The CNA Summit Agenda looks reasonable. As long as the government is still open, Dave and I will present the CVE Federation Philosophy and moderate the discussions. Personally, I think we need to include the backup session in the overall agenda. Some of it will be touched on in the multi-vendor discussions. It seems like the type of topic discussion that this set of participants could add real value to. (Also corrected your numbering below… ;-)
Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
+1.817.637.8026
kent_landfield@mcafee.com
From: <owner-cve-cna-list@lists.mitre.org> on behalf of CNA Coordinator Email <cna-coordinator@mitre.org>
Date: Tuesday, January 23, 2018 at 3:02 PM
To: cve-cna-list <cve-cna-list@lists.mitre.org>
Subject: Proposed Agenda Topic for the CVE CNA Summit, 13-14 February, 2018
Dear CNA Representatives -
The following is a list of topics for the CVE CNA Summit, which is being held on February 13 – 14, 2018 at the MITRE McLean, VA campus. Please review it, and if you have additional topics that you would like to see covered, please respond to this email with your suggestions and comments. A separate email with instructions for attending, directions to the MITRE McLean site, and accommodations in the area will be forthcoming.
Thank you for your participation and support; we are looking forward to hearing from you!
Regards,
The MITRE CVE Team
>>>>>>>>>>>>>>>>>>
- Panel Discussion – The Current State of CVE and the CNA Program – Where we are, and the need to scale the program
  - This is an introductory panel discussion designed to describe where we are with the CVE program, and the progress that has been made in advancing a federated system that will enable CVE to scale into the future.
- CVE Federation Philosophy – Root CNAs, Sub-CNAs, and how they are organized
  - This session will cover a range of issues:
    o Current status of the federated CVE program
    o Problems and challenges that we face today
    o How do we transition to the future?
  - This session will also feature a discussion of a CVE Board proposed CVE Operational Program Structure that will better position the project for success as CVE scales to meet an increasingly large need.
- CNA Rules 2.0 Discussion – Impact of the changes, and how other incremental changes will affect CNA operations
  - This open discussion will cover the impact on CNAs of the changes to the CNA rules, and will include a discussion on the rules that have the greatest impact on the operations of CNAs. We are discussing the possibility of moving from a model of yearly rules changes to a model of changes as needed, and we would like to understand the impact of changes to CNA processes.
- Panel Discussion – Accelerating CVE Data Exchange: Automation and the Git Pilot
  - This session will cover efforts by the CVE Automation Working Group to accelerate the exchange of vulnerability information from vendors and researchers to the CVE list. Topics here will include the use of GitHub for CVE submissions, advances in data collection, formatting and distribution, and plans for future improvements.
- Ownership and Timeframes for Multi-Vendor Vulnerabilities
  - This session will cover the following:
    o Rapid population of CVEs by the Issuing CNA.
    o What should the timeframe be for another CNA to wait before taking over the responsibility to issue the CVEs?
    o Should there be a trusted group of CNAs (e.g., a Vulnerability Coordination Working Group) to handle these issues?
    o How should coordination across products and vendors be handled?
- Open Source Software – Process for Assigning CVE IDs and Formatting Advisories
  - Vulnerability researcher Larry Cashdollar and Chandan Nandakumaraiah of Juniper Networks will present their tools and processes for tracking discoveries and assigning CVEs. They will cover the research & discovery process, organizing data, and creating an advisory with the associated JSON for entry into the CVE database.
  - The floor will then be opened to all participants to compare their tools and processes.
- CNA Onboarding and Management
  - This session will cover the process that the project has adopted to bring new CNAs into the program and to assist them in becoming fully functional. CNA training and guidance will be discussed as well. CNAs are welcome to express their opinions on how the Onboarding program is working, how it can be improved, and what issues new CNAs face as they come up to speed.
  - As the CVE program continues to expand into new sectors, management of CNAs will be increasingly important.
- Rules for Updating CVE Entries
  - The CNA Rules are focused on assigning CVE IDs and getting the CVE entries populated. They are mostly silent on updating CVE entries once they are populated. New rules should be developed to cover:
    o Who can update the entries,
    o What they can update,
    o And under what conditions.
- How should hardware be incorporated into CVE?
  - Hardware is an overly broad term that presents problems for the assignment process.
    o Should anything that could be considered hardware be included? For example, can an ID be assigned to a flaw in a lock or safe? Can the term be limited in a reasonable way, such as computer hardware or digital hardware?
    o Should physical attacks be considered a vulnerability, e.g. is it a vulnerability if I can throw a thermal blanket over an infrared detector?
  - Meltdown and Spectre – How should CVE handle these types of issues?
- Is there value in incorporating services into CVE?
  - This session is designed to be an open discussion regarding the need for CVE to expand into the services sector.
- Developing a registry of vendor and product names, and CNA and non-CNA contact lists, in JSON
  - This discussion began in the CVE Automation Working Group as a necessary tool for accelerating the processing of incoming CVEs. One possible approach is to start with CNAs, then branch out to non-CNAs.
- Developing an official policy for which year to use in a CVE ID
  - The CNA Rules do not cover which year to use when assigning a CVE ID. This has resulted in inconsistent assignment policies and confusion by both CNAs and downstream consumers. As we expand the CNA program this problem is only going to increase. We should develop a single process for all CNAs to follow.
- Future of CNA Summits
  - Discussion of how the summit went, how to improve, and creation of a working group to plan the next summit.

Backup Sessions

Workshop
- CVE and Supply Chain Relationships: How vulnerabilities flow down to other products
  - This session will cover vulnerability identification and naming versus supply chain and relationships among products and vendors.
  - There are different types of CVEs and different relationships among companies in the communities; these are interrelated with the supply chain, which also includes multiple vendors.
  - Coordination between vendors is a critical issue. CVE would provide guidance on supply chain vulnerability identification and naming without dictating operational requirements.