Re: Counting on CVEs

[security curmudgeon <jericho@attrition.org>]

On Thu, 8 Mar 2012, Art Manion wrote:

: The questions remain IMO:
: 
: 1. What level of abstraction is appropriate for CVE?

Their current method of abstraction is appropriate. It is well defined and 
consistent.

: 2. What level of completeness is appropriate for CVE?

I don't think "appropriate" is relevant. I think everyone wants it to be 
"absolutely complete". For our business and research, that is the only 
appropriate completeness.

: Is there desire/need for an accurate count of vulnerabilities?  OSVDB 
: either abstracts a little more narrowly than CVE and/or collects more 
: vulnerabilities, so OSVDB has higher numbers.

OSVDB does both, but our abstraction is more than "a little more narrow". 
We abstract per vulnerability, where CVE will group similiar. So take a 
single CVE that lists 10 scripts vulnerable to SQL Injection, and we will 
create 10 entries. OSVDB abstracts more than any other VDB, but as I said, 
that is not always suitable depending on a person's needs.

: If CVE or any other database were to try to name and count all publicly 
: disclosed vulnerabilities, it would be important to be able to 
: distinguish between a vulnerability that is one of a dozen XSS bugs in a 
: PHP web app and a vulnerability that is a straight up stack buffer 
: overflow in httpd.  Sure, count them all, but be able to say that out of 
: 20K vulnerabilities named this year, 61% were XSS or SQLi in web apps 
: with low distribution.

In theory, that is where CVSS (or another classification scheme) could 
come in. Combined, that data could be used to pick out 'relevant' or 
more critical issues.

: I'm guessing at some numbers in the above example, but this is a big 
: reason IMO that CVE numbers have declined.  Vulnerabilities "worth 
: tracking with a CVE" have declined, not the total number of 
: vulnerabilities.  Another way to look at it might be that thee criteria 
: for "worth tracking with a CVE" has changed.

Based on my chats with CVE, I don't think it is that. I don't believe they 
shy away from an issue due to severity. I think that the issue is that CVE 
monitors a list of sources for vulnerabilities, and their resources do not 
permit them to look at more. For example, they monitor Bugtraq, but not 
Full-Disclosure. Over the years, many researchers have started posting to 
F-D without CCing Bugtraq (for a variety of reasons). Add to that sites 
like Exploit-DB and other exploit aggregation sites that aren't being 
monitored, and the numbers quickly explain themselves. OSVDB has a long 
list, but we don't have the resources to monitor all of them in a timely 
manner. We use a weighted system for checking them as time permits, so the 
ones we consider critical (ICS-CERT) get hit daily, but a changelog or bug 
tracker may get checked yearly at best.