再保险:CVE-10K问题(fwd)

pmeunier写道:>资金CVE应该要求国土安全部,无论>水平所需功能正确,没有过度的压力>团队成员。CVE是必要的脆弱性>处理和研究基金会(或如我之前所说,“关键”),和许多>方面的安全。套用这句话我妻子曾经贴在冰箱的门,当我们在研究生院……制作的软件包没有结束,和脆弱性研究是一个肉体的疲惫。(传道书的最后一章,原来规定的制造和研究书籍,对于那些想知道)。我认为这是做得比国土安全部或美国政府的资金问题。你正确地指出帕斯卡,软件正在撰写全球业务。我有这张照片在我的脑海里。这是荷兰小男孩用手指的泄漏堤。岩脉的另一边,是全球软件市场的大规模的海啸。 I don't think the problem of software package identification is scalable in this new world, much less the problem of vulnerability identification *within* those packages. My sense is that end consumers of vulnerability management solutions have learned that their limited dollars will only buy partial coverage and are willing to settle for coverage of the most important (to them) issues. Dan Geer (and others) has said that enumerative security models don't scale and I tend to agree with him. This is why I don't think this is *only* a government funding issue. More generally, I don't think the world is willing to pay for coverage of all vulnerabilities in all software packages at any part of the VM life-cycle. We are all ears on ways to restructure the CVE id assignment process to reduce the bottle neck. I think we can make substantial progress but I think we all must recognize that a wave is coming. Here is a list of things for us all to consider and discuss... + Can we agree on a list of "must be covered and covered quickly" set of software? This would allow CVE to better focus it's energy. But other things will be excluded. + Can we streamline or automate the Candidate Naming process? And if this introduces more errors and duplicates, to what extent can the community deal with errors? + Can we figure out reasonable ways to divide up the problem as Pascal suggests? Thoughts? -Dave ================================================================== David Mann | CVE Project Lead | The MITRE Corporation ------------------------------------------------------------------ e-mail:damann@mitre.org | cell:781.424.6003 ==================================================================