Subject: RE: [cti] Re: [EXT] [cti] RE: Common repository for STIX CTI objects
Thank you for your insights, Jason. My interest in this area is based on the need to provide reliable software supply chain risk assessments to the energy industry to protect the bulk electric system from harm/disruption from cyber threats. I think it's well known that today's vulnerability search capabilities leave lots of room for improvement. The signal/noise ratio of search results is very poor, with lots of false positives. No alignment of SBOM ontologies with vulnerability database ontologies makes it difficult to perform a "deep search" for vulnerabilities at the sub-component level of an SBOM. I understand there are alternative approaches to addressing these items and I'll rely on the good statesmanship and diplomatic skills of those involved to find a solution, in much the same way that OASIS led the convergence of ebXML and SOAP at the W3C negotiating table. Yesterday, I attended an EEI meeting where a question was asked about plans by NERC E-ISAC to support STIX and was pleased to learn that there is some discussion underway in this regard. I see more fracturing of the "vulnerability reporting" world, i.e. AttackerKB is now in beta. So here is my "wish list" as a provider of software risk assessment control software for the Energy industry:
Thanks, Dick Brooks
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: dick@reliableenergyanalytics.com
Tel: +1 978-696-1788

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Jason Keirstead

Regarding vulnerabilities - I am wondering if MITRE has simply considered issuing official Vulnerability SDOs w/UUIDs, alongside the CVEs when they are provided by MITRE? Really, they should not exist anywhere else. Also I am wondering how this entire thread of discussion relates to the ongoing work around SCAP 2.0? I do not think the CTI TC should be moving ahead in this area without working closely with these other groups - this idea of a normative source of cybersecurity reference information spans beyond just threat intelligence, and if the threat intelligence repository is just "yet another source", it is not going to truly help matters.
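Jason's suggestion above, that a vulnerability SDO should carry one official id per CVE and exist nowhere else, can be made concrete by deriving the STIX id from the CVE identifier itself, so that any producer who follows the same rule emits the same object id and consumers can collapse duplicates on it. The code below is an added example written for this page, not code from MITRE, OASIS, the STIX project or either poster. It assumes a UUIDv5 namespace (the UUID STIX 2.1 defines for deterministic SCO ids, reused here for the vulnerability SDO purely as this example's convention, which the spec does not define), and the two "feeds" are constructed sample data describing the real CVE-2019-0708.

```python
import json
import re
import uuid

# Namespace used to derive a vulnerability SDO id from a CVE id. The UUID below is
# the namespace STIX 2.1 defines for deterministic SCO ids; applying it to the
# vulnerability SDO is an assumption made for this example, not part of the spec.
VULN_ID_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(cve_id: str) -> str:
    """Canonical CVE spelling (upper case, trimmed); rejects anything that is not a CVE id."""
    cve = cve_id.strip().upper()
    if not CVE_RE.match(cve):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return cve


def vulnerability_id(cve_id: str) -> str:
    """Deterministic STIX id: the same CVE always yields the same vulnerability--<uuid5>."""
    return f"vulnerability--{uuid.uuid5(VULN_ID_NAMESPACE, normalize_cve(cve_id))}"


def vulnerability_sdo(cve_id: str, description: str, timestamp: str) -> dict:
    """Minimal STIX 2.1 vulnerability SDO carrying the CVE as an external reference."""
    cve = normalize_cve(cve_id)
    return {
        "type": "vulnerability",
        "spec_version": "2.1",
        "id": vulnerability_id(cve),
        "created": timestamp,
        "modified": timestamp,
        "name": cve,
        "description": description,
        "external_references": [{"source_name": "cve", "external_id": cve}],
    }


def merge_feeds(*feeds: list) -> dict:
    """Merge vulnerability SDOs from several producers, keyed by STIX id.

    Because ids are derived from the CVE, objects for the same CVE collide on id
    and the newest 'modified' version wins instead of piling up as duplicates.
    Objects whose id does not match their CVE (e.g. a random UUIDv4) are dropped
    as non-canonical rather than being treated as a second vulnerability.
    """
    merged: dict = {}
    for feed in feeds:
        for obj in feed:
            if obj.get("type") != "vulnerability":
                continue
            cve = next((r["external_id"] for r in obj.get("external_references", [])
                        if r.get("source_name") == "cve"), None)
            if cve is None or obj["id"] != vulnerability_id(cve):
                continue
            current = merged.get(obj["id"])
            # Timestamps share one RFC 3339 layout, so string comparison orders them.
            if current is None or obj["modified"] > current["modified"]:
                merged[obj["id"]] = obj
    return merged


if __name__ == "__main__":
    # Constructed sample data: two producers describing the same CVE independently,
    # plus one object with a random (non-canonical) id for the same CVE.
    feed_a = [vulnerability_sdo("CVE-2019-0708", "Remote Desktop Services RCE",
                                "2020-04-01T00:00:00.000Z")]
    feed_b = [
        vulnerability_sdo("cve-2019-0708", "Remote Desktop Services RCE (updated)",
                          "2020-04-02T00:00:00.000Z"),
        {"type": "vulnerability", "spec_version": "2.1",
         "id": "vulnerability--" + str(uuid.uuid4()),
         "created": "2020-04-02T00:00:00.000Z", "modified": "2020-04-02T00:00:00.000Z",
         "name": "CVE-2019-0708",
         "external_references": [{"source_name": "cve", "external_id": "CVE-2019-0708"}]},
    ]
    print(json.dumps(merge_feeds(feed_a, feed_b), indent=2))
```

Running the script prints a single vulnerability object for CVE-2019-0708, the later of the two canonical versions; the randomly-identified third object is discarded because its id cannot be reproduced from the CVE. The namespace constant is the only thing producers would have to agree on, which is exactly the kind of decision the thread argues belongs with MITRE rather than with each repository.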