
Re: CVE for hosted services



On 3/3/17 5:32 AM, Pascal Meunier wrote:

>>> Please don't make the CVE into an incident or advisory database just
>>> because an ID would be handy.

>> As Brian pointed out earlier, create another C*E project if wanting
>> to track these kinds of issues in hosted solutions.

I don't have a strong argument against a separate ID scheme.

> Thanks.  What made the CVE interesting was the intelligence in
> identifying and pinpointing root causes.  A broad range of issues
> stemming from the absence of security goals or considerations, as in
> that product, only needs an advisory.  I feel that using a CVE ID for
> this example would be inappropriate because the CVE was meant to be a
> finer and more precise tool.  This example is akin to a grand collapse
> from rampant incompetence;  there is nothing to analyze in detail and
> nothing to do but get indignant about it on Facebook.

But I do have different ideas here.  CVE may have had a stronger
engineering use (defect/root cause identification), but times have
changed.

An ID -- particularly one that lots of people know and share -- is not
only handy, but critical.  The ID is separate from the engineering value
of the vulnerability; we're in a world now where we still have to be
able to talk about the service vulnerability in big_social_media_site,
even if the world never hears the engineering details.  We even have to
be able to talk about the nth lame XSS in some CMS.  It's just one more
instance of a known class of CWE, but we need to identify *it*.

We also have to identify lame vulnerabilities in stupid consumer IoT
gear.  Because that junk is where computers live these days.

"CloudPets left their database exposed publicly to the web without so
much as a password to protect it."

Now this specific issue, harder to say.  It's an insecure configuration,
which I don't think is in scope for CVE (product, service, or
otherwise).  Does "E is for Exposures" come into play here?

MongoDB (or memcached) should get CVE IDs for insecure default
configurations.

 - Art


PS, I won't be on this week's board call.


Page Last Updated or Reviewed: March 07, 2017