
Re: CNA Rules Announcement



On Sun, 9 Oct 2016, Chandan Nandakumaraiah wrote:

: On 10/9/16 7:13 PM, jericho wrote:
: > If you want to then turn around and issue one ID for implementation
: > flaws, when the protocol spec is correct, you aren't being consistent.
: 
: It is the flaw that is being assigned an ID.
: 
: If the flaw is very specific and unique to the implementations of a 
: particular protocol, it should get a single ID, irrespective of the 
: affected products or vendors.

You are now equating the two sides of the abstraction debate and aren't
being consistent or clear yourself. "It is the flaw that is being assigned
an ID" then immediately say "if the flaw is very specific and unique to
the implementations ... it should get a single ID". You can't have it both
ways.

: >  The important part is to stay consistent in the handling of such 
: > issues. 
: 
: Consistently doing a wrong thing does not make it right.

Re-read my email. I very specifically say that if we change the standard,
that is fine, but we need to very publicly state that. I am not arguing to
stick to the old way, or move to the new way. I am playing both sides of
the debate because both have merit, and I have said that several times.

: > Again, I see the benefit of each method and unfortunately, the
: > benefits of each way help different types of InfoSec professionals. If
: > we go one way, we please academics, (some) VDBs, and (some) auditors.
: > If we go the other way, we please system admins, (some) VDBs, and
: > (some) auditors.
: 
: I have only seen confusion and misunderstandings due to such fragmented
: IDs. There is always a danger of some valid vulnerability being ignored
: as a false positive because the MITRE description said something about
: the CVE being applicable only to a certain vendor's product.

Can you cite a specific example?

And that would not happen if CVE's coverage was better, and addressed 
those additional products that were impacted. Either adding them to the 
base entry (e.g. if it is a protocol flaw), or abstracting out for 
additional vendors if that is the decision.

Ultimately, this boils down to a simple "do we abstract or not" argument
for CVE, but must consider the coverage argument above. There are merits
for abstracting, and there are merits for assigning a single CVE. I know I
don't have a pulse on the entire industry, no one does... but working for
a vuln scanner company and a commercial VDB, I see at least two big sides
to this argument. There WILL be confusion, regardless of what side we pick.
That is the fact. Saying there is confusion is a non sequitur, that should
be obvious to anyone familiar with this arena, as I outlined both sides
previously.

Brian


Page Last Updated or Reviewed: October 19, 2016