[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CNA requirements

To: Kurt Seifried <kseifried@redhat.com>, "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
Subject: Re: CNA requirements
From: Art Manion <amanion@cert.org>
Date: Tue, 31 May 2016 11:50:08 -0400
Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
Cc: "Adinolfi, Daniel R" <dadinolfi@mitre.org>, jericho <jericho@attrition.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-date: Tue May 31 15:11:23 2016
In-reply-to: <CANO=Ty0mnDazgBwFrTFaEeiT2fCYSx2fJ58D+UBYRJTGnUahTQ@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty0PsrLPV_a8+0bTc8wdQB8NDPLnZc+koSRUTHWV4-DrzA@mail.gmail.com> <B867A247-039F-443C-B1DD-724DFCEF7978@mitre.org> <FCE8BD10-195B-4C56-8B2A-B5DA654F3D41@gmail.com> <DM2PR09MB0365489807EE40CFDF0C3645F0480@DM2PR09MB0365.namprd09.prod.outlook.com> <CANO=Ty1ehpxvY81jnVCpKkYw3DJ-i_7E4cq43nDAT4i5Hyxa7Q@mail.gmail.com> <alpine.LNX.2.00.1605280142230.17809@forced.attrition.org> <55F14868-59A0-4695-BA34-A89C47D288EC@mitre.org> <7748E4BAEC3B964387F3535351DCBA1FB6691DE9@D2ASEPREA010> <CANO=Ty0mnDazgBwFrTFaEeiT2fCYSx2fJ58D+UBYRJTGnUahTQ@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 43da9c421be74aed97248473db21fd15
Spamdiagnosticoutput: 1:2
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.1.0

On 2016-05-31 11:35, Kurt Seifried wrote:
> I've actually never heard of ISO 29147, just checked and it costs well
> over $100 to get a copy of, so that's not going to work for most open
> source projects. More to the point we can boil down what is needed to
> the 5 steps I list in my previous email. 
> 
> On Tue, May 31, 2016 at 8:16 AM, Millar, Thomas
> <Thomas.Millar@hq.dhs.gov <mailto:Thomas.Millar@hq.dhs.gov>> wrote:
> 
>     Perhaps the removal of the word "mature" is the fastest way to an
>     acceptable resolution. Adjectives are hard.
> 
>     A secure engineering life cycle including regular vulnerability
>     disclosure and remediation activities, and/or self-attested
>     compliance with ISO 29147, might work as a definition.

It's free:

  http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

Current version may not be a sufficient measure of maturity, but worth
considering.  Next rev is under development.

That said, to me, CNA maturity is a subset of vulnerability
coordination/disclosure maturity.  They are certainly related, probably
around responsiveness.  But I could imagine a "good" CNA not being
"good" at other vulnerability response aspects.

 - Art

References:
- CNA requirements
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: CNA requirements
  - From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
- Re: CNA requirements
  - From: Kent Landfield <bitwatcher@gmail.com>
- RE: CNA requirements
  - From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
- Re: CNA requirements
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: CNA requirements
  - From: jericho <jericho@attrition.org>
- Re: CNA requirements
  - From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
- Re: CNA requirements
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: Re: CNA requirements
Next by Date: Re: CNA requirements
Previous by thread: Re: CNA requirements
Next by thread: Re: CNA requirements
Index(es):
- Date
- Thread