...

As of this writing, work is underway within the Vulnerability Report Data Exchange special interest group (VRDX-SIG) within FIRST [8] on a vulnerability report cross-reference data model that will allow for the expression of relationships between vulnerability reports. The current work in progress can be found at https://github.com/FIRSTdotorg/vrdx-sig-vxref-wip. In order to make it easier to relate vulnerability reports and records to each other, the VRDX work represents the following concepts: "possibly related," "related," "not equal," "equal," "superset," "subset," and "overlap."
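As an added illustration (not code from the VRDX-SIG project or from this document), the following Python sketch models cross-references between VDB records using the seven VRDX terms listed above. The set-like reading it assigns to the terms (superset and subset as inverses of each other, the rest as their own inverse), the record IDs, and the sample data are assumptions; the sample deliberately models one record in VDB "A" that VDB "B" split into three, the abstraction-bias case discussed later in this document.

```python
from enum import Enum

# Relationship terms from the VRDX-SIG work in progress cited above; the
# set-like reading (which term inverts which) is this example's assumption.
class Rel(str, Enum):
    POSSIBLY_RELATED = "possibly related"
    RELATED = "related"
    NOT_EQUAL = "not equal"
    EQUAL = "equal"
    SUPERSET = "superset"
    SUBSET = "subset"
    OVERLAP = "overlap"

# Assumed inverse of each term when an edge is read from the other record.
INVERSE = {r: r for r in Rel}
INVERSE[Rel.SUPERSET], INVERSE[Rel.SUBSET] = Rel.SUBSET, Rel.SUPERSET

def build_graph(xrefs):
    """Turn (src, rel, dst) assertions into a bidirectional graph, adding the
    inverse edge for each, and reject contradictory claims about one pair."""
    graph = {}
    for src, rel, dst in xrefs:
        for a, b, r in ((src, dst, rel), (dst, src, INVERSE[rel])):
            prior = graph.setdefault(a, {}).get(b)
            if prior is not None and prior is not r:
                raise ValueError(f"{a} -> {b}: {prior.value} vs {r.value}")
            graph[a][b] = r
    return graph

def equal_classes(graph):
    """Group records joined (transitively) by 'equal' edges."""
    seen, classes = set(), []
    for start in graph:
        if start not in seen:
            comp, stack = {start}, [start]
            while stack:
                for m, r in graph[stack.pop()].items():
                    if r is Rel.EQUAL and m not in comp:
                        comp.add(m)
                        stack.append(m)
            seen |= comp
            classes.append(comp)
    return classes

# Constructed sample: VDB "A" holds one record that VDB "B" split into three
# (the "1 vul or 3?" abstraction case), plus one record shared by three VDBs.
SAMPLE_XREFS = [
    ("A-1", Rel.SUPERSET, "B-10"), ("A-1", Rel.SUPERSET, "B-11"),
    ("A-1", Rel.SUPERSET, "B-12"), ("B-10", Rel.OVERLAP, "B-11"),
    ("A-2", Rel.EQUAL, "B-20"), ("B-20", Rel.EQUAL, "C-300"),
]
```

Calling `build_graph(SAMPLE_XREFS)` yields the derived inverse edge `B-10 -> A-1 = subset`, and `equal_classes` groups A-2, B-20 and C-300 as one record described under three identifiers.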

What CVE Isn't

Because of the prevalence and popular use of CVE IDs in the vulnerability response space, many people assume that vulnerability identity is synonymous with Common Vulnerabilities and Exposures (CVE) [9]. However, let's briefly look at some ways in which that assumption is inaccurate:

...

As the CERT/CC's vulnerability analysis efforts have expanded into vulnerability coordination for non-traditional computing products (mobile, vehicles, medical devices, IoT, etc.) [10], we've also begun to run up against another set of issues affecting vulnerability identities and compatibility across vulnerability databases (VDBs): namely, bias. Steve Christey Coley and Brian Martin mention a number of biases that affect all VDBs in their BlackHat 2013 talk [11]:

  • Selection bias. Not all products receive equal scrutiny. Not all vul reports are included in VDBs.
  • Publication bias. Not all results get published. Some vuls are found but never reported to anyone.
  • Abstraction bias. This bias is an artifact of the process that VDBs use to assign identifiers to vulnerabilities. (Is it 1 vul or 3? 23,667 or 1?)
  • Measurement bias. This bias encompasses errors in how a vulnerability is analyzed, verified, and catalogued.

...

Over time, it has become clear that the days of the "One Vulnerability ID to Rule Them All" are coming to a close and we need to start planning for that change. As we've covered above, one of the key observations we've made has been the growing need for multiple vulnerability identifiers and databases that serve different audiences, support diverse business practices, and operate at different characteristic rates. In his book Thinking, Fast and Slow, Daniel Kahneman describes human thought processes in terms of two distinct systems [20]:

  • System 1: Fast, automatic, frequent, emotional, stereotypic, subconscious
  • System 2: Slow, effortful, infrequent, logical, calculating, conscious

...