Firewall Wizards mailing list archives
Re: The Common Vulnerabilities and Exposures taxonomy
From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 20 Oct 1999 10:01:43 -0500
One reason I was curious about the CVE database is that I'm trying to figure out how it might work into various books I'm working on (a new one on authentication and an update of "Internet Cryptography"). Now that I've looked closer, I realize CVE is NOT a taxonomy, it's simply intended as a listing of vulnerabilities or "exposures" at a particular level of abstraction. (Since people tend to think of "vulnerabilities" as exploitable weaknesses, an "exposure" is a weakness that may or may not be exploitable, depending on circumstances).

Clearly, I can use the database as a representation of identified vulnerabilities. It's good to have a list of known problems to work from. The descriptions aren't always very detailed, but they generally refer to other sources and reports. So it's a good piece of reference material. If I'm wondering how many different buffer overflows have been reported (so far), it's a good place to work from.

Further, there's the question of whether it's worthwhile to associate CVE identifiers with vulnerabilities I talk about within the book. It's probably a Bad Idea. Don't get me wrong -- I see some real value in what they're doing. But I need to hit a certain level of abstraction and talk about "buffer overflows" or "buffer overflows in Unix Internet servers." The CVE talks about "buffer overflows in ping" and has separate identifiers for each affected software component. That's too low a level of detail for my use.

Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/