CVE),
>* discussion forums (in a variety of languages, and many require
>registration),
>* reddit,
>* IRC,
>* and whatever other communication/dissemination mediums become popular
>(again) next month.
>
>When expanding monitoring of these types of sources, extensive
>automation is necessary.
James, could you talk more about automation techniques for monitoring these sources?
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
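Ken's list above gives the monitor-and-triage pipeline only in outline. The following is an added example, not code from this thread or from any CA or MITRE tooling: a small Python sketch of the middle of that pipeline (detecting changed pages, culling candidate lines into a queue, and filtering noise against identifiers already in the database before a human reviews what is left). The URLs, keyword lists, page snapshots and known-CVE set are constructed stand-ins chosen for the example; nothing is fetched from the network.

```python
# Added example (not from the thread or from CA/MITRE tooling): a small
# source-monitoring and triage-queue pipeline. All URLs, keyword lists and
# page snapshots below are constructed stand-ins; nothing touches the network.
import hashlib
import re
from dataclasses import dataclass

# Identifier and keyword patterns are assumptions chosen for this example.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")
SIGNAL_RE = re.compile(
    r"vulnerab|overflow|advisory|security update|remote code|CVE-\d{4}-\d{4,7}",
    re.IGNORECASE,
)
NOISE_RE = re.compile(r"webinar|newsletter|subscribe|careers", re.IGNORECASE)


@dataclass(frozen=True)
class Candidate:
    """One line culled from a changed source, awaiting human review."""
    source: str
    line: str
    cve_ids: tuple


def _norm(line: str) -> str:
    return " ".join(line.split())


def fingerprint(text: str) -> str:
    """Hash of a page with whitespace normalised, so a reflowed layout
    does not register as a content change."""
    return hashlib.sha256(_norm(text).encode("utf-8")).hexdigest()


def changed_sources(previous: dict, current: dict) -> dict:
    """Sources whose fingerprint differs from the last poll; a source
    never seen before counts as changed."""
    return {
        url: text
        for url, text in current.items()
        if url not in previous or fingerprint(previous[url]) != fingerprint(text)
    }


def new_lines(old_text: str, new_text: str) -> list:
    """Lines present in the new snapshot but absent from the old one."""
    old = {_norm(l) for l in old_text.splitlines()}
    return [_norm(l) for l in new_text.splitlines() if _norm(l) and _norm(l) not in old]


def load_queue(previous: dict, current: dict) -> list:
    """Cull every new line that carries a vulnerability signal into a queue."""
    queue = []
    for url, text in changed_sources(previous, current).items():
        for line in new_lines(previous.get(url, ""), text):
            if SIGNAL_RE.search(line):
                ids = tuple(sorted(set(CVE_RE.findall(line))))
                queue.append(Candidate(url, line, ids))
    return queue


def filter_noise(queue: list, known_cves: set) -> list:
    """Drop marketing noise, exact duplicates, and items whose every CVE ID
    is already in the database. What survives goes to a human SME."""
    seen, kept = set(), []
    for cand in queue:
        if NOISE_RE.search(cand.line):
            continue
        if cand.cve_ids and all(cve in known_cves for cve in cand.cve_ids):
            continue
        key = cand.line.lower()
        if key in seen:
            continue
        seen.add(key)
        kept.append(cand)
    return kept


# Constructed snapshots of three hypothetical sources at two polling times.
SNAPSHOT_OLD = {
    "https://vendor-a.example/security": "Security advisories\nAPSB-0001 fixed in 1.0\nSubscribe to our newsletter",
    "https://tracker.example/bugs": "Bug 100: typo in docs",
}
SNAPSHOT_NEW = {
    "https://vendor-a.example/security": "Security   advisories\nAPSB-0001 fixed in 1.0\n"  # layout change only on line 1
    "APSB-0002: buffer overflow in parser (CVE-2011-0001)\nSubscribe to our newsletter\n"
    "Join our security webinar on vulnerability management",
    "https://tracker.example/bugs": "Bug 100: typo in docs\nBug 101: remote code execution via crafted file",
    "https://vendor-b.example/advisories": "Advisory VB-7: fixes CVE-2011-0002\n"  # source added since last poll
    "Advisory VB-8: fixes CVE-2011-0003\nAdvisory VB-8: fixes CVE-2011-0003",
}
KNOWN_CVES = {"CVE-2011-0002"}  # constructed stand-in for the existing CVE list


def run_pipeline(previous=SNAPSHOT_OLD, current=SNAPSHOT_NEW, known=KNOWN_CVES) -> list:
    return filter_noise(load_queue(previous, current), known)


if __name__ == "__main__":
    for cand in run_pipeline():
        print(f"[{cand.source}] {cand.line}  cve_ids={cand.cve_ids}")
```

Run as a script it prints the three items a reviewer would actually see: the new vendor-a advisory, the tracker bug with no identifier yet, and one copy of the VB-8 advisory. The webinar line, the advisory for an already-known CVE, and the duplicate never reach the human, which is the point of Ken's "filtering noise out of vuln queue" step; the whitespace-insensitive fingerprint is what keeps a vendor's page reflow from being reported as a change.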
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Wed Oct 5 15:18:22 2011
From: "Mann, Dave" <damann@mitre.org>
To: "Williams, James K" <James.Williams@ca.com>,
cve-editorial-board-list
<cve-editorial-board-list@LISTS.MITRE.ORG>
Date: Wed, 5 Oct 2011 15:17:54 -0400
Subject: RE: CVE Information Sources & Scope
Message-ID: <3FF9F74E63A7484EB3B88F04329CBEDC0444812C16@IMCMBX1.MITRE.ORG>
References: <3FF9F74E63A7484EB3B88F04329CBEDC04448126E0@IMCMBX1.MITRE.ORG>
<4E8B482F.2090602@cert.org>
<ED311CBEE6993C428563DEDF6D083BC801CEAB@usilms113b.ca.com>
<ED311CBEE6993C428563DEDF6D083BC801CF15@usilms113b.ca.com>
<3FF9F74E63A7484EB3B88F04329CBEDC0444812B2E@IMCMBX1.MITRE.ORG>
<ED311CBEE6993C428563DEDF6D083BC801DA32@usilms113b.ca.com>
In-Reply-To: <ED311CBEE6993C428563DEDF6D083BC801DA32@usilms113b.ca.com>
Ken noted:
>All said (and I'm certain that Steve would agree with me), there's simply
>no automated substitute for a quality SME who is obsessed with accuracy and
>thoroughness. :)
We all three are in agreement.
I just presented a paper at a conference making roughly this same point. I stole this line from Matt Burton (who I hope returns to security work) who said we need to focus on effective computer augmentation, not merely computer automation.
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Thu Oct 6 11:22:34 2011
From: <Kent_Landfield@McAfee.com>
To: <damann@mitre.org>, <cve-editorial-board-list@LISTS.MITRE.ORG>
Date: Thu, 6 Oct 2011 10:20:38 -0500
Subject: Re: Update Disclosure Sources List - Please Vote!
Message-ID: <CAB32B6B.218F9%kent_landfield@mcafee.com>
In-Reply-To: <3FF9F74E63A7484EB3B88F04329CBEDC0444812B45@IMCMBX1.MITRE.ORG>
I have voted but also included a few more on the end...
Government Information Sources
Must Have - US-CERT Advisories (aka CERT-CC Advisories)
Must Have - US-CERT Vulnerability Notes (CERT-CC)
Ignore - US-CERT Bulletins (aka Cyber-Notes)
Ignore - DoD IAVAs
Nice to Have - NISCC
Nice to Have - AUS-CERT
Ignore - CIAC (name has changed)
CNA Published Information
All CNAs are a Must Have
Non-CNA Vendor Advisories
All non-CNA vendor advisories are a Must Have
Mailing Lists & VDBs
Must Have - Bugtraq
Ignore - Vuln-Watch
Ignore - VulnDev
Nice to Have - Full Disclosure
Ignore - Security Focus
Ignore - Security Tracker
Must Have - OSVDB
Ignore - ISS X-Force
Must Have - FRSIRT (VUPEN)
Must Have - Secunia
Ignore - Packet Storm
Ignore - SecuriTeam
Ignore - SANS Mailing List (Qualys)
Ignore - Neohapsis (Security Threat Watch)
Must Have - Metasploit
Nice to Have - Snort
Nice to Have - Contagiodump.blogspot.com
Nice to Have - Oss-security
Non-OS vendors should be included
Specifically Desktop products that are commonly seen in both corporate and consumer systems
Additions...
1. Must haves
* APSA / APSB - Adobe
2. Nice to have
* ZDI
* Exploit-DB
* MSVR – Microsoft Vulnerability Research Advisories
* iDefense
* cisco-sa-xxxxxxxx-xxx (Cisco Security Advisories)
* Htxxxx (Apple)
* VMSA (Vmware Security Advisories)
* CNVD (China National Vulnerability Database)
* Metasploit Module Ids
Kent Landfield
Director Content Strategy, Architecture and Standards
McAfee, Inc.
5000 Headquarters Dr.
Plano, Texas 75024
Direct: +1.972.963.7096
Mobile: +1.817.637.8026
Web: http://www.mcafee.com/
From owner-cve-editorial-board-list@LISTS.MITRE.ORG Fri Oct 7 07:35:28 2011
From: Carsten Eiram <che@secunia.com>
To: "'damann@mitre.org'" <damann@mitre.org>
CC: "'cve-editorial-board-list@lists.mitre.org'"
<cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: CVE Information Sources & Scope
Thread-Topic: CVE Information Sources & Scope
Thread-Index: AcyE4wlmfW0z+NANRjaeRFC/aPrWCw==
Date: Fri, 7 Oct 2011 11:35:37 +0000
Message-ID: <F4A3A6029AA9A54E8FA9BF5FB9834C79115467@exch-hq-1.secunia.local>
I already sent my ratings along with a lot of other feedback to Dave, but should share my scoring (see inline) with the board as well (Dave: Hindsight made me change a couple of the ratings + I added scores for the other suggested sources).
Generally, I believe that VDBs (at least the 2-3 major ones like Secunia, OSVDB, and SecurityFocus) are important resources to monitor as information there will be referenced a lot by other sources. Preferably all vulnerability reports covered by these VDBs should have CVEs assigned.
cheers,
/Carsten
> Government Information Sources
> US-CERT Advisories (aka CERT-CC Advisories)
+ M
> US-CERT Vulnerability Notes (CERT-CC)
+ M
> US-CERT Bulletins (aka Cyber-Notes)
+ N
> DoD IAVAs
+ I
> NISCC
+ I
> AUS-CERT
+ I
> CIAC
+ I
> CNA Published Information
+ M (goes for all CNAs)
> Non-CNA Vendor Advisories
+ M (all major software vendors)
> Suse
+ M
> Mandriva
+ I (not that popular anymore)
> HP-UX
+ M (HP in general)
> SCO
+ I (not very active anymore)
> AIX
+ M (IBM in general)
> Cisco IOS
+ M (Cisco in general)
> Free BSD
+ M
> Open BSD
+ M
> Net BSD
+ N
> Gentoo (Linux)
+ I (not very active anymore)
> Ubuntu (Linux)
+ N
>
> Mailing Lists & VDBs
> Bugtraq
+ M
> Vuln-Watch
+ I
> VulnDev
+ I
> Full Disclosure
+ N (from a CVE perspective the noise ratio is too high to consider it "must have" - most relevant info is also sent to bugtraq and if not then it will still be caught by the VDBs and can be spotted there).
> Security Focus
+ M (I'm a bit between "must have" and "nice to have" since the publicly available info doesn't really provide anything not already available from Secunia and OSVDB; leaning towards "must have" as some still seem to find it useful).
> Security Tracker
+ I
> OSVDB
+ M (focuses a lot on covering "everything" including unstable software (not covered by Secunia) and old, historic issues that do not affect later version (partially covered by Secunia) - it's, therefore, a nice complement to Secunia).
> ISS X-Force
+ N (primarily due to their coverage of IBM vulnerabilities)
> FRSIRT/VUPEN
+ I (pretty much dead, random coverage, and provides no info not already available elsewhere (just links to various resources now))
> Secunia
+ M (obviously! ;-) Our verification process daily results in extra details being added to advisories not available in the original vulnerability reports. Secunia is also a CNA (CVEs are assigned for internally discovered vulnerabilities and vulnerabilities coordinated on behalf of external researchers) and original source of a lot of vulnerability reports[1]).
[1]: http://secunia.com/community/research/
> Packet Storm
+ N (most of it is available on exploit-db.com, which I personally find to be a better source)
> Exploit-DB.com
+ M
> SecuriTeam
+ I
> SANS Mailing List (Qualys)
+ I
> Neohapsis (Security Threat Watch)
+ I
> Metasploit
+ I (great project but not that useful from a CVE perspective as it's seldom an original source)
> Snort
+ I
> Contagiodump.blogspot.com
+ N
> Oss-security
+ M
> Additions....
> APSA / APSB - Adobe
+ M
> ZDI
+ N (original source for a lot of reports, but information will also be available e.g. on monitored mailing lists)
> MSVR - Microsoft Vulnerability Research Advisories
+ N
> iDefense
+ N
> VMSA (Vmware Security Advisories)
+ M
> CNVD (China National Vulnerability Database)
+ N
> JVN
+ N
--
Med venlig hilsen / Kind regards
Carsten H. Eiram
Chief Security Specialist
Follow us on twitter
http://twitter.com/secunia
http://twitter.com/carsteneiram
Secunia
Mikado House
Rued Langgaards Vej 8
2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145