CVE Behind the Scenes: The Complexity of Being Simple
Steven M. Christey
CVE, the Common Vulnerabilities and Exposures list, is just a collection of unique numbers, ridiculously terse descriptions, and a hodgepodge of references. Isn't it? To most people, CVE looks quite simple. And it is, by design. But simple doesn't always mean easy. I'll delve into some of the roadblocks faced during the short life of "the little list that could."
When David Mann and I proposed the CVE concept to the Vulnerability Database Workshop at Purdue CERIAS in January 1999, we outlined the following major criteria for a good CVE:
- enumerate and discriminate between all known vulnerabilities
- assign a standard, unique name to each vulnerability
- exist independently of the multiple perspectives of what a vulnerability is
- be publicly "open" and shareable without distribution restrictions
I'll discuss the challenges that MITRE and the CVE Editorial Board face in trying to satisfy these criteria, including:
- what we got wrong in those early days
- the terminological warfare that forced CVE to change its name
- how CVE has taxonomical features even though we claim that it's not a taxonomy
- how CVE, which supposedly isn't a database, encounters various problems that full-fledged vulnerability databases do
- why some candidates have been around for two years, and why some might stay that way forever
- the bureaucratic process for creating official CVE entries that nonetheless has its advantages
- what's being done about IDS
- how CVE can simultaneously suffer from too much information and too little information
- how CVE entries themselves have evolved over time, and how they publicly reflect the education of a vulnerability analyst
- why it's impossible to please everyone at the same time
- how having CVE could have helped in the construction of CVE
- the buzzword-compliant techniques that support the population and search of CVE
- what's being done about the delays between the initial public announcement of a security problem and the assignment of a candidate number
- how there really isn't a CVE "behind the scenes"
- and whatever else I (or you) feel like talking about
Steve Christey is a Lead INFOSEC Engineer in the Security and Information Operations Division at The MITRE Corporation. After joining MITRE in 1989, he initially conducted research in artificial intelligence (AI), moving into the information security arena in 1993. He was the primary security auditor for MITRE's networks from 1994 to 1999, conducting network-based risk assessment, management, and incident response. Since 1997, he has conducted research which blends his experience in AI and security, in topics such as automated vulnerability analysis of source code, reverse engineering of executable code, and distributed security assessment. From 1999 to the present, he has been the editor of the Common Vulnerabilities and Exposures (CVE) list, and the Chair of the CVE Editorial Board. Mr. Christey holds a B.S. in Computer Science from Hobart College.
Black Hat - USA - 2001 Hacking conference