Replies: 4 comments 4 replies
-
A supplier does not know how or where the product will be utilized. The deployer is fully aware of the where and may also be aware of how the product will be utilized as they are applying the update. |
Beta Was this translation helpful? Give feedback.
-
Gut reaction to just this question:
Obviously, the line blurs because Product-as-a-service is a thing. |
Beta Was this translation helpful? Give feedback.
-
I need to think about the broader point more though. One not entirely unrelated thought I've had recently is that I'm starting to think of SSVC as including:
Partly because I've been messing with python enums way to much lately, I've had the idea that the SSVC "parts catalog" could include things like CVSS vector elements too, or the criticality concept from #216 for example. We could potentially define and manage an entire library of decision points independently of which trees they are used in. Like defining a formal vocabulary encoding of vulnerability-management-relevant features. |
Beta Was this translation helpful? Give feedback.
-
I think we are saying pretty similar things here. I would like to see us also manage some different example trees for different supply chain points and information gathering maturity levels. But in respect of the supply chain position being, shall we say, fluid, we could move away from rigidly defined stakeholder roles along the supply chain. Coordinators remain somewhat separate in a different way, though, and we shouldn't lose that. |
Beta Was this translation helpful? Give feedback.
-
Based on a discussion with @thomas-proell and @bs37208. However, I have digested their comments, so should not be taken to represent their views directly.
"supplier" is not the best way to model this kind of stakeholder, because every supplier is in the middle of a supply chain and they will always be absorbing fixes from their dependencies.
This is addressed briefly here.
https://github.com/CERTCC/SSVC/blob/82363313b2f0c17308bce829753641bda77e73e3/doc/md_src_files/040_stakeholders-scope.md?plain=1#L16C1-L24C93
I'd like to use this discussion to ask a more fundamental question:
What actually is the difference between a supplier and a deployer? Is the fact that it is a spectrum of information about how a system or piece of software will be used mean that we eliminate the distinction but instead provide 3-6 example trees and say something more along the lines of "use whatever one you have the information for" with a bit of a caveat that there are some decision points that folks could gather information on as their mature their asset management and vulnerability management processes? So provide more example trees, with some being "starter" trees with fewer decision points and a growth pattern for how it might look as the stakeholder gathers more information?
This is related to a maturity process for stakeholders that I have discussed with @jeroenh .
@ahouseholder probably also related to Vultron and MPCVD.
Beta Was this translation helpful? Give feedback.
All reactions