Firewall Wizards mailing list archives
RE: The Common Vulnerabilities and Exposures taxonomy
From: "Anton J Aylward" <anton () the-wire com>
Date: Thu, 21 Oct 1999 10:24:44 -0400
On Wednesday, October 20, 1999 8:31 AM, Ted Doty said:
I agree with Marcus that this is a good start, but I don't see this replacing our existing database soon. Not only does CVE lack some info that we think is pretty important (OS info, etc.), but the CVE lacks a structure that would help a user browse the list of checks. We've seen that people like to do interesting types of sorts on the information (show me all the FTP checks, or the high risk FTP checks, or the high risk FTP checks that might affect Solaris), but a grouping like this is (for now, at least) outside the scope of the CVE.
There are probably two classes of questions to be asked by "users".

1. I'm running a particular OS or platform or application. What is there that's "relevant"? This may be "what patches should I apply" or "what exposure do I have if I don't apply this patch" or something like that. Let's call that the vertical question.

2. What kind of flaws are found that look like this, and why? There are buffer overrun flaws that affect internet-enabled programs and ones that you need to be a user on the machine. Some can be fixed by fixing the library, some can't. Let's call that kind of question horizontal.

Great! I've just invented a rival taxonomy based on the questions the users will ask. And if all the current generation of management hype books are correct, that listening to the user (i.e. customer) is what makes business successful, it means I'm onto a winner here!

--------------------------------------------------------------------
Anton J Aylward, CISSP        | The Internet is not the greatest
System Integrity              | threat to information security;
InfoSec Auditing & Consulting | stupidity is the greatest threat
Voice: (416) 421-8182         | to information security.
aja () si on ca               |   Will Spencer <will.spencer () gte net>