Full Disclosure mailing list archives
Re: RE: Why Vulnerability Databases can't do everything
From: security curmudgeon <jericho () attrition org>
Date: Sat, 16 Jul 2005 19:31:31 -0400 (EDT)
: So I think that there should be a government agency that coordinates : this shit : I call for federal government intervention. Microsoft has abused all of : us for the last time. I have a list of a dozen bugs in Microsoft Access; : and I know of one bug in SQL Server that those cornholers just wont fix. : I mean-- SQL AUTHENTICATION IS IMPOSSIBLE TO SECURE. RIGHT? This is good in theory, bad in practice (historically). Consider that we already have government coordination for vulnerabilities. In fact, did you know we have it half a dozen times over? CERT The CERT/CC is funded primarily by the U.S. Department of Defense and the Department of Homeland Security, along with a number of other federal civil agencies. Other funding comes from the private sector. As part of the Software Engineering Institute, we receive some funds from the primary sponsor of the SEI, the Office of the Under Secretary of Defense for Acquisition and Technology. CIAC U.S. Department of Energy (DOE) funded CVE CVE is sponsored by the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security. US-CERT is the operational arm of the NCSD. ICAT ICAT is maintained by the National Institute of Standards and Technology. US-CERT US-CERT is part of the Department of Homeland Security Little overlap? You bet there is. DHS is spending money on two of the five listed above, which are just the biggest and most well known. There are other incident response teams for other government agencies, some of which maintain their own vulnerability databases. Consolidation? Has there been any effort made to consolidate these? Not that I have heard of, but there might have been (and it got nowhere). So the U.S. government clearly sees a need for this type of activity, it's just that it has not been implemented that well and there has been relatively little coordination between the agencies and sources of funding. Imagine one database being funded by and worked on all of the people/agencies above. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: RE: Why Vulnerability Databases can't do everything security curmudgeon (Jul 16)
- RE: RE: Why Vulnerability Databases can't do everything aaron_kempf (Jul 18)
- RE: RE: Why Vulnerability Databases can't do everything Eric Paynter (Jul 18)
- <Possible follow-ups>
- Re: RE: Why Vulnerability Databases can't do everything Steven M. Christey (Jul 17)
- RE: RE: Why Vulnerability Databases can't do everything aaron_kempf (Jul 18)