Information Security News mailing list archives

Re: A Dictionary For Vulnerabilities


From: InfoSec News <isn () c4i org>
Date: Wed, 25 Jun 2003 02:39:50 -0500 (CDT)

Forwarded from: Kurt Seifried <kurt () seifried org>

http://security.ziffdavis.com/article2/0,3973,1134336,00.asp

Actually the hope is that vendors come to Mitre requesting CVE CAN
numbers, i.e. you find a vulnerability, you go to SANS/Mitre/etc,
start the process, get a CAN entry, that way when you release it has a
standard name. If Mitre is left to reactively gather entries and
research them (i.e. is this a new issue? already covered? what is it
related to? etc.) then of course it will be "old". As for the CAN ->
CVE process this isn't that important, the number is still kept, i.e.
CAN-2003-0001 -> CVE-2003-0001. The CVE designation simply means that
the issue is "closed", i.e. the vendor has addressed it. The CVE/CAN
designation is a rather moot point and non-critical item in my
opinion.

As someone who works for a security vendor I can say that the CVE
project reduces my workload measurably (i.e. several hours a week,
significantly). People use different terminology and names all the
time; as soon as I see a CVE number I can find out in about 1 second
what it actually is, as opposed to spending minutes or hours tracing
down what a vulnerability/fix actually is.

BTW, how would having a group to name viruses slow down research, even
if it takes them a while to agree on a name?

This is one of the most poorly written and researched "security"
articles I have ever read, and I've read a lot of bad articles in my
time.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
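As an added illustration of the CAN -> CVE point in the post (example code written for this archive page, not Kurt's, Mitre's or any vendor's): a small Python normalizer that treats CAN-YYYY-NNNN and CVE-YYYY-NNNN as the same identifier and pulls identifiers out of free-text advisories, which is the kind of lookup the post says saves hours. The sample advisory strings are constructed, and the regex accepts sequence numbers longer than four digits, which goes beyond the 2003-era scheme the post describes.

```python
import re

# Matches both the candidate (CAN-) and accepted (CVE-) prefixes.
# The sequence is 4+ digits: exactly 4 in the 2003 scheme the post
# describes; longer sequences exist since the 2014 syntax change.
CVE_RE = re.compile(r"\b(CAN|CVE)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize_id(identifier: str) -> str:
    """Return the canonical CVE-YYYY-NNNN form of a CAN or CVE identifier.

    The number survives promotion from candidate to entry, so
    CAN-2003-0001 and CVE-2003-0001 name the same issue.
    Raises ValueError for strings that are not identifiers.
    """
    m = CVE_RE.fullmatch(identifier.strip())
    if m is None:
        raise ValueError(f"not a CVE/CAN identifier: {identifier!r}")
    _prefix, year, seq = m.groups()
    return f"CVE-{year}-{seq}"


def same_issue(a: str, b: str) -> bool:
    """True when two identifiers (any prefix, any case) refer to one issue."""
    return normalize_id(a) == normalize_id(b)


def extract_ids(text: str) -> list[str]:
    """Pull every CAN/CVE identifier out of free text (an advisory, a
    changelog) and return canonical CVE ids, de-duplicated, first-seen order."""
    seen: dict[str, None] = {}
    for m in CVE_RE.finditer(text):
        seen.setdefault(f"CVE-{m.group(2)}-{m.group(3)}", None)
    return list(seen)


# Constructed sample advisories: three vendors describing fixes in their
# own words. Only the ones carrying an identifier can be matched instantly.
SAMPLE_ADVISORIES = [
    "Vendor A: fixes a buffer overflow in foo, see CAN-2003-0001.",
    "Vendor B: security update addressing cve-2003-0001 and CAN-2003-0123.",
    "Vendor C: no identifier given, only 'the foo parsing issue'.",
]


def ids_per_advisory(advisories: list[str]) -> list[list[str]]:
    """Canonical identifiers for each advisory, in the same order."""
    return [extract_ids(text) for text in advisories]


if __name__ == "__main__":
    for text, ids in zip(SAMPLE_ADVISORIES, ids_per_advisory(SAMPLE_ADVISORIES)):
        print(ids or "(no identifier: manual research needed)", "<-", text)
```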



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.