Firewall Wizards mailing list archives

Re: The Common Vulnerabilities and Exposures taxonomy


From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 20 Oct 1999 10:01:43 -0500

One reason I was curious about the CVE database is that I'm trying to
figure out how it might work into various books I'm working on (a new one on
authentication and an update of "Internet Cryptography").

Now that I've looked closer, I realize CVE is NOT a taxonomy, it's simply
intended as a listing of vulnerabilities or "exposures" at a particular
level of abstraction. (Since people tend to think of "vulnerabilities" as
exploitable weaknesses, an "exposure" is a weakness that may or may not be
exploitable, depending on circumstances).

Clearly, I can use the database as a representation of identified
vulnerabilities. It's good to have a list of known problems to work from.
The descriptions aren't always very detailed, but they generally refer to
other sources and reports. So it's a good piece of reference material. If
I'm wondering how many different buffer overflows have been reported (so
far), it's a good place to work from.

Further, there's the question of whether it's worthwhile to associate CVE
identifiers with vulnerabilities I talk about within the book. It's
probably a Bad Idea.

Don't get me wrong -- I see some real value in what they're doing. But I
need to hit a certain level of abstraction and talk about "buffer
overflows" or "buffer overflows in Unix Internet servers." The CVE talks
about "buffer overflows in ping" and has separate identifiers for each
affected software component. That's too low a level of detail for my use.


Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/
