|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Vulnerability Description Ontology
- To: jericho <jericho@attrition.org>, "Booth, Harold (Fed)" <harold.booth@nist.gov>
- Subject: RE: Vulnerability Description Ontology
- From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- Date: Thu, 6 Oct 2016 00:44:39 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=hq.dhs.gov;mitre.org; dkim=none (message not signed) header.d=none;
- Cc: "cve-editorial-board-list@lists.mitre.org" <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Thu Oct 6 07:53:50 2016
- In-reply-to: <alpine.LNX.2.00.1610051736420.22653@forced.attrition.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CY4PR09MB1255D2E702FF84CE15DA3EB5E6C20@CY4PR09MB1255.namprd09.prod.outlook.com>,<alpine.LNX.2.00.1610051736420.22653@forced.attrition.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- Thread-index: AdIdhWS3WCbUNM0OT5u4yrHmXlCHuQB9SoeA///ghUE=
- Thread-topic: Vulnerability Description Ontology
This might come off like a rant but it's really not
NVD (namely, Harold) has been working on a bigger and better structured format for security bug data for ages, especially since CVRF came out, and was/is basically an advisory format so multiple incumbent vendors share testing and patch data.
This ontology m,from my perspective, is a strong attempt at creating a way for security-affecting bug knowledge to be captured in a structure that accommodates for all the wacky use cases we've learned about over the decades (decades!) so that various collectors, curators and creators of such data can share alike.
A few years ago it was okay to have proprietary scripts and expert knowledge serving the purpose, but now there's too many vulns (with and without CVEs) and too many DBs and tools. Harold's ontology draft is the beginning of a better and more systematic approach.
Did I overdo it? Am I false?
Tom Millar, US-CERT
Sent from +1-202-631-1915
https://www.us-cert.gov
From: owner-cve-editorial-board-list@lists.mitre.org on behalf of jericho
Sent: Wednesday, October 05, 2016 11:37:19 PM
To: Booth, Harold (Fed)
Cc: cve-editorial-board-list@lists.mitre.org
Subject: Re: Vulnerability Description Ontology
NVD (namely, Harold) has been working on a bigger and better structured format for security bug data for ages, especially since CVRF came out, and was/is basically an advisory format so multiple incumbent vendors share testing and patch data.
This ontology m,from my perspective, is a strong attempt at creating a way for security-affecting bug knowledge to be captured in a structure that accommodates for all the wacky use cases we've learned about over the decades (decades!) so that various collectors, curators and creators of such data can share alike.
A few years ago it was okay to have proprietary scripts and expert knowledge serving the purpose, but now there's too many vulns (with and without CVEs) and too many DBs and tools. Harold's ontology draft is the beginning of a better and more systematic approach.
Did I overdo it? Am I false?
Tom Millar, US-CERT
Sent from +1-202-631-1915
https://www.us-cert.gov
From: owner-cve-editorial-board-list@lists.mitre.org on behalf of jericho
Sent: Wednesday, October 05, 2016 11:37:19 PM
To: Booth, Harold (Fed)
Cc: cve-editorial-board-list@lists.mitre.org
Subject: Re: Vulnerability Description Ontology
: This is the first of hopefully several drafts and we are looking at the
: comments to see in which ways we need to modify in order to satisfy the
: needs for vulnerability management.
I am curious what perceived 'gap' in vulnerability management this is
designed to fill. Can you elaborate on the origins of this initiative?
Brian
: comments to see in which ways we need to modify in order to satisfy the
: needs for vulnerability management.
I am curious what perceived 'gap' in vulnerability management this is
designed to fill. Can you elaborate on the origins of this initiative?
Brian
- Follow-Ups:
- Re: Vulnerability Description Ontology
- From: Kurt Seifried <kseifried@redhat.com>
- Re: Vulnerability Description Ontology
- References:
- Vulnerability Description Ontology
- From: "Booth, Harold (Fed)" <harold.booth@nist.gov>
- Re: Vulnerability Description Ontology
- From: jericho <jericho@attrition.org>
- Vulnerability Description Ontology
- Prev by Date: Re: Vulnerability Description Ontology
- Next by Date: Re: Vulnerability Description Ontology
- Previous by thread: Re: Vulnerability Description Ontology
- Next by thread: Re: Vulnerability Description Ontology
- Index(es):