
Re: CNA Rules Announcement



On Fri, 7 Oct 2016, Nandakumaraiah wrote:

: > going forward, but retroactively trying to enforce an
: > abstraction that has not worked in some ways.
:
: Agreed. We need a statement or rule about the interaction between new
: assignments and assignments based on the previous rules. We also need to be
: careful about unilaterally changing the abstraction of CVE if it breaks
: rules from a 16-year history.

: > Per-scanner, not sure. There is a lot of value in the
: > per-vendor findings in this case, otherwise a single finding would have a
: > 250+ reference list, not easily distinguishable from each other,
: > solution.
:
: We can't solve this by assigning 250+ different CVEs for the
: same vulnerability. That's like going back to the pre-CVE era,
: isn't it?

No. Pre-CVE, the earlier offering (6 months) and X-Force (2 years) both really did face this with vulns. There are merits to each abstraction method and we should weigh the pros and cons looking forward, not back.

: What if the product-vendor being scanned had never produced an advisory
: or fix for the 'POODLE for TLS' issue? Which of the many CVEs should the
: scanner use to reference that unique issue?

If they do it right, they don't reference a CVE in that case. That is perhaps the most critically dangerous notion the board, or anyone in security, could have; that you *must* have a CVE for it to be a valid security issue or that an issue without a CVE is some kind of weird thing, when it absolutely is not. In fact, that is the norm [1] for many companies.

Brian

[1] http://www.csoonline.com/article/3122460/techology-business/over-6000-vulnerabilities-went-unassigned-by-mitres-cve-project-in-2015.html

Page last updated or reviewed: October 11, 2016