[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DWF and CVE Integration Proposal

Great, I'm glad you're thinking ahead of me.

Cheers,
Pascal

On 04/06/2016 09:57 AM, Kurt Seifried wrote:

On Wed, Apr 6, 2016 at 7:51 AM, Pascal Meunier 
<pmeunier@cerias.purdue.edu>
wrote:


That sounds excellent.  The devil will be in the details, such as 
business
continuity planning and lifecycle planning (e.g., what to do if/when a 
root
CNA winds down).  There's an implicit assumption that, using the current
DWF setup as example, GitHub won't fail, and so on.  However that should
all be fixable later and is no reason to delay.



Quite the opposite, I assume at some point GitHub will fail/pull a 
source
forge or do something else that results in us having to move. And 
that's ok
because everything is in Git and trivial to completely keep an update to
date archive of (just issue a pull request every X hours for your local
copy). We would potentially lose the Issues (bug reports) but that 
would be
far from a crippling blow (also assuming we can copy/export the issues
data).

As for organization continuity that's why there is 5 members on the DWF
board.




Great start!  I can't wait to see that seed bloom.

Pascal




On 04/06/2016 06:52 AM, Landfield, Kent B wrote:


All,

Following up on the conversations we had on the Board call last week,
Kurt, the DWF Board, myself and other CVE Board members have been 
working
to put together the proposal as requested by MITRE.  We have tried to 
lay
out what the intent, parameters, expectations and hopefully what the
successful outcome will result in.

We were pleased to hear MITRE’s agreement with the overall objective of
the project on the call and to see it listed in the minutes of the Board
meeting.  As requested by Jon Baker, we have documented the proposal 
and it
is submitted below.

We believe it is in the best interest of CVE and the community to
initiate the DWF / CVE Integration Project as soon possible.


DWF and CVE Integration Proposal

Proposers:
Harold Booth, NIST (harold.booth@nist.gov<mailto:harold.booth@nist.gov>)
Larry W. Cashdollar, Akamai Technologies (larry@akamai.com<mailto:
larry@akamai.com>)
Kent Landfield, Intel (kent.b.landfield@intel.com<mailto:
kent.b.landfield@intel.com>)
Art Manion, CERT/CC (amanion@cert.org<mailto:amanion@cert.org>)
Brian Martin, OSF / OSVDB (jericho@attrition.org<mailto:
jericho@attrition.org>)
Kurt Seifried, Red Hat (kseifried@redhat.com<mailto:kseifried@redhat.com

)

David Waltermire, NIST (david.waltermire@nist.gov<mailto:
david.waltermire@nist.gov>)
Zachary Wikholm, Independent (kestrel@trylinux.us<mailto:
kestrel@trylinux.us>)
Area of Focus
The Distributed Weakness Filing (DWF) Project provides a community based
Open Source process oriented solution to getting CVE identifiers into 
the
hands of people that need them. The DWF aims to work with security
researchers and other “producers” of CVE IDs to assure the timely
assignment of IDs. The project’s major focus is to become a CVE 
Numbering
Authority (CNA) targeted primarily at the Open Source community.

Proposing a New Type of CNA
The overall purpose of this Proof of Concept (PoC)  is to test the
validity of creating a new class of CNA. In the past CNAs have been, for
the most part, an endpoint in the CVE ID issuance process. Authorized 
CNAs
have been issued a block from the CVE ID pool they have then used to 
issue
their own organizational IDs. This proposal is to create a Root CNA. The
DWF Root CNA will be able to act as an existing CNA by issuing CVE IDs 
as
requested. Additionally, the DWF Root CNA will be able to  train and
coordinate other organizations and people to create CNAs that live 
within
the DWF namespace.

As this is a PoC, the plan is to take a “fail fast” approach. DWF will 
be
experimenting where we believe good ideas should be put into an 
operational
production environment to test the usefulness of the idea.

The following are the proposed specifics of the effort:


●    The DWF Project will act as a CNA and ensure no conflicts between
DWF and current CVE ID ranges. The DWF will start at a high range of
numbers to avoid conflicts with CVE numbers.

●     DWF Project will use the ID range CVE-YEAR-1000000 through
CVE-YEAR-1999999.

●    The DWF will assign CVE IDs to answer requests sent directly to the
DWF by researchers, vendors and others.

●    Any subordinate DWF authorized CNAs will only be allowed to exist
under the DWF hierarchy and be restricted to the DWF authorized 
namespace
(that is CVE-YEAR-1000000 through CVE-YEAR-1999999).
The DWF project will continue to work with MITRE and others to create
guidelines and requirements for CVE requests, CNA creation, curation of
CVEs and so forth. As mentioned earlier, the DWF will focus on Open 
Source
software, security researchers and security vendors that find and report
security vulnerabilities.

The DWF Project will continue to coordinate closely with MITRE and the
CVE Editorial Board to ensure compatibility with existing and future CVE
requirements and processes such as “what counts as a vulnerability”,
SPLIT/MERGE and so forth.

DWF will work with MITRE and the CVE Editorial Board to create a base 
set
of documentation of best practices that can assist with the development 
and
processes of the Root CNA usage and deployment.  While targeted towards
DWF, the documentation can be used by others within the CVE management
community.
Proposed Outcome
The intent of this POC is to determine the effectiveness of new
techniques, ideas and a new hierarchy-based model for CNA creation and 
CVE
issuance. If successful, this approach will allow for other Root CNA
authorities to be set up. Future CNAs could be assigned based on 
technology
sectors or national boundaries thus allowing expansion and expertise in
areas of vulnerability identification not currently possible in the
existing CVE management approach/scheme.

---
Kent Landfield
+1.817.637.8026
Page Last Updated or Reviewed: April 12, 2016