Posts Tagged ‘CVE’

Software Vendors Must Take On More Security Responsibility – Lessons from the Toyota Recall

February 23rd, 2010 Richard 2 comments

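Most of you have probably followed the Toyota recall, which has received extensive media coverage; a Google search for “丰田汽车召回” (“Toyota recall”) just now returned 8.8M+ results. Recalls of cars, home appliances and the like are not very common in China, thanks to domestic consumer “protection”, and consumers mostly suffer in silence. In developed Western countries, however, it is standard practice: if a product you make has a quality problem, recalling it and repairing it free of charge is taken for granted.

Now look back at the IT and software industry we work in. Pick up any commercial software license agreement, the kind you are forced to sign, and it states plainly: the software is provided “as-is”; there is no guarantee that it is free of vulnerabilities; if a vulnerability appears, there is no guarantee of when a patch will be released; if a patch is released, there is no guarantee that the patch works; if an incident occurs while using the software, compensation will not exceed the price of the software; ….

When IT and software were an emerging industry, granting some exceptional protection to such a high-risk newcomer was understandable. But now that the industry accounts for more and more of the top 500 companies and has produced more and more billionaires, it is easy to see why people are rethinking this basic market obligation.

SANS and Mitre Corp, two renowned organizations, have jointly launched this thought-provoking project. I call it “thought-provoking” because I have been thinking about this issue for quite some time myself. If you work for a software or security vendor, you do not get this feeling, or not very strongly. It is different for in-house IT operations staff. Your antivirus system falsely flagged and killed software on several thousand computers and took down hundreds of servers, and I cannot obtain proper compensation under the contract or license terms? That is infuriating. Your software has a vulnerability, and not only is the vendor slow to respond with a patch, it even seems to become the user's responsibility: it was agreed to be as-is when the agreement was signed… Read more…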

China National Vulnerability Database gets online

October 19th, 2009 Richard 13 comments

On Oct. 18, 2009 (Beijing time), China's CCTV news reported the release of the national vulnerability database of China.

Along with the rapid growth of Internet applications, the number of vulnerabilities is also growing sharply, so keeping vulnerability information up to date and automating its handling is becoming more and more critical for information systems as a whole. A vulnerability database is used to research, collect, release and automate the lifecycle of vulnerability management, and is regarded as the core of these activities. Although there is already a series of open source vulnerability databases (e.g. OSVDB, etc.) and commercially maintained vulnerability databases (e.g. CERT CVE, Bugtraq, NSFocus VDB, etc.), it is still regarded as essential to set up one authoritative database for the industry, particularly for government and research organizations. Read more…

Another New Adobe Vulnerability Disclosed; Patch Not Due Until Next Week

October 9th, 2009 Richard 3 comments

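Adobe has officially confirmed yet another new vulnerability. It affects Adobe Reader and Acrobat 9.1.3 and earlier on Windows, Macintosh and Unix (CVE-2009-3459), and there are reports that exploitation targeting the Windows version has already been observed. See the report below for details of the vulnerability: Read more…

Categories: -Chinese-, Security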

[Chinese] NIST Releases Draft of the Common Configuration Scoring System (CCSS)

June 9th, 2008 Richard 1 comment

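On May 30, NIST (the US National Institute of Standards and Technology) released a draft for scoring security configurations. Its full title is: NIST IR-7502 DRAFT The Common Configuration Scoring System (CCSS).

CCSS is a standard set of measures for the characteristics and impact of software security configuration issues. CCSS can help organizations make sound decisions when addressing security issues, and it can also provide data for quantitative assessment of a host's security posture. Architecturally, CCSS borrows from CVSS but is specifically adjusted for software security configuration issues (CVSS focuses on software flaws and vulnerabilities). As we know, the security of a software system is not only a matter of the software itself; to a large extent it also depends on installation, configuration and operational management.

NIST reportedly also plans to extend CCSS to include environmental metrics. Click to download the original document.

Categories: -Chinese-, Security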

“Common Weakness Enumeration” Added to CVE Web Site

March 16th, 2006 Richard 4 comments

On March 15, 2006, according to the official news from mitre.org, a new effort leveraging CVE entitled the “Common Weakness Enumeration (CWE)” was added to the GET CVE page on the CVE Web site.

CWE is a community-developed formal list of common software weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Based in part on the CVE List’s 15,000 plus CVE names—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify “Kingdoms” taxonomy; Howard, LeBlanc & Viega’s 19 Deadly Sins; and Secure Software’s CLASP project; among others—CWE’s definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.

The new section includes the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and list of Sources.

Categories: -English-, Security Tags: CVE, Security, CWE