Hello,

I also took the time to read the draft and it currently reads like a scenario or an expanded use case draft, not a solution draft. Does SACM need this or are there plans to merge it with solution work into one draft? I could see the value in the latter, but I don't see how a scenario draft on its own will help speed up progress for the WG.

Thanks,
Kathleen

On Wed, Dec 2, 2015 at 8:53 AM, Wolfkiel, Joseph L CIV DISA ID (US) <[email protected]> wrote:
> I think the disappointment may have been headed off if the document was more
> explicit, right at the beginning, about what a "vulnerability report" is. I
> got 2/3 of the way through the document before I understood that
> "vulnerability report" and "vulnerability definition" are effectively the
> same construct. A vulnerability report apparently is an announcement that a
> vulnerability has been discovered and defined to the point where endpoint
> managers can run assessments on their endpoints to determine if their
> endpoints have the vulnerability or not.
>
> This concept is confusing because generally, with existing vulnerability
> scanners, new vulnerability "reports" are a subset of updated vulnerability
> definitions that are automatically propagated to the tools and aren't delivered
> as stand-alone "reports". So a vulnerability "report" would look something
> like the report at
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8395 (I think).
>
> Joseph L. Wolfkiel
> SCM Engineering Lead
> DISA ID52
> Fort Meade DISA Acquisition Bldg Cube A4A58E
> Work: (301) 225-8820
> Gov Cell: (571) 814-8231
> [email protected]
>
> -----Original Message-----
> From: sacm [mailto:[email protected]] On Behalf Of Haynes, Dan
> Sent: Wednesday, December 02, 2015 8:36 AM
> To: Romascanu, Dan (Dan); Linda Dunbar; [email protected]; [email protected]
> Cc: [email protected]
> Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario
>
> Hi Linda,
>
> Please let us know if there are any specific questions that we can answer for
> you, to help clarify the document, after considering it in the context of the
> SACM charter as Dan mentioned.
>
> Thanks,
>
> Danny
>
> From: OPSEC [mailto:[email protected]] On Behalf Of Romascanu, Dan (Dan)
> Sent: Sunday, November 22, 2015 9:48 AM
> To: Linda Dunbar <[email protected]>; [email protected]; [email protected]
> Cc: [email protected]
> Subject: Re: [OPSEC] [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario
>
> Hi Linda,
>
> Thanks for answering the call for review and having a look at this work.
>
> Concerning your 'little disappointment': This I-D needs to be read in the
> context of the current charter of the SACM WG. The WG charter focus for this
> phase is on the 'endpoint posture' and on the 'enterprise use case'. Maybe
> this makes things somehow more clear.
>
> Regards,
>
> Dan
>
> From: sacm [mailto:[email protected]] On Behalf Of Linda Dunbar
> Sent: Thursday, November 19, 2015 10:36 PM
> To: Romascanu, Dan (Dan); [email protected]; [email protected]
> Cc: [email protected]
> Subject: Re: [sacm] [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario
>
> Reading through the document has made me feel that the title of the draft is
> misleading.
>
> Based on the title I was expecting to see the Vulnerability Assessment of
> various network scenarios, which will be very useful information for
> enterprise and service provider network administrators to put in adequate
> tools to protect those vulnerabilities.
>
> But the document only describes the procedure in authenticating an end
> user/points and states that you need to compare with the Vulnerability report
> (almost like common sense) without saying how and what. I guess I had too
> high an expectation, but am a little disappointed at not finding the
> information I was looking for.
>
> Linda Dunbar
>
> From: OPSAWG [mailto:[email protected]] On Behalf Of Romascanu, Dan (Dan)
> Sent: Thursday, November 19, 2015 7:51 AM
> To: [email protected]; [email protected]
> Cc: [email protected]
> Subject: [OPSAWG] Feedback on the SACM Vulnerability Assessment Scenario
>
> Hi,
>
> I am reiterating a request that I made at IETF 94 in the OPSAWG meeting, and
> also sent to the mail lists of opsec and opsawg. The SACM WG is considering a
> document https://datatracker.ietf.org/doc/draft-coffin-sacm-vuln-scenario/
> that describes the operational practice of vulnerability reports, which
> we believe is an important use case in the security assessment life cycle. We
> are requiring feedback from operators about the scenario described in this
> document - does it make sense? Is it similar to what you do in operational
> real life? Are you using similar or different methods for vulnerability
> assessment in your networks? A quick reading and short feedback would be
> greatly appreciated.
>
> Thanks and Regards,
>
> Dan
>
> _______________________________________________
> sacm mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sacm

--
Best regards,
Kathleen

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
