
Subject: [OASIS Issue Tracker] (CSAF-13) Analysis of "Vulnerability Description Ontology (VDO)" and any possible relation to CSAF work products

    [ https://issues.oasis-open.org/browse/CSAF-13?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=71565#comment-71565 ] 

Art MANION commented on CSAF-13:

See also CSAF-31.

> Analysis of "Vulnerability Description Ontology (VDO)" and any possible relation to CSAF work products
> ------------------------------------------------------------------------------------------------------
>                 Key: CSAF-13
>                 URL: https://issues.oasis-open.org/browse/CSAF-13
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: Task
>         Environment: [New]
>            Reporter: Stefan Hagen
>            Priority: Critical
>              Labels: similar_work
> This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
> It deals with the analysis of the "Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities" (cf. http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf ),
> which to the reporter appears as either similar work w.r.t. the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ) or work to be considered for enabling synergy and instead minimising duplication.
> This issue allows us to track and document progress and findings of the CSAF TC of the following:
> 1. understand and summarise VDO (relation to e.g. CVSS)
> 2. ensure synergy potentials are identified
> 3. discussion of the relation to and reaction on VDO
> 4. documentation of result
> When checked at 2016-12-13 the (PDF format) document referenced existed at the URL http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf and some bibliographic data identified was:
> URL = http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
> Authors/Editors = Harold Booth and Christopher Turner 
> AuthorInstitution = National Institute of Standards and Technology (NIST, http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8138 )
> DocumentDate = 2016-09-30
> CommentPeriodEnded = 2016-10-31
> Keywords = software defects; ontology; patching; taxonomy; vulnerabilities; vulnerability management
> DocumentStatus = draft
> DocumentCopyrightPolicy = "NIST"
> Abstract (from publication overview at http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8138 ) == 
> """ 
> NISTIR 8138
> DRAFT Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities
> NISTIR 8138 aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.
> This is the first draft of several anticipated drafts of a document intended to describe a methodology for characterizing vulnerabilities. It is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear, in conflict with established practice and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.
> The public comment period closed on October 31, 2016.
> Questions? Send email to : nistir8138@nist.gov
> Draft NISTIR 8138: http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
> Comment Template: http://csrc.nist.gov/publications/drafts/nistir-8138/draft_nistir_8138_comment_form.doc 
> """
