Subject: [OASIS Issue Tracker] (CSAF-13) Analysis of "Vulnerability Description Ontology (VDO)" and any possible relation to CSAF work products


     [ https://issues.oasis-open.org/browse/CSAF-13?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Hagen updated CSAF-13:
-----------------------------

    Description: 
This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
It deals with the analysis of the "Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities" (cf. http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf ),
which to the reporter appears as either similar work w.r.t. the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ) or work to be considered for enabling synergy and instead minimising duplication.

This issue allows us to track and document progress and findings of the CSAF TC on the following:

1. understand and summarise VDO (relation to e.g. CVSS)
2. ensure synergy potentials are identified
3. discussion of the relation to and reaction to VDO
4. documentation of result

When checked at 2016-12-13 the (PDF format) document referenced existed at the URL http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf and some bibliographic data identified was:

URL = http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
Authors/Editors = Harold Booth and Christopher Turner 
AuthorInstitution = National Institute of Standards and Technology (NIST, http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8138 )
DocumentDate = 2016-09-30
CommentPeriodEnded = 2016-10-31

Keywords = software defects; ontology; patching; taxonomy; vulnerabilities; vulnerability management

DocumentStatus = draft
DocumentCopyrightPolicy = "NIST"


Abstract (from publication overview at http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8138 ) == 
""" 
NISTIR 8138

DRAFT Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities

NISTIR 8138 aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.

This is the first draft of several anticipated drafts of a document intended to describe a methodology for characterizing vulnerabilities. It is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear, in conflict with established practice and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.

The public comment period closed on October 31, 2016.
Questions? Send email to: nistir8138@nist.gov

Draft NISTIR 8138: http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
Comment Template: http://csrc.nist.gov/publications/drafts/nistir-8138/draft_nistir_8138_comment_form.doc 
"""


  was:
This issue (task) is one of many similar formal issues formalizing the TCs process to analyse similar work.
It deals with the analysis of the "Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities" (cf. http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf ),
which to the reporter appears as either similar work w.r.t. the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ) or work to be considered for enabling synergy and instead minimising duplication.

This issue allows us to track and document progress and findings of the CSAF TC of the following:

1. understand and summarise VDO (relation to eg. CVSS)
2. ensure synergy potentials are identified
3. discussion of the relation to and reaction on VDO
4. documentation of result

When checked at 2016-12-13 the (PDF format) document referenced existed at the URL http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf and some bibliographic data identified was:

URL = http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
Authors/Editors = Harold Booth and Christopher Turner 
AuthorInstitution = NIST ( http://csrc.nist.gov/publications/PubsDrafts.html )
DocumentDate = 2016-09-30
CommentPeriodEnded = 2016-10-31

Keywords = software defects; ontology; patching; taxonomy; vulnerabilities; vulnerability management

DocumentStatus = draft
DocumentCopyrightPolicy = "NIST"


Abstract (from publication overview) == 
""" 
ISTIR 8138

DRAFT Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities

NISTIR 8138 aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.

This is the first draft of several anticipated drafts of a document intended to describe a methodology for characterizing vulnerabilities. It is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear, in conflict with established practice and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.

The public comment period closed on October 31, 2016
Questions? Send email to : nistir8138@nist.gov

Draft NISTIR 8138: http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
Comment Template: http://csrc.nist.gov/publications/drafts/nistir-8138/draft_nistir_8138_comment_form.doc 
"""



> Analysis of "Vulnerability Description Ontology (VDO)" and any possible relation to CSAF work products
> ------------------------------------------------------------------------------------------------------
>
>                 Key: CSAF-13
>                 URL: https://issues.oasis-open.org/browse/CSAF-13
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: Task
>         Environment: [New]
>            Reporter: Stefan Hagen
>            Priority: Critical
>              Labels: similar_work
>



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)

