
Re: Juniper added to official list



On Wed, 27 Apr 2016, Art Manion wrote:

: I believe Brian on the Juniper issues. I have first-hand experience with
: another vendor CNA not following the rules. I'm sure there are other
: examples.

A conservative statement. =) Nearly every CNA has had bad assignments in the past 12 months, including Oracle, Microsoft and Adobe. The CNA I can't find fault with recently is Silicon Graphics.

: Speaking of consequences, what if Juniper doesn't follow the rules?
: Revoke CNA status? Then who would issue CVE IDs for Juniper
: vulnerabilities? If a CNA assigns incorrectly, reject their
: assignments. If the CNA actually wants their CVE IDs to count, they'll
: shape up. If they don't, de-list them. And yes, this does sound like
: laissez-faire.

The current model doesn't scale. And I have spoken to this point as well. We don't just need rules, we need a clear path on how MITRE will deal with them if they aren't following rules. Unless MITRE decided to keep me out of the loop after I reported CNAs not following rules many times, then I don't believe MITRE has been following up with them much at all. Or perhaps for a fraction of my complaints. I can't imagine MITRE will actually revoke a CNA, because it goes against their selfish interests (CVE is part of a multi-million dollar contract they enjoy every year). That is a grim reality we need to remember as we discuss this problem. I only bring it up because many of us had proposed that MITRE bring on more CNAs several years ago, and that was met with silence or opposition (usually in private). Now that they are being called to task, it seems greenlighting new CNAs could be their answer, even if the vendor has a history of bad assignments and board members object.

I think what bothers me about this discussion isn't just that I had issues with Juniper before the CNA status came up, but now that it is public... what is happening? It would take less than eight hours for one of the abundant MITRE employees tasked with CVE duties to audit Juniper's advisories for the last couple of years, and determine how accurate their assignments are. Given that Juniper has been requesting those IDs from MITRE, they could further compare the email requests to the public advisories to really gauge Juniper's understanding of the process. That is something I cannot do, since I don't see the ID request emails.

Yet, I track CNA failures to a passing degree via several other data aggregation initiatives that have a side effect of giving me that data, and more. Eight hours of figuring out where Juniper stands in this process is a no-brainer to me, given that every bad public assignment can snowball and cause serious grief for their customers, and in turn for any CVE customer. The ROI on such a brief audit is clear. In fact, every CNA, current or proposed, should be audited once a year, to ensure they are following assignment guidelines. What seems minor and pedestrian on the surface to many (e.g. assigning a 2016 ID to a 2015 issue) can also snowball in huge ways, as seen in the 2016 Verizon DBIR report (pg13, 'Vulnerabilities' section) where the methodology is not defined, and they may be using the year of the ID to attribute disclosure attributes. Even if they don't, *many* others have historically done just that when generating yearly vuln totals based on CVE data. These stats are about the only ones you see in any media, industry or mainstream. Because CVE didn't think that 'disclosure date' was important to track in 1999, almost every vulnerability stat today is absurd and wrong.

: Growing CVE is going to decrease fidelity. As far as I've thought about
: it, MITRE acting as CNA registrar/auditor/manager and ultimate arbiter
: of assignments from many CNAs might work as an organizational model.

In a perfect CVE world, MITRE would only act as a manager and auditor of CNAs and do no assignments themselves (I could also argue they aren't as qualified to do so anymore, but that is academic pedantry and a losing argument due to social perception, not fact). I don't get how it is 2016 and this is just being brought up as a possible model; that falls somewhere between amusing and disgusting, especially since I have never seen MITRE propose it, while half a dozen other industry professionals have in the previous years.

Page last updated or reviewed: April 27, 2016