Firewall Wizards mailing list archives

RE: The Common Vulnerabilities and Exposures taxonomy


From: "Anton J Aylward" <anton () the-wire com>
Date: Thu, 21 Oct 1999 12:09:18 -0400

On Thursday, October 21, 1999 10:09 AM, Ted Doty said:


> I don't think the CVE quite gets us to a common definition of
> what is or is not a vulnerability.  Different people are concerned with
> different things, and something not of interest to one person may be very
> important to another.

Damn right.
So perhaps there should be alternate schemes.
Only the media/press not understanding things will see them in competition,
as they did with OpenLook/Motif.  Remember what happened then?  After
Motif won they decided that different versions of Motif were in competition.
Sounds like a cancer to me.  But then if it isn't an issue it doesn't make
headlines, does it?


> However, it's become pretty clear that there often isn't a
> one-to-one mapping of CVE names to our checks, for what we think
> are pretty good reasons (CVE doesn't provide everything that our customers need).

Taxonomies are often hierarchical.
One of the wonders of computers is that the same thing can appear
in different places in the hierarchy, rather like (sym-)links in a
UNIX file system.  If this is a taxonomy rather than a database,
then it's working by classification.  If there is a one-to-one
mapping then it's ONLY a listing or database.  A taxonomy may
encompass a database.  There may also be items in the database
for which there is no taxon.

Thank you for saying that this doesn't provide everything 
the customers need.  It may bring the media down on you, 
but it also avoids this being touted as a universal panacea.  
I hope the various groups involved will not fall prey to the
marketing disease and think they have a One True Solution. 

> A narrow interpretation of what a CVE reference means probably
> limits its value, maybe substantially.

The more I hear of this the less I think it's really a taxonomy,
since a taxonomy implies categorisation that reflects an
underlying nature of things and offers an insight into why
things are the way they are.  If it's just a list, a one-to-one
mapping, like the names of kings or presidents and the dates
when they held office, it tells us nothing about the underlying
nature of things.  We can do statistics ("yes, there were more
bug fixes published for LINUX than Windows NT, therefore LINUX
must be buggier than NT"; "there were fewer people executed for
murder under that administration, therefore the violent crime
rate must have been lower").  If I'm incorrect in this view,
please point out how CVE is really a taxonomy rather than just
an enumerated listing.

--------------------------------------------------------------------
Anton J Aylward, CISSP          | The Internet is not the greatest 
System Integrity                        | threat to information security; 
InfoSec Auditing & Consulting   | stupidity is the greatest threat 
Voice: (416) 421-8182           | to information security. 
aja () si on ca                         |   Will Spencer <will.spencer () gte net>


