Firewall Wizards mailing list archives

RE: The Common Vulnerabilities and Exposures taxonomy


From: "Anton J Aylward" <anton () the-wire com>
Date: Thu, 21 Oct 1999 10:24:44 -0400

On Wednesday, October 20, 1999 8:31 AM, Ted Doty said: 

I agree with Marcus that this is a good start, but I don't see this
replacing our existing database soon.  Not only does CVE lack
some info that we think is pretty important (OS info, etc.),
but the CVE lacks a structure that would help a user browse the list
of checks.  We've seen that people like to do interesting types of
sorts on the information (show me all the FTP checks, or the high risk
FTP checks, or the high risk FTP checks that might affect Solaris),
but a grouping like this is (for now, at least) outside the scope of
the CVE.

There are probably two classes of questions to be asked by "users".

1. I'm running a particular OS or platform or application.  What is there that's "relevant"?

   This may be "what patches should I apply" or "what exposure do I have if I don't apply this patch"
   or something like that.

Let's call that the vertical question.

2. What kind of flaws are found that look like this, and why?

   There are buffer overrun flaws that affect internet-enabled programs and ones for which you need
   to be a user on the machine.  Some can be fixed by fixing the library, some can't.

Let's call that kind of question horizontal.

Great!  I've just invented a rival taxonomy based on the questions the users will ask.
And if the current generation of management hype books is correct that listening to
the user (i.e. the customer) is what makes a business successful, it means I'm onto a winner here!

--------------------------------------------------------------------
Anton J Aylward, CISSP          | The Internet is not the greatest
System Integrity                | threat to information security;
InfoSec Auditing & Consulting   | stupidity is the greatest threat
Voice: (416) 421-8182           | to information security.
aja () si on ca                  |   Will Spencer <will.spencer () gte net>