csaf message

Subject: [OASIS Issue Tracker] (CSAF-13) Analysis of "Vulnerability Description Ontology (VDO)" and any possible relation to CSAF work products


     [ https://issues.oasis-open.org/browse/CSAF-13?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Hagen updated CSAF-13:
-----------------------------

    Description: 
This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
It deals with the analysis of the "Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities" (cf. http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf ),
which to the reporter appears as either similar work w.r.t. the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ) or work to be considered for enabling synergy and instead minimising duplication.

This issue allows us to track and document progress and findings of the CSAF TC of the following:

1. understand and summarise VDO (relation to eg. CVSS)
2. ensure synergy potentials are identified
3. discussion of the relation to and reaction on VDO
4. documentation of result

When checked at 2016-12-13 the (PDF format) document referenced existed at the URL http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf and some bibliographic data identified was:

URL = http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
Authors/Editors = Harold Booth and Christopher Turner 
AuthorInstitution = NIST ( http://csrc.nist.gov/publications/PubsDrafts.html )
DocumentDate = 2016-09-30
CommentPeriodEnded = 2016-10-31

Keywords = software defects; ontology; patching; taxonomy; vulnerabilities; vulnerability management

DocumentStatus = draft
DocumentCopyrightPolicy = "NIST"


Abstract (from publication overview) == 
""" 
NISTIR 8138

DRAFT Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities

NISTIR 8138 aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.

This is the first draft of several anticipated drafts of a document intended to describe a methodology for characterizing vulnerabilities. It is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear, in conflict with established practice and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.

The public comment period closed on October 31, 2016
Questions? Send email to: nistir8138@nist.gov

Draft NISTIR 8138: http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
Comment Template: http://csrc.nist.gov/publications/drafts/nistir-8138/draft_nistir_8138_comment_form.doc 
"""


  was:
This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
It deals with the analysis of the "EISPP Common Advisory Format" (cf. http://www.cert-ist.com/eispp/documents.htm#common_format ),
which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work" 
of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).

This issue allows us to track and document progress and findings of the CSAF TC of the following:

1. understand and summarize EISPP
2. ensure synergy potentials are identified
3. discussion of the relation to and reaction on EISPP
4. documentation of result

When checked at 2016-11-24 the (HTML format) document tree root referenced existed at the URL http://www.cert-ist.com/eispp/documents.htm#common_format and some bibliographic data identified was:

URL = http://www.cert-ist.com/eispp/documents.htm#common_format
Authors/Editors = N.N. (?)
AuthorInstitution = N.N. / IST / EISPP Consortium (?)
DocumentDate = 2004-05-20

DocumentTitle = VULDEF: The VULnerability Data publication and Exchange Format data model
DocumentStatus == 
"""
  This document describes a corner stone of the EISPP approach towards supplying 
  SMEs with security advisories: a common advisory format, which will enable an easy 
  exchange of advisory data between the four CERTs participating in EISPP. 
  The advisory format merges the best-practice information regarding security 
  advisories of these four CERTs.
"""
DocumentCopyright = "©EISPP Consortium" (!)


Abstract == 
""" (content taken from Executive Summary of LinkedData::Instance[1])
The European Information Security Promotion Programme (EISPP) strives 
to set up a network of expertise with the aim of providing European 
SMEs with those IT Security services that give them the necessary trust 
in e-commerce to develop their businesses in that direction. 
EISPP is a project funded by the EU through the fifth European Framework 
Programme within the thematic programme Information Society Technologies (IST). 
Further information about EISPP can be found at its website, http://www.eispp.org/.

Probably the most important security service SMEs have to be provided with, 
is an advisory service, i.e., the distribution of so-called security 
advisories that provides system administrators with precise and timely 
information about new vulnerabilities and what can be done against them. 
Such information is absolutely essential for IT security, because new 
vulnerabilities are discovered on a daily basis. IT systems can only 
be kept secure, if they are regularly upgraded or patched such that the 
latest security holes are closed again.

This document describes a corner stone of the EISPP approach towards 
supplying SMEs with security advisories: a common advisory format, 
which will enable an easy exchange of advisory data between the four 
CERTs participating in EISPP. The advisory format merges the best-practice 
information regarding security advisories of these four CERTs.

The format is defined using XML, so the various standards and standard 
tools of the XML-family can be used for advisory processing. 
The XML data-type description of this (and future versions) of the format, 
together with sample XSLT style sheets for displaying advisory data, 
are made publicly available on EISPP's website http://www.eispp.org.
"""

LinkedDataInstanceCount = 3

LinkedData::Instance[1]:
LinkedData = http://www.cert-ist.com/eispp/commonformat_2_0.pdf
LinkedDataDetails = EISPP Common Advisory Format Description
LinkedDataId = EISPP-D3-001-TR
LinkedDataVersion = "2.0"
LinkedDataDate = 2004-05-20

LinkedData::Instance[2]:
LinkedData = http://www.cert-ist.com/eispp/valuelist_2_0.pdf
LinkedDataDetails = EISPP Common Advisory Format Description: Value Lists
LinkedDataId = EISPP-D3-001b-TR
LinkedDataVersion = "2.0"
LinkedDataDate = 2004-05-20

LinkedData::Instance[3]:
LinkedData = http://www.cert-ist.com/eispp/eispp_v20.dtd.txt
LinkedDataDetails = Linked from entry document, contains dtd implementation of EISPP CAFD
LinkedDataVersion = "2.0"



> Analysis of "Vulnerability Description Ontology (VDO)" and any possible relation to CSAF work products
> ------------------------------------------------------------------------------------------------------
>
>                 Key: CSAF-13
>                 URL: https://issues.oasis-open.org/browse/CSAF-13
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: Task
>         Environment: [New]
>            Reporter: Stefan Hagen
>            Priority: Critical
>              Labels: similar_work



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
