RE: Action items coming out of the CNA Summit

[Beverly Finch <beverlyfinch@lenovo.com>]

Thanks for the summary Kent!

I thought it was well worth the time and was glad to meet folks in person. 

Is it possible to get a roster of those who attended?

 

 

**For the latest on Lenovo security advisories, click here.**

 

Regards,

 

Beverly M Finch, PMP PSIRT Program Manager Product Security Office 7001 Development Drive Office 3N-C1 Morrisville, NC  27560	+1 919 294 5873 beverlyfinch@lenovo.com
Lenovo.com  Twitter | Facebook | Instagram | Blogs | Forums

 

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent
Sent: Wednesday, February 14, 2018 10:10 PM
To: cve-editorial-board-list
Subject: Action items coming out of the CNA Summit

 

All,

 

For those that joined us and participated in the CNA Summit, thank you. It was a very good event and the feedback was outstanding. I personally think we accomplished a great deal of what we tried to achieve.

 

After the summit ended, a few of us met to discuss what we had heard and what we thought we might need to be doing moving forward. The group included MITRE CVE leadership and a few Board members. We came up with a reasonable list of action items which are reflected below.

 

CVE/CNA Summit

 

This was a very productive summit. It is obvious that we need to do these on a more regular basis. The discussions we had suggested we should have these once a year. Additionally, we would like to consider having two online events for the combined CVE Board and CNA community each year.  These events will be treated much like a mini-CVE/CNA summit.  The focus would be multi-hour, not multi-day as the physical F2F meetings are.

 

CNA Liaison Board Representative:

 

It was apparent that we have not done a really good job of keeping the CNA community properly informed of both Board actions and working group status. One of the thoughts we had was to create a seat on the Board for a liaison representative from the CNA community. The thought was this would be an elected position that the CNAs would vote on at the newly established CVE/CNA annual summit. This position would be a full voting member of the Board, who would  have a one-year term. They would be responsible for acting as a representative to the CNA community, assuring CNAs were up-to-date with various status and activity related information. This position would be the conduit for CNAs to bring things to the Board in a more official and structured way. This would be a two-way street when it comes to information. Things the Board needs to get answers to, the Liaison would research, poll the CNAs and report back.  I have volunteered to develop the initial wording for Charter changes and will involve the Board if it is so decided to move in this direction.

 

CNA Collaboration WG:

 

An additional thought, to better involve the CNA community, was to create a CNA Collaboration working group. This group would be populated by CNAs and a few Board member representatives. The intent was to provide a forum for allowing certain CNA specific activities to occur. For example, the Collaboration working group could take control of the Summit planning, site and date selection process. They could establish the at-large CNA liaison voting process. The group could collaborate on needs and requirements directly related to CNAs. We discussed using this group to experiment with using Google Groups as basis for their communication and collaboration. 

 

Existing Working Group Changes:

 

Through the course of the summit we discussed various opportunities to automate certain aspects of the CVE operations and infrastructure. When the Automation WG was initially set up, it was intended the working group would be the place where the needed automation infrastructure requirements were developed and then efforts created to actually do the implementation for each of the identified projects.  The Automation working group has a great deal on its plate right now but from very tactical perspective. It was felt we need to restructure how the Automation WG works to achieve the initial intent. Instead of creating working groups for each of these projects, we have decided to create projects that are not considered permanent working groups but in fact are ‘short-term’ project working groups. Below are areas of needed automation we discussed that would benefit us today and in implementing the new federated infrastructure.

 

• Establish a shared ID allocation service requirements project
• Establish a CNA registry capability requirements project
• Establish a CNA Authorized Automated Submissions projects
• Implement a JSON format project to enhance and standardize the format for add items such as translations, etc.

 

You’ll notice that these are requirements projects. After the requirements projects are done, those projects will terminate, and we will look to create design and development projects to support those phases, which may or may not contain the same participants.  The actual Automation working group will focus on more higher-level architecture and project management to assure the automation needs of the federated roles can be properly supported in the future, while being able to be used today to reduce MITRE’s existing workload. If there needs to be additional projects, they can be created under the Automation WG.

 

As a part of the discussions, it was felt there needs to be a Chair selected for each of the working groups. The Chair identified for the Automation WG is Chris Johnson of NIST. I will act as the Chair of the Strategic WG.

I am on the hook to write a brief description of existing WGs and for the associated projects listed above.

 

Community Tools:

During the summit, various CNA’s offered to contribute tools for the community’s benefit. Chandan Nandakumaraiah (Juniper Networks) demonstrated his Vulnogram.gethub.io environment for creating CVE JSON data, and Oracle offered a tool for translating CVRF formatted documents to JSON. MITRE is going to establish a location to store tools contributed by the CNA community on github. They will then send a message to the CNA and Board lists describing how to contribute tools and where to retrieve them.

 

CVE Awards:

We discussed how to recognize and incentivize good behavior. We talked about issuing CVE awards. Reality is we don’t understand what they should be at this point, as in what should be rewarded… That is a conversation we need to have on the Board.   It was discussed that we should make rewards public but find ways to correct bad behavior privately.

 

Other action items to come out of the discussions are:

 

• MITRE to summarize Board activities and discussions for the CNA community – Quarterly – May want to work with the new CNA Board Liaison on this effort.
• MITRE standup a resource page for CNAs – this will be a list of where all the individual resources are, with a one-line description.  
• MITRE to periodically resend message of WGs and project descriptions to CNA-List to alert newly added CNAs as to opportunities to assist – may be able to automated this with a cron job.
• Jonathan to post the existing training slides as is
• MITRE to compile a survey for CNAs that attended the summit for feedback and questions

 

As these topics are under consideration, we thought they needed to be discussed on the next Board call.   To those in attendance during the discussions, please correct any errors. Those are all mine. ;-)

 

Thanks again for all the work that went into putting on this successful summit. 

 

Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!

-- 

Kent Landfield

+1.817.637.8026

kent_landfield@mcafee.com