CVE Board Meeting 10 January 2018
Board Members in Attendance
Andy Balinsky (Cisco)
Mark Cox (Red Hat)
Beverly Finch (Lenovo)
Kent Landfield (McAfee)
Art Manion (CERT/CC)
Scott Moore (IBM)
Kurt Seifried (Red Hat/DWF)
Taki Uchiyama (JPCERT/CC)
Dave Waltermire (NIST)
Scott Lawler (LP3)
Ken Williams (CA)
Members of MITRE CVE Team in Attendance
2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin
2:05 – 2:25: Working Groups
2:25 – 2:50: CNA Update
General – Jonathan Evans, Nick Caron
2:50 - 3:00: CVE CNA Summit Topics for the Agenda – Joe Sain
3:00 – 3:30: CNA Feedback Mechanisms – David Waltermire
3:30 – 3:45: CVE Board Membership, alternates, and succession planning – Chris Coffin
3:45 – 3:55: Open Discussion
3:55 – 4:00: Action items, wrap-up – Chris Coffin
Review of Action Items from Last Meeting
Board Working Groups
Strategic Planning Working Group (Kent Landfield)
STATUS: One issue the WG has been working on is to try and figure out what the roles/functions for the CVE program are in a federated environment. For example, what does Primary CNA really mean? Is it just a grouping of roles? Kent presented slides on “CVE Program Roles.” These depict how CVE might be organized in the future, 4 or 5 years down the road, and outline the various items (policy aspects, legal aspects, etc.) for CVE. The role of Authorized Data Publisher is new; it is similar to NVD. This would be a role that would exist both at the top level (across the program) and within specific roots. The CNA of Last Resort (CNA-LR) is at the root level; it ensures that if there are direct conflicts, someone is responsible for resolving them, and it also covers assignments where no coverage exists (outside existing CNA scopes). This role would take care of retail assignments, and at the same time, we believe that the roots should be a CNA-LR for their scope, since the information they understand about their environment is most accurately addressed within that root. There is the potential for having the CNA-LR be an actual role inside the root, or the root could designate that to an outside organization. The WG is trying to establish a group of roles that depict what MITRE’s current position is, so that we can break this up conceptually and have a better understanding as to where we are trying to go in the future (a federated environment), and to put some meat behind that standpoint going forward. Dave Waltermire said some of his thinking when creating these roles came out of the CNA Rules document. There is some duplication of responsibilities currently; how would the CNA Rules fall out in a more granular, role-based approach? These proposed roles would create clear lines of communication and oversight, and will help us have a more productive conversation in terms of who, under what role, needs to do what. 
Kent said they are trying to establish these roles to make sure they are legitimate and to add flexibility so that the roots have some control as well. It makes sense to have a CVE Mentor program. All roles are up for discussion; they aren’t hard and fast. We are going to try and flesh these out a bit more so that they can be understood by all. There are other things we need to address and have answered. But the key is that when we started having these conversations, it stemmed from what Dave saw in the CNA rules. The slides will serve as a conversation point for the next couple of meetings.
Another thing that was discussed was trying to find the right time to meet, given the various members’ different time zones and schedules. Beverly Finch conducted a doodle poll. Meetings will be on Mondays at 4:00 p.m. ET.
ACTIONS: Share slide deck and get comments from the Board (Dave Waltermire posted here: https://docs.google.com/presentation/d/1rgGG9nwbvzccHPYJhbgRxLa9PhAnSj8t5m5dzsQuIxg/edit#slide=id.p17). Chris Coffin needs to send out updated invite for 4pm ET on Mondays.
Automation Working Group (George Theall)
STATUS: George relayed to the group the Board’s request that the group document how users should download CVE data, and stated that the effort has not yet started. Discussed the status of automation for phase 3. Briefly talked about having CNAs participate in the GitHub Pilot. How can we best support CNAs that have questions in a group setting? Discussed how to share infrastructure and code with the community without getting into specifics. Discussed implementation of a CNA registry in JSON and extending it to non-CNA vendors: information about each CNA that the CNA itself would maintain, such as GitHub users authorized to submit pull requests, CNA scope, security points of contact, etc. George will draft something and send it out to the Automation WG later on. Kurt noticed that a lot of people reference NVD downloads, and he’s wondering if we can get download references or stats. How many people go to MITRE vs. NVD? Kent thinks most vendors get their daily feeds from NVD, not MITRE. Dave said he suspects that once we start augmenting data in GitHub with CVSS scores, etc., that may actually start to shift.
DWF (Kurt Seifried)
STATUS: Kurt Seifried stated that they cleared the 2017 backlog and that there are about 200 badly formed CVE requests that can be used for training purposes. They are not taking in unstructured data ever again unless it is the embargoed stuff, but even for that, they will be looking at creating a template. It’s incredibly time consuming.
MITRE (CVE Team)
STATUS: Have not received any new CNA requests. We are going to be doing some training for Hikvision (http://www.hikvision.com) next week. A couple of CNAs have asked for training this month but nothing scheduled. Amazon reached out and said they are almost ready to become a CNA and would like to join the summit if possible. Chris Coffin asked if there are objections to having a representative from Amazon at the summit; no objections were voiced. Kent Landfield added that we don’t want to do training at the summit, but having Amazon attend for networking purposes will be a good thing.
Working on CNA report card—should be out sometime next week (Jan 15 -19).
CVE CNA Summit Planning – Joe Sain
STATUS: Proposed topics:
Joe Sain: Recommend starting early on 2/13 and ending around noon on 2/14. Is that okay? Kent said we will all be there, so we need to make sure we get everything done. Let’s work on the agenda and see how much time we will need.
>>Discussion: Kent Landfield--The idea of reaching out to the CNA list would be useful as to what they would like to see discussed; also to see if they have people that would like to step up and speak to these issues. This seems to overlap with the later “CVE Federation Philosophy – Root CNAs, Sub-CNAs, and how they are organized.” Should remove “plans going forward” from this talk and leave it for the Philosophy discussion.
Landfield – This may be better suited to Dave Waltermire. Kurt Seifried indicated he will likely not attend in person, but will be available via telecon.
>>Discussion: Kent Landfield —this may be where the first Vulnerability Working Group could participate. Kurt Seifried —main concern is getting CVEs published quickly. Can a trusted CNA populate a CVE? Kent Landfield —we need to make a one paragraph abstract as to what the focus is for each of these topics so that we are not all bringing our baggage into it. George Theall said this is only a problem until we automate. Kent Landfield —we could turn this into a “what if” kind of conversation as opposed to us dictating something. We want to know what works for the CNAs. Setting the topic areas and then opening the floor up would be a good use of our time because we need to hear that feedback. Joe Sain will draft up a paragraph for each topic. Is it worth having a separate discussion on open source? Kurt Seifried --The original CNA needs to hold the bucket on it. Art Manion recommends adding to the CNA rules that if you’re the assigner for a multi-vendor issue, it’s your responsibility then to hurry up and push to populate the entries. Kurt Seifried—Biggest decision boils down to if the originating CNA does not populate it in a certain timeframe, who populates it? MITRE? Another trusted CNA? What is the timeframe? We need to have some standards in place to address this.
>>Discussion: Kent Landfield --Coordination becomes a critical aspect here. Kurt Seifried —one thing that CVE tried to avoid was dictating operational requirements. Everyone ships open source; not sure that CVE is the right forum for this. Chris Coffin—I think it’s more about having guidance so people know what to expect and how to possibly address the problem. Art Manion—I am still willing to moderate this topic; I will give some thought as to whether this is a CVE problem or not. If our agenda is full without this topic, we can table this discussion. Chris Coffin—this can be a backup topic.
>>Discussion: Chris Coffin--May be good to introduce the slides that Kent presented earlier regarding the roles. Kent Landfield—I see federation aspects as a transition to the future. That in itself could garner a lot of conversation or none, but it needs to be separate from the discussion here.
>>Discussion: Chris Coffin—get CNA thoughts on how we need to update the CNA rules. Dave Waltermire—how, in general, do changes to the CNA rules impact them? We need to be better informed on the impact of changes.
>>Discussion: Chris Coffin—should the counting rules include specific recommendations if it is a hardware issue? Kurt Seifried —the Intel thing is a great example because my thinking goes to the IoT. For hardware, we need to look at a lot more consolidation because of the way supply chains work. Chris Coffin—we need to also make sure we define the scope.
>>Discussion: Kent Landfield—that would be a good discussion to have. Andy Balinsky indicated he will not be able to attend the summit. Kurt Seifried —is it possible to invite someone from Cloud Security Alliance (Victor Chin) and maybe look into CVEs for things that are pure services? No objections. Jonathan Evans—we could ask Amazon, since they want to send a representative, if they have someone from AWS that would be interested in attending.
>>Discussion: Chris Coffin--That was part of the discussion in the automation WG.
Art Manion—I see these as distinctly different topics; I would group the product name topic with the supply chain topic. Kurt Seifried —I suggest we add service names as a separate topic. Maybe the same for hardware.
Chris Coffin—any suggestions for additional topics? Kent Landfield again suggests that a paragraph be created for the purpose of each of these and sent to the board and let them think about it more and perhaps revise.
ACTIONS: MITRE to reach out to the CNA list to see what they would like to see discussed; also to see if they have people that would like to step up and speak to these issues. Joe will draft up a paragraph abstract for each workshop topic and send to the Board for review.
CNA Feedback Mechanisms (Dave Waltermire)
Status/Issue: Chris Coffin—this agenda item refers to communications among CNAs when there are issues pertaining to one or more CNAs. We need to establish direct feedback between other CNAs and the community. Dave Waltermire—my general concern is there are many costs associated with being a CNA. Under the federated model, we need to identify who the responsible CNA is. That is one area where reaching out can be a time consuming and painful task if you do not know who the right people are to talk to. There is also a need to facilitate communications amongst disparate stakeholders in this community. Interested in having a more long-term conversation in how to address this. Chris Coffin—as of today, MITRE has this (contact) information for the CNAs but does not share it. That means that MITRE has to be in the middle of all communication between CNAs. Dave Waltermire—as CVE is federated, CNAs need to be able to communicate. Kent Landfield—this is a perfect topic of discussion for the summit. Dave Waltermire—should be early in the day, maybe with the discussion on roles. This will help frame a lot of discussions.
Actions: Chris Coffin—Art Manion and Kent Landfield, we need to send out some information to the Board on what we have discussed on this topic. Dave Waltermire said he would be happy to put together a slide or two to start the conversation.
CVE Board Membership, alternates, and succession planning (Chris Coffin)
Status/Issue: Chris Coffin—Art (Manion) and I discussed if [it would be possible] to have backups for board members if they can’t make it to a call. Wanted to run it by everybody to see what you think about allowing a temporary (or permanent) stand-in. Kent Landfield—if a board member wants to resign, they can do so. They can nominate someone to go through the process before they leave. From a temporary voting perspective, that’s not covered in the charter we have right now and they cannot vote. Voting would be an area where I would not welcome a backup or stand-in participant unless you want to add that person as a board member. Dave Waltermire—I agree with a lot of what you are saying. I think the premise behind the Board is that it consists of a group of individual subject matter experts (SMEs). The reason we instituted the rule of one vote per organization is that we don’t want any one organization to have undue influence. I’m not sure that approaching the problem in the way you’re suggesting creates the right incentives (i.e., the law of unintended consequences). We are trying to expand the participation of the Board by getting more individuals who are passionate about the topic. We are trying to get more diverse perspectives. I’m afraid if we say the common practice is to nominate your co-worker so that you have a backup, that doesn’t facilitate the diversity of the Board. But from a voting perspective, if you want to designate a proxy because you’re going on vacation, that poses some problems because you may lose the SME aspect. Maybe for a period of time, you could assign a proxy to cover for you. If I went on travel for a couple of weeks and I knew there was a vote coming up, I could see where I would give someone instructions on how to vote on my behalf. That doesn’t violate the spirit of what we are trying to do here. Or we could extend the voting period. Kent Landfield—or we could pre-vote perhaps, but that may be problematic as well. 
Dave Waltermire—so that may be the only niche where having a proxy might work. Kurt Seifried—that’s how I ended up on the board, as a proxy for Mark Cox. Maybe we could look into different levels of membership (junior/senior). Mark Cox—you could perhaps appoint your proxy from within the Board members. Kent Landfield—this is an open discussion we need to think about and come back to. Chris Coffin—another thought. The board today is specific individuals, but there are organizations that want to be a part of the Board. Dave Waltermire—we need to have conversations about how CVE is governed. The governance organization may change over time. This is more of short-term tactical change but we need to have a bunch of longer term, strategic conversations. Kent Landfield—we’ve done that in the past and it did not go well (organizations vs. individuals). I would be against anything that took it away from the individuals at least in the near term. Dave Waltermire—how do we resolve this in the short term? Kent Landfield—reality is we are about to go to a Board vote on the Charter. Do we want to hold off on the vote to perhaps add in some verbiage about adding a proxy or back-up in the Charter? Dave Waltermire—does anyone have any proposed text on this? Chris Coffin—no. I vote we go forward with the vote on the charter (all agreed).
Actions: Add this topic to agenda for next meeting.
Mark Cox: No longer associated with the Red Hat Product Security team. New role is associated with Apache and OpenSSL. He has more time to focus on CVE. Ken Williams—what does MITRE use for CVE identifiers and tracking issues? Specifically regarding issues that Brian Martin has raised. Chris Coffin—we use an internal ticketing system based on CVE form. Brian generally sends us things to [hidden email], so it is less formal. We may want to encourage him to start using the form. Ken Williams—yes, it would be nice if we could get metrics from it and if these issues could be publicly available. Kurt Seifried—the cvelist repo is public (GitHub).
Summary of Action Items