CVE Board Meeting summary - 14APR2021



CVE Program Secretariat

Members of CVE Board in Attendance

Beverly Alvarez, AMD

Ken Armstrong, EWA-Canada, An Intertek Company

Tod Beardsley, Rapid7 

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Jessica Colvin, JPMorgan Chase

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Tim Keanini, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Pascal Meunier, CERIAS/Purdue University

Ken Munro, Pen Test Partners LLP

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Kathleen Noble, Intel Corporation

Lisa Olson, Microsoft

Shannon Sabens, CrowdStrike

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

James “Ken” Williams, Broadcom Inc.


Invited Guests

Chandan N (Palo Alto Networks)


Members of MITRE CVE Team in Attendance

Jo Bazar

Kris Britton

Christine Deal

Jonathan Evans

Chris Levendis

09:00-09:05:     Introductions and Roll Call

09:05-09:35:     Open discussion items 

09:35-10:55:     Review of Action items (see attached Excel file)

10:55-11:00:     Wrap-up

New Action items from today’s Board Meeting

See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 28 April21– Agenda and Action items)

# | Action Item | Responsible Party | Due | Status | Comments
04.14.01 | Develop a marketing campaign (External) for new AWG services to increase adoption for new CNAs (e.g., a podcast) | Kris B. | | Not Started | Assigned on 4/14/2021
04.14.02 | Develop a marketing campaign (Internal) for new AWG services to increase adoption for new CNAs, such as a “How to engage with the AWG new services” PowerPoint/video | Kris B. | | Not Started | Assigned on 4/14/2021


Discussion Items

§  Relationships with CVEs (Multi-Vendor) – Art M.

  • The CNA Rules (sections 7.2.4 and 7.2.5) require assignment of CVE IDs at specific levels of abstraction depending on the circumstances; for example:
        • Products that inherit a vulnerability from a shared upstream product share the CVE ID assigned to the upstream product.
        • If a standard has a vulnerability and multiple products implement the standard correctly, those products share the same CVE ID.
        • If multiple vendors made the same mistake in different codebases, there are multiple CVE IDs (one per codebase).
  • In a multi-vendor coordination scenario, these rules can be difficult to apply:
        • Codebase relationships may not be known.
        • A downstream vendor’s implementation may change the nature of the vulnerability (e.g., a different CVSS score).
  • The proposal is to allow CNAs to assign CVE IDs at whatever level of abstraction they deem appropriate and to build in a capability to record the relationships between CVE IDs.
  • Art will discuss this further at the CVE Summit; the topic is on the agenda.
  • Once a decision is made, there are three follow-on actions: design, policy/rules, and implementation.

Working Groups Updates

§  Strategic Planning Working Group (SPWG) – Kent Landfield

  • Roles, Responsibilities, and Requirements for the CVE Program roles (TL-Root, Root, CNA-LR, and CNA) are almost complete; the ADP role is still in progress. The SPWG plans to finalize the Roles, Responsibilities, and Requirements soon, with or without the ADP role included; it is ready to finalize the current program roles and make a recommendation to the CVE Board.
  • The Working Group Guidelines document is currently being tech edited and will be distributed to the CVE Board for approval soon.
  • Deprecation of Acceptable CVE Formats
        • The CVE Program currently supports three formats for submitting CVE record information (flat file, CSV, JSON); the Program is moving to CVE JSON format 5.0 as the single supported format.
        • The Board agreed that the SPWG will send an email to the CNAs about the impact of consolidating to one format; the message will be sent soon.
        • The deprecation of acceptable formats will be added to the CVE Summit agenda for further discussion with the CNAs.

§  Automation Working Group (AWG) – Kris Britton (MITRE)

  • Operations/Maintenance of IDR
        • The initial IDR services (CVE Services 1.0.0) are fully deployed. To date, 66 CNAs (41%) have requested CVE Services credentials, with a total of 110 credentials distributed by the Secretariat. One patch release (CVE Services 1.0.1) has been deployed since IDR went into production.
  • Development/Deployment of CVE Services
        • CVE Services 1.1.0 is nearly ready for release, and the CVE Services 2.0.0 requirements (user stories) are approaching completion.
  • Key Decisions by the AWG
        • The AWG made two key decisions: 1) it adopted the Semantic Versioning 2.0.0 scheme as the CVE Services version numbering scheme, and 2) it agreed on a CVE JSON 4.0 to 5.0 transition framework for CVE Services. The transition framework will be presented to the SPWG on April 19.
  • Governance/Process modifications
        • Responsibility for CVE data format maintenance (i.e., the JSON schema) was transferred to the QWG, and the AWG adopted a governance approach that alternates between development/design review and CVE Services requirements generation.
  • Administrative
        • The AWG is adopting Groups.io as its management/messaging platform.
        • The CVE Services development and deployment schedule was presented (the figure is not included in this summary).

  • How do we market the new AWG Services?
        • The Board discussed how the CVE Program can campaign for the new services to increase adoption by the CNAs.
        • The Board agreed that a marketing campaign for the AWG services needs to be developed, covering both external marketing (e.g., a podcast) and internal marketing to new CNAs during onboarding, along with tools that help new CNAs engage with the services.

§  Outreach and Communications Working Group (OCWG) – Shannon Sabens

  • In April, Mark Cox (Apache Software Foundation [ASF]) contributed a blog, “Our CVE Story: An open-source, community-based example.” The blog was published on April 12. 
  • The third podcast was published on April 6; Shannon Sabens (CrowdStrike) is the moderator, and the focus of the podcast is on partnering with CVE. Jo Bazar (MITRE), Erin Alexander (DHS CISA), and Tomo Itou (JP-CERT) are the podcast participants.
  • The fourth podcast is being scheduled and will be an interview with Larry Cashdollar about being a CNA; Kelly Todd (MITRE) will moderate. The planning meeting is scheduled for Thursday, April 15.
  • CVE Website Content Review is in progress. A small team of OCWG members is reviewing the community comments and making recommendations for content changes in preparation for the CVE Website Phase 1 deployment, scheduled for June 2021.

§  Quality Working Group – David Waltermire

  • Current efforts underway
        • The QWG has taken over responsibility for managing the CVE JSON format.
        • The QWG is now using GitHub issues to track open work items and is working the remaining issues for the CVE JSON format 5.0 release; the issues are listed at https://github.com/CVEProject/cve-schema/milestone/1.
        • Seven issues remain and will be worked and closed out in the next few weeks; the QWG needs to remove this blocker on AWG record service development as soon as possible.
  • Future efforts for the QWG
        • Establish tag governance documentation.
        • Plan to make use of the CVE Schema GitHub repository.
        • Currently staging issues for the CVE JSON format 5.1 release.
        • Create schema documentation.
        • Develop usage examples.

§  CNA Coordination Working Group – Tod Beardsley

  • CVE Summit planning is underway.
        • The CVE Summit is confirmed for May 13 (4:00 p.m. to 8:00 p.m. EDT) and May 14 (9:00 a.m. to 1:00 p.m. EDT).
        • CERT/CMU SEI Broadcast Production has offered CVE Summit speakers the opportunity to pre-record their presentations for viewing on the day of the event, which lets speakers answer questions in the text chat while their video plays. Recordings are due no later than April 30.
        • The draft agenda was sent to speakers on April 7.

Board Decisions

Next CVE Board Meetings 

  • Wednesday, April 28, 2021 2:00pm-4:00pm (EDT)
  • Wednesday, May 12, 2021 9:00am-11:00am (EDT)
  • Wednesday, May 26, 2021 2:00pm-4:00pm (EDT)
  • Wednesday, June 9, 2021 9:00am-11:00am (EDT)
  • Wednesday, June 23, 2021 2:00pm-4:00pm (EDT)

Open Discussion Items (to be discussed at future meetings)

See attached Excel spreadsheet (CVE Board Meeting 28April21– Agenda and Action items)

CVE Board Recordings

§  The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to CVE Program Secretariat ([hidden email]).  

Attachment: CVE_Board_Meeting 14 April 2021 FINAL.pdf (445K)