CVE-Announce e-newsletter/September 27, 2004 (opt-in newsletter from the CVE Web site)

cve@mitre.org
Date: Mon Sep 27 2004 - 16:07:18 CDT


Welcome to the latest edition of the CVE-Announce e-newsletter. This
email newsletter is designed to bring recent news about CVE, such as
new versions, upcoming conferences, new Web site features, etc. right
to your emailbox. Common Vulnerabilities and Exposures (CVE) is a list
or dictionary that provides common names for publicly known
information security vulnerabilities and exposures. CVE content
results from the collaborative efforts of the CVE Editorial Board,
which is comprised of leading representatives from the information
security community. Details on subscribing (and unsubscribing) to the
email newsletter are at the end.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/September 27, 2004
-------------------------------------------------------

Contents:

1. Feature Story
2. Upcoming Event!
3. Also in this Issue
4. Subscribe to "CVE-Data-Update" for Technical Updates
5. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:

5-Year Anniversary Q&A with CVE Co-Founder Steve Christey

Five years ago Senior MITRE Information Security Engineer Steve
Christey recognized the need for common, standardized vulnerability
names and went on to co-found CVE. He now functions as CVE Technical
Lead and is Editor of the CVE List.

Q: What's the biggest difference from what you first imagined for CVE
   to what it is today?

A: The first thing that comes to mind is the scale and scope of the
   effort. In the very beginning, [CVE co-founder] Dave Mann and I
   just wanted to make it easier to link some tools and advisories
   together to help with internal MITRE security operations. We were
   thinking about a couple hundred vulnerabilities from a couple data
   sources. Now, there are a couple hundred new issues announced PER
   MONTH, plus we've seen the growth of vulnerability databases,
   information services, and correlation tools, which barely existed 5
   years ago, if at all. And the speed of information exchange is much
   faster, too. In hindsight, we were actually kind of provincial in
   our original view, but then again, we couldn't predict the
   future. We didn't anticipate that CVE would become a global
   resource that would apply across a wider variety of tools and
   information sources. It constantly keeps us on our toes.

Q: What achievement on the project are you most proud of?

A: This answer might seem trite, but it's the truth. It's gratifying
   to know that CVE has helped make many people's jobs easier and,
   directly or indirectly, help improve the state of information
   security. This has been demonstrated in many ways over the years. A
   recent example that comes to mind is the award ceremony for CVE
   compatible products that we held at the RSA Conference in February
   2004. All of the vendors made statements about how CVE had helped
   them and their customers. Talking with them face-to-face and
   hearing what they had to say somehow made CVE more "real," which I
   sometimes forget when I'm just clacking away on the keyboard in my
   office. Any time people tell us how CVE has helped them is
   rewarding.

   It's also very nice to see large-scale comparisons and trend
   analyses taking place. These were too resource-intensive to conduct
   before CVE. This benefit was part of our original vision, but it's
   only become a reality in the last year or two.

   Personally, I'm also proud of being able to share my experiences
   and knowledge with others in the industry. And I'm proud of the
   team effort that's gone into CVE, from the contributing individuals
   in MITRE, to the CVE Editorial Board, to our sponsors over the
   years, and to all the other community members who've supported it
   in myriad ways, big and small. CVE is a community-based initiative,
   and it shows.

Q: Biggest surprise for you working on CVE?

A: There have been a few surprises along the way, such as when we
   started to receive inquiries about CVE compatibility from the
   marketing directors for security tool vendors. That told us that it
   wasn't just the technical people who were starting to take CVE
   seriously. Another surprise occurred when some Linux vendors told
   me how using CVE had helped them to coordinate bug fixes even
   before they became public! There are many other surprises, but the
   biggest one is probably how much CVE has grown and how much it's
   being used, even in non-English speaking countries.

   Surprise, however, is the norm for CVE. We are surprised on a
   regular basis, and that's a big part of what keeps things
   interesting, even after 5 years.

Q: Your most difficult challenge working on the project?

A: Being all things to all people. As previously mentioned, the scope
   of CVE is much wider than we had originally anticipated. There are
   certain sub-communities whose needs could be met by extending CVE
   in certain ways. We are sensitive to those needs and are doing what
   we can to address them.

   Technically speaking, I think that properly documenting CVE's
   content decisions - and applying them appropriately - is a
   significant challenge as well. Vulnerability information is highly
   volatile, and the quality and quantity of information varies widely
   and changes over time. This makes it very difficult to be
   consistent within CVE (and any vulnerability repository faces these
   challenges, too). CVE's content decisions help to mitigate these
   problems, but they are more of a "state of mind" than a pre-canned
   set of rules. Clearly specified content decisions are my personal
   albatross.

Q: What's in the future for CVE?

A: In the next year, the effort with the widest community impact will
   involve a single, one-time-only change to the CVE numbering scheme,
   which will begin sometime in 2005. There are a few reasons for
   this, but the biggest reason is the fact that the "CAN-yyyy-nnnn"
   identifier eventually gets changed to a "CVE-yyyy-nnnn" identifier,
   and this makes for a lot of maintenance headaches and confusion. We
   are very aware that we can't make this change lightly, and we can
   only do it once, so we want to do it right and minimize the amount
   of work required for this one-time change. We're still working on
   the details, but we expect to announce the specifics soon, and we
   will be sure to give vendors and consumers plenty of warning before
   the change takes place.

   I previously mentioned certain sub-communities that could be better
   served by CVE. In the future, we expect to extend CVE (or at least
   the concept of it) to handle system configuration issues and
   intrusion detection "events." These are obviously
   security-relevant, but they don't necessarily fit the concept of
   "vulnerability" and they don't necessarily translate well into a
   flat namespace like we've been able to use for
   vulnerabilities. MITRE's OVAL (http://oval.mitre.org) project is
   already working in the area of system configuration, but we'd like
   to have CVE names assigned for the most common issues.

   We are also continually working to improve CVE's timeliness and
   comprehensiveness. Technical CVE users no doubt have noticed our
   improvements in the past 6 months, but we're going to be even
   better. Of course, the number of vulnerabilities on the list
   continues to grow each week, and adding them while maintaining the
   veracity of what's included in a CVE name is significant work. Soon
   enough we'll be at 8,000, and it'll keep growing from there.

   What else is in the future for CVE? Well, we'll have to wait and
   see. If there's one thing I've learned on this project, it's to
   expect the unexpected.

LINKS:

CVE Web site - http://cve.mitre.org

CVE List - http://cve.mitre.org/cve

CVE-Compatible Products and Services - http://cve.mitre.org/compatible/

-------------------------------------------------------------
UPCOMING EVENT:

MITRE to Host CVE/OVAL Booth at "SANS Network Security 2004"

MITRE is scheduled to host a CVE/OVAL exhibitor booth at "SANS Network
Security 2004," September 30 - October 1, 2004, at the Riviera Hotel
in Las Vegas, Nevada, USA. The conference will expose CVE and OVAL
(http://oval.mitre.org) to a diverse audience of network professionals
and information security specialists from industry, academia, and
government. In addition, organizations with CVE-Compatible Products
and Services will also be exhibiting.

Visit the CVE Calendar for information about this and other upcoming
events. Contact cve@mitre.org to have CVE present a briefing or
participate in a panel discussion about CVE, OVAL, and/or other
vulnerability management topics at your event.

LINKS:

CVE Calendar - http://cve.mitre.org/news/calendar.html

CVE-Compatible Products and Services - http://cve.mitre.org/compatible/

-------------------------------------------------------------
ALSO IN THIS ISSUE:

* CVE Main Topic of PatchAdvisor, Inc. News Release

Read these stories and more news at http://cve.mitre.org/news

---------------------------------------------------------------
Subscribe to "CVE-Data-Update" for Technical Updates

Intended for technical users of CVE such as vulnerability database
maintainers or those who require timely notification of new
candidates, the "CVE-Data-Update" e-newsletter provides subscribers
with reports of new CVE entries and/or candidates and other detailed
technical information regarding CVE. Subscribe now at
http://cve.mitre.org/signup/register.html.

---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: Steve Christey, Information Security Technical
Center. Writer: Bob Roberge, Corporate Communications. The MITRE
Corporation (www.mitre.org) maintains CVE and provides impartial
technical guidance to the CVE Editorial Board on all matters related
to ongoing development of CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new email
message and copy the following text to the BODY of the message
"SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the
message: "SUBSCRIBE CVE-Announce-List".

Copyright 2004, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org.