Re: Juniper to be added to the official list of CNAs
On Wed, 27 Apr 2016, Art Manion wrote:
: I believe Brian that Juniper has issues. I have first hand experience
: with another vendor CNA who has not followed the rules. I'm pretty sure
: there are other examples.
A bit of an understatement. =)
Almost every single CNA has had screw-ups in assignments in the last 12
months, including Oracle, Microsoft, and Adobe. The one CNA I can't find
fault with lately is Silicon Graphics.
: Speaking of consequences, what if Juniper doesn't follow the rules?
: Withdraw their CNA status? Then who is going to issue CVE IDs for
: Juniper vulnerabilities? If a CNA assigns incorrectly, reject their
: assignments. If the CNA actually wants their CVE IDs to count, they'll
: shape up. If they don't, de-list them. And yes, this does sound like
: laissez-faire. The current model doesn't scale.
And I have spoken to this point as well. We don't just need rules, we need
a clear path on how MITRE will deal with them if they aren't following
rules. Unless MITRE decided to keep me out of the loop after I reported
CNAs not following rules many times, then I don't believe MITRE has been
following up with them much at all. Or perhaps for a fraction of my
complaints.
I can't imagine MITRE will actually revoke a CNA, because it goes against
their selfish interests (CVE is part of a multi-million dollar contract
they enjoy every year). That is a grim reality we need to remember as we
discuss this problem. I only bring it up because many of us had proposed
that MITRE bring on more CNAs several years ago, and that was met with
silence or opposition (usually in private). Now that they are being called
to task, it seems greenlighting new CNAs could be their answer, even if
the vendor has a history of bad assignments and board members object.
I think what bothers me about this discussion isn't just that I had issues
with Juniper before the CNA status came up, but now that it is public...
what is happening? It would take less than eight hours for one of the
abundant MITRE employees tasked with CVE duties to audit Juniper's
advisories for the last couple of years, and determine how accurate their
assignments are. Given that Juniper has been requesting those IDs from
MITRE, they could further compare the email requests to the public
advisories to really gauge Juniper's understanding of the process. That is
something I cannot do, since I don't see the ID request emails. Yet, I
track CNA failures in a passing degree via several other data aggregation
initiatives that have a side effect of giving me that data, and more.
Eight hours of figuring out where Juniper stands in this process is a
no-brainer to me, given that every bad public assignment can snowball and
cause serious grief for their customers, and in turn for any CVE customer.
The ROI on such a brief audit is clear.
In fact, every CNA, current or proposed, should be audited once a year, to
ensure they are following assignment guidelines. What seems minor and
pedestrian on the surface to many (e.g. assigning a 2016 ID to a 2015
issue), can also snowball in huge ways, as seen in the 2016 Verizon DBIR
report (pg13, 'Vulnerabilities' section) where the methodology is not
defined, and they may be using the year of the ID to attribute disclosure
attributes. Even if they don't, *many* others have historically done just
that when generating yearly vuln totals based on CVE data. These stats are
about the only ones you see in any media, industry or mainstream. Because CVE
didn't think that 'disclosure date' was important to track in 1999, it means
almost every vulnerability stat today is absurd and wrong.
: Growing CVE is going to decrease fidelity. As far as I've thought about
: it, MITRE acting as CNA registrar/auditor/manager and ultimate arbiter
: of assignments from many CNAs might work as an organizational model.
In a perfect CVE world, MITRE would only act as a manager and auditor of
CNAs and do no assignments themselves (I could also argue they aren't as
qualified to do so anymore, but that is academic pedantry and a losing
argument due to social perception, not fact). I don't get how it is 2016
and this is just being brought up as a possible model; it falls somewhere
between amusing and disgusting, especially since I have never seen MITRE
propose it, while half a dozen other industry professionals have in the
previous years.