#93 Clerical updates to website front matter (#138)
* #93 Refined content and added JSON examples
* #93 continued clerical updates for initial front matter
* #93 fix bad link and add extra content to objects page
* Apply suggestions from code review

---------

Co-authored-by: David Waltermire <david.waltermire@nist.gov>
Chris-Turner-NIST and david-waltermire committed Oct 19, 2023
1 parent 7b7da31 commit a0dd316
Showing 29 changed files with 450 additions and 87 deletions.
26 changes: 13 additions & 13 deletions examples/vulntology-example.json
@@ -1,6 +1,6 @@
{
"$schema": "../schema/vulntology-json-schema-1.0-draft.json",
"Vulnerability": {
"vulnerability": {
"hasIdentity": [
{
"scheme": "http://cve.mitre.org",
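Review bot: the top-level key is renamed from "Vulnerability" to "vulnerability" in this hunk, so the example only stays valid if the referenced schema ../schema/vulntology-json-schema-1.0-draft.json already names the property in lowercase; validating the example against that draft schema before merging would confirm the rename is consistent on both sides. Also, the hasIdentity entry below still uses the "http://cve.mitre.org" scheme while the CPE entries in this file use https, which may be worth aligning.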
@@ -16,13 +16,13 @@
{
"scheme": "https://csrc.nist.gov/ns/cpe/2.3",
"values": [
"cpe:2.3:a:acme:acmeproductX:1.0.0",
"cpe:2.3:a:acme:acmeproductY:1.0.0"
"cpe:2.3:a:fake:fakeproductX:1.0.0",
"cpe:2.3:a:fake:fakeproductY:1.0.0"
]
},
{
"scheme": "https://nist.gov/cpe/2.2",
"values": ["cpe:/a:blah"]
"values": ["cpe:/a:fake"]
}
],
"hasCPEApplicabilityStatement": [
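Review bot: the placeholder values "cpe:2.3:a:fake:fakeproductX:1.0.0" and "cpe:2.3:a:fake:fakeproductY:1.0.0" are truncated. A CPE 2.3 formatted string carries eleven fields after the "cpe:2.3" prefix (part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other), as the cpe23Uri values later in this file show, so consider padding them with wildcards to match, e.g. "cpe:2.3:a:fake:fakeproductX:1.0.0:*:*:*:*:*:*:*". Separately, the two enumeration entries use differently shaped scheme identifiers ("https://csrc.nist.gov/ns/cpe/2.3" and "https://nist.gov/cpe/2.2") for what look like sibling namespaces; worth checking that both are the intended canonical URIs.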
@@ -34,12 +34,12 @@
"cpe_match": [
{
"vulnerable": true,
"cpe23Uri": "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:*",
"cpe23Uri": "cpe:2.3:a:fakevendor:fakeproduct:*:*:*:*:*:fake_TSW:*:*",
"versionEndIncluding": "32.0.0.114"
},
{
"vulnerable": true,
"cpe23Uri": "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:internet_explorer_11:*:*",
"cpe23Uri": "cpe:2.3:a:fakevendor:fakeproduct:*:*:*:*:*:fake_TSW:*:*",
"versionEndIncluding": "32.0.0.114"
}
]
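Review bot: after this change both cpe_match entries are identical ("cpe:2.3:a:fakevendor:fakeproduct:*:*:*:*:*:fake_TSW:*:*" with versionEndIncluding "32.0.0.114"), so the second entry no longer illustrates anything. The original pair differed in target_sw (edge vs internet_explorer_11); keeping that distinction with two placeholder values such as fake_TSW_1 and fake_TSW_2 would preserve the point that one vulnerability can match several platform-specific CPEs.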
@@ -49,11 +49,11 @@
"cpe_match": [
{
"vulnerable": false,
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*"
"cpe23Uri": "cpe:2.3:o:anotherfakevendor:anotherfakeproduct:*:*:*:*:*:*:*:*"
},
{
"vulnerable": false,
"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*"
"cpe23Uri": "cpe:2.3:o:anotherfakevendor:yetanotherfakeproduct:*:*:*:*:*:*:*:*"
}
]
}
@@ -70,7 +70,7 @@
"affectsProduct": {
"hasEnumeration": [{
"scheme": "https://nist.gov/cpe/2.3",
"values": ["cpe:2.3:a:acme:acmeproduct:1.0.0"]
"values": ["cpe:2.3:a:fake:fakeproduct:1.0.0"]
}],
"hasCPEApplicabilityStatement": [
{
@@ -81,12 +81,12 @@
"cpe_match": [
{
"vulnerable": true,
"cpe23Uri": "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:edge:*:*",
"cpe23Uri": "cpe:2.3:a:fakevendor:fakeproduct:*:*:*:*:*:fake_TSW:*:*",
"versionEndIncluding": "32.0.0.114"
},
{
"vulnerable": true,
"cpe23Uri": "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:internet_explorer_11:*:*",
"cpe23Uri": "cpe:2.3:a:fakevendor:fakeproduct:*:*:*:*:*:fake_TSW:*:*",
"versionEndIncluding": "32.0.0.114"
}
]
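Review bot: same duplication as in the earlier hasCPEApplicabilityStatement block: once target_sw is replaced by fake_TSW, the two cpe_match entries here collapse into identical cpe23Uri and versionEndIncluding values, so either drop one entry or give the placeholders distinct target_sw values.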
@@ -96,11 +96,11 @@
"cpe_match": [
{
"vulnerable": false,
"cpe23Uri": "cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*"
"cpe23Uri": "cpe:2.3:o:anotherfakevendor:anotherfakeproduct:*:*:*:*:*:*:*:*"
},
{
"vulnerable": false,
"cpe23Uri": "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*"
"cpe23Uri": "cpe:2.3:o:anotherfakevendor:yetanotherfakeproduct:*:*:*:*:*:*:*:*"
}
]
}
File renamed without changes.
27 changes: 0 additions & 27 deletions examples/xss-example-human-text.md

This file was deleted.

Binary file removed examples/xss-example.png
Binary file modified examples/xss-example.vsdx
7 changes: 4 additions & 3 deletions website/content/_index.md
@@ -1,5 +1,5 @@
---
title: "NIST Vulnerability Data Ontology"
title: "NIST Vulntology"
cascade:
suppresstopiclist: true
toc:
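Review bot: shortening the title to "NIST Vulntology" drops the only expansion of the name on the landing page; since the tagline and bullet list below refer to "the Vulntology" without explaining the term, consider keeping "Vulnerability Data Ontology" once in the intro text so first-time visitors learn what it abbreviates.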
@@ -13,8 +13,8 @@ to describe a vulnerability
{{< usa-tagline caption="Standardize your vulnerability descriptions." >}}
The Vulntology supports the expression of characterization details about:

- How a vulnerability can be exploited?
- What the impact of that exploit will be?
- How can a vulnerability be exploited?
- What will the impact of that exploit be?
- What mitigating factors can make exploitation difficult?

These details are provided in the context of a given attack scenario, which may differ in characteristics from other scenarios for the same vulnerability.
@@ -26,5 +26,6 @@ The Vulntology is not intended to be a general purpose format for describing vul
- To standardize the description of vulnerabilities through structured characterization formatting.
- To enable automated scoring agnostic of any particular system.
- To improve the level of detail in provided information for the purpose of assisting with defense while minimizing increased risk from attacks.
- To assist in establishing a baseline of the minimum information needed to properly inform downstream vulnerability management processes.
- To allow for easier vulnerability information sharing across language barriers
{{< /usa-tagline >}}
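Review bot: the new bullet "To allow for easier vulnerability information sharing across language barriers" is the only item in the list without a terminating period; add one for consistency with the four bullets above it.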
10 changes: 5 additions & 5 deletions website/content/about/_index.md
@@ -10,15 +10,15 @@ toc:

# The Vulntology

The Vulntology aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.
The Vulntology aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations. Improving vulnerability management process support across the board, including but not limited to information technology systems, industrial control systems or medical devices. The primary goals of the described methodology are to standardize the description of vulnerabilities through structured characterization formatting, enable automation of derived data points such as the Common Vulnerability Scoring System (CVSS), establish a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitate the sharing of vulnerability information across language barriers.

## Introduction

When two or more groups share information, a common vocabulary is critical for success. The cybersecurity landscape is relatively new and therefore is still in its infancy in developing these shared vocabularies. The ontology described in this document is a fundamental building block in developing that shared understanding for vulnerabilities among cybersecurity professionals. For the purposes of this document a vulnerability is defined as any weakness in the computational logic found in products or devices that could be exploited by a threat source [NISTIR 7298](https://csrc.nist.gov/pubs/ir/7298/r3/final).
When two or more groups share information, a common vocabulary is critical for success. The cybersecurity landscape is relatively new and therefore is still in its infancy in developing these shared vocabularies. The framework described by this project is a fundamental building block in developing that shared understanding for vulnerabilities among cybersecurity professionals. For the purposes of this project a vulnerability is defined as any weakness in the computational logic found in products or devices that could be exploited by a threat source [NISTIR 7298](https://csrc.nist.gov/pubs/ir/7298/r3/final).

The vulnerability management process consists of identifying whether an organization has endpoints containing the vulnerability, determining the exposure of the vulnerability within the organization and evaluating the impact of successful exploitation of a vulnerability within the context of the organization. An organization must determine whether the exposure and impact of a specific vulnerability warrants a response and prioritize that response among other critical activities. Organizations then need to make a similar decision for each vulnerability. The analysis needed to inform the prioritization is currently a time-consuming, manual process and is often based on reading security bulletins and vendor advisories which sometimes provide incomplete or conflicting information.

This document defines a framework that improves upon this manual process by supplying a structured format to describe vulnerabilities. Consumers of vulnerability information will be able use the vocabulary described in this framework to identify missing data points and encourage more complete and accurate vulnerability descriptions from their providers. More complete and accurate descriptions will better facilitate the vulnerability management process for organizations.
This project defines a framework that improves upon this manual process by supplying a structured format to describe vulnerabilities. Consumers of vulnerability information will be able use the vocabulary described in this framework to identify missing data points and encourage more complete and accurate vulnerability descriptions from their providers. More complete and accurate descriptions will better facilitate the vulnerability management process for organizations.

In addition to those responsible for an organization’s vulnerability management function, other stakeholders include:

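Review bot: the rewritten opening paragraph introduces a sentence fragment, "Improving vulnerability management process support across the board, including but not limited to information technology systems, industrial control systems or medical devices." Fold it into the preceding sentence, for example "... software and hardware implementations, improving vulnerability management process support across the board, including but not limited to ...". The line "Consumers of vulnerability information will be able use the vocabulary described in this framework" also still reads "able use" rather than "able to use"; since that line is already being touched for the document-to-project rename, fix the typo in the same change.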
@@ -30,11 +30,11 @@ In addition to those responsible for an organization’s vulnerability managemen

- Vulnerability Information Services: that need to provide vulnerability information to the consumers of their data, often performing additional analysis which can assist in the prioritization of vulnerabilities for organizations

All of these stakeholders need a common language to describe and characterize vulnerabilities as well as a way to express what information is needed to perform their activities. The framework in this document intends to provide this common language and to provide a way for stakeholders to describe required information.
All of these stakeholders need a common language to describe and characterize vulnerabilities as well as a way to express what information is needed to perform their activities. The framework in this project provides this common language, structure, and facilitates a way for stakeholders to identify desirable information.

## High Level View

A high level illustration that depicts the core differences between what is generally understood as the current model for a vulnerability and what this document proposes as enhancements to that model. While at first glance it may appear that we are taking a relatively simple system and proposing one that is far more complex, we believe that the complexity exists within both systems, but the consumer of the information is responsible for digesting the complexity in the current model where the Vulntology model displays the complexity up front in a structured manner.
A high level illustration that depicts the core differences between what is generally understood as the current model for a vulnerability and what this project proposes as enhancements to that model. While at first glance it may appear that we are taking a relatively simple system and proposing one that is far more complex, we believe that the complexity exists within both systems. However, the consumer of the information is responsible for digesting the complexity in the current model. Whilst the Vulntology model displays the complexity up front in a structured manner for provisioning of information by those closest to the source information.

The color coding associated to each box is intended to display how each of the previous concepts intertwine with the enhanced representation the Vulntology model represents.

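Review bot: the new wording in the High Level View paragraph splits one contrast into two fragments ("However, the consumer of the information is responsible for digesting the complexity in the current model. Whilst the Vulntology model displays ..."); "Whilst" cannot open a standalone sentence here. Suggested: "However, in the current model the consumer of the information is responsible for digesting that complexity, whereas the Vulntology model displays it up front in a structured manner for provisioning by those closest to the source information." The paragraph's first sentence, "A high level illustration that depicts the core differences ...", is also a fragment carried over from the old text and would read better as a full sentence, e.g. "This is a high level illustration that depicts the core differences ...".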
4 changes: 2 additions & 2 deletions website/content/contribute/_index.md
@@ -8,11 +8,11 @@ menu:

# Welcome to the Vulntology Community

We are excited that you want to contribute to the Metaschema project. We are striving to provide a collaborative environment for professionals and hobbyists alike to contribute to the project's goals and objectives.
We are excited that you want to contribute to the Vulntology project. We are striving to provide a collaborative environment for professionals and hobbyists alike to contribute to the project's goals and objectives.

## Contributing

We use GitHub as a collaboration platform for the development of the Metaschema framework. Within the project's GitHub repository you will find:
We use GitHub as a collaboration platform for the development of the Vulntology. Within the project's GitHub repository you will find:

- A [set of issues](https://github.com/usnistgov/vulntology/issues?q=is%3Aopen+is%3Aissue) for which we need your help. Feel free to pick from this list, or [reach out to us](#contact-us) about any other ideas you might have.
- [Guidelines](https://github.com/usnistgov/vulntology/blob/master/CONTRIBUTING.md) on contributing to this project.
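Review bot: both fixed lines were copy-paste leftovers from the Metaschema site text, so it is worth searching the rest of website/content for "Metaschema" before merging in case other pages carry the same leftover. Two smaller checks on the unchanged context: the guidelines link targets blob/master/CONTRIBUTING.md, which is only correct if master is still the default branch, and the "#contact-us" anchor needs a matching "Contact Us" heading on this page to resolve.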
