Re: CNA Rules Announcement
On Sun, 9 Oct 2016, Scott Lawler wrote:
: This level of abstraction is, well, abstract. How do we determine what
: should be abstracted and to what level?
:
: This is a slippery slope to start down.
:
: While I concur that some level of abstraction is good, I think that we
: need to carefully define for the community what level of abstraction is
: appropriate.
:
: Honestly, I'm not quite sure how to do that. I hate to say case-by-case,
: but...
:
: Ideas on how to quantify and define the right level of abstraction?
I think the best way to start is to pick out ~10 vulns from the past
that fit the bill: "protocol" vulns that were NOT due to a flaw in the
design specs, rather the implementation (where almost every vendor got it
wrong), and see how it worked out.

While many may immediately say "we don't need 100 IDs for that, it's
confusing!", I disagree to a certain point. When it comes to per-vendor
fixes where you are applying 20 different patches, upgrades, or
workarounds in your organization "for the same vulnerability", that is
confusing. That one ID is no longer talking about the same vulnerability
in the full scope of it (flaw, impact, and remediation).

So examine some of the past ones that were abstracted, and some that
were not... then look at how security vendors handled it. Did they create
different rules for IDS/IPS? Did vuln scanners create different
IDs/plugins? That would also be a good one to get community feedback on.

Brian