Re: Counting CVEs
On Thu, 8 Mar 2012, Art Manion wrote:

: The questions still are IMO:
:
: 1. What level of abstraction is appropriate for CVE?

Their current abstraction method is appropriate. It is well-defined and consistent.

: 2. What level of completeness is appropriate for CVE?

I don't think "appropriate" is relevant. I think everyone wants it "absolutely complete". For our business and research, that is the only appropriate level of completeness.

: Is an accurate vulnerability count needed/wanted?
:
: OSVDB either abstracts a bit more narrowly than CVE and/or collects more
: vulnerabilities, so OSVDB's count is higher.

OSVDB does both, but our abstraction is not just "narrower". We abstract per vulnerability, where CVE will group similar. So take a single CVE that lists 10 scripts vulnerable to SQL Injection, and we will create 10 entries. OSVDB abstracts more than any other VDB, but as I said, that is not always suitable depending on a person's needs.

: If CVE or any other database were to try to name and count all publicly
: disclosed vulnerabilities, it would be important to be able to
: distinguish between a vulnerability that is one of a dozen XSS bugs in a
: PHP web app and a vulnerability that is a straight up stack buffer
: overflow in httpd. Sure, count them all, but be able to say that out of
: 20K vulnerabilities named this year, 61% were XSS or SQLi in web apps
: with low distribution.

In theory, that is where CVSS (or another classification scheme) could come in. Combined, that data could be used to pick out 'relevant' or more critical issues.

: I'm guessing at some numbers in the above example, but this is a big
: reason IMO that CVE numbers have declined. Vulnerabilities "worth
: tracking with a CVE" have declined, not the total number of
: vulnerabilities. Another way to look at it might be that the criteria
: for "worth tracking with a CVE" has changed.

Based on my chats with CVE, I don't think it is that. I don't believe they shy away from an issue due to severity. I think that the issue is that CVE monitors a list of sources for vulnerabilities, and their resources do not permit them to look at more. For example, they monitor Bugtraq, but not Full-Disclosure. Over the years, many researchers have started posting to F-D without CCing Bugtraq (for a variety of reasons).
Add to that sites like Exploit-DB and other exploit aggregation sites that aren't being monitored, and the numbers quickly explain themselves. OSVDB has a long list, but we don't have the resources to monitor all of them in a timely manner. We use a weighted system for checking them as time permits, so the ones we consider critical (ICS-CERT) get hit daily, but a changelog or bug tracker may get checked yearly at best.