CVE Behind the Scenes - The Complexity of Being Simple

Offered By: Black Hat via YouTube

Course Description

Overview

Explore the intricacies of the Common Vulnerabilities and Exposures (CVE) system in this Black Hat USA 2001 conference talk. Delve into the complexities behind maintaining a standardized vulnerability naming convention, including the CVE Editorial Board's role, criteria for effective CVEs, and challenges in identifying and categorizing vulnerabilities. Learn about the submission process, content decisions, and abstraction techniques used to create meaningful CVE entries. Gain insights into the growth of CVE, its impact on enterprise security, and how it enables detailed product comparisons. Examine real-world examples of content decisions, such as software flaws in lines of code and multiple executables. Discover the top ten vulnerability types identified in CVE between January 2000 and April 2001, and understand the importance of managing different perspectives in vulnerability classification.

Syllabus

Intro
CVE at a Glance
CVE Editorial Board Members (As of June 4, 2001)
Vision: Using CVE in the Enterprise
CVE Enables Detailed Product Comparisons
Criteria for a Good CVE
Issue: What is a Vulnerability?
Issue: What is a Real Vulnerability?
Issue: What is a Known Vulnerability?
Identifying Known Vulnerabilities: The CVE Submission Stage
Submission Conversion
Normalizing Keywords
Submission Matching
Submission Refinement
Some Challenges in Refinement
Content Decisions
Example Content Decision: SF-LOC (Software Flaws/Lines of Code)
SF-LOC Examples
Example Content Decision: SF-EXEC (Software Flaws in Multiple Executables)
Other Example Abstraction CD's
Example Inclusion CD's
Candidate Stage: Reservation
Candidate Reservation Process
CVE Growth
What's in a Name?
What's Open
Top Ten Vulnerability Types in CVE (Issues publicized between Jan 2000 and April 2001)
Managing Perspectives


Taught by

Black Hat
