CVE Board Meeting summary - 31MAR2021


CVE Program Secretariat

Members of CVE Board in Attendance

Beverly Alvarez, AMD

Ken Armstrong, EWA-Canada, An Intertek Company

Tod Beardsley, Rapid7 

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Jessica Colvin JPMorgan Chase

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Tim Keanini, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Pascal Meunier, CERIAS/Purdue University

Ken Munro, Pen Test Partners LLP

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Kathleen Noble, Intel Corporation

Lisa Olson, Microsoft

Shannon Sabens, CrowdStrike

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

James “Ken” Williams, Broadcom Inc.


Members of MITRE CVE Team in Attendance

Jo Bazar

Kris Britton

Christine Deal

Jonathan Evans

Chris Levendis

02:00-02:05:     Introductions and Roll Call

02:05-02:35:     Open discussion items 

02:35-03:55:     Review of Action items (see attached excel file)

03:55-04:00:     Wrap-up

New Action items from today’s Board Meeting

See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 14 April 21 – Agenda and Action items)

Action items (#, Action Item, Responsible Party, Due, Status, Comments):

03.31.01
  Action Item: Chris L. will discuss modifying the CVE Program document templates (PowerPoint, flyers, etc.) with Jay G.
  Responsible Party: Chris L. (MITRE)
  Due: not set
  Status: Not Started
  Comments: Assigned on 3/31/2021

03.31.02
  Action Item: Send email to CNAs about the deprecation of legacy formats, to understand the impact and why they are still using the flat file and CSV formats.
  Responsible Party: Kent L.
  Due: not set
  Status: Not Started
  Comments: Assigned on 3/31/2021

Discussion Items

§   Revised Directive on Security of Network and Information Systems (NIS2) Update - Kent Landfield

o   Kent provided an update on the draft NIS2 Directive, its potential impact on the CVE Program, and further clarification of the NIS2 objectives. NIS2 specifies that a coordination capability be established across the EU and its Member States, with national-level Member State CERTs working together to create a coordinated environment for action and information sharing. Kent explained that the EU’s DG CONNECT and Members of the European Parliament (MEPs) are interested in getting more involved and in integrating with the CVE Program. Kent has the action of scheduling a discussion with the Secretariat and the members of DG CONNECT who will be involved with the stand-up and support of the effort.

§  Deprecation of acceptable CVE formats - Kent Landfield

  • Background: Currently, the CVE Program supports three different formats for submitting CVE-related record information: a flat file format, a CSV format, and a JSON format. The flat file and CSV formats have not changed since their creation, and there is no formal mechanism to update them. Today the non-JSON formats require manual processing and CPS support. It should be noted that the AWG services have no plans to support the non-JSON formats at this point. Today, 30% to 40% of CNAs in the CVE Program use these legacy formats.
    • The program is moving towards CVE JSON version 5 (JSON5) and is getting close to finalizing it. JSON makes it easier to express relationships between fields, is easier to extend and to add support for other capabilities (such as additional language support), is well-defined, and community consensus is currently on track to be achieved. It is the intent of the Program to publish a JSON5 format and use it as the basis for our automation services going forward.
    • The flat file and CSV formats are not well documented and currently do not support all the fields supported by JSON5.
      • The legacy formats only support the required fields today. These formats have been difficult to work with and add unnecessary complexity when the required information is modified or updated. As we move forward with automated services, we need to reduce code complexity and remove things that inhibit adoption of the authorized, automated, self-service CVE record update services.
  • During the March 29, 2021, SPWG meeting, options for dealing with the situation were discussed:
  1. Continue with the current process, with MITRE manually dealing with these formats.
  2. RSUS could support submissions using all three formats.
  3. The new partner portal section of the website could support uploads using all three formats.
  4. The final option discussed was deprecation of the legacy formats in favor of JSON5. For those CNAs who have automated their current submissions using the flat file or CSV formats, converters could be created for their use, or they could be given the documentation to assure they have the knowledge to upgrade their existing automation to support the JSON5 format.
  • The SPWG agreed that to properly address submission formats, a few things need to be completed first:
  1. The CVE JSON5 format needs to be finalized.
  2. Documentation for the JSON5 format needs to be developed.
  3. Submission capabilities, such as a GUI for uploading and modifying records in RSUS, via automation, and via the new partner portal, will need to be developed.
    • It is understood that all of this is dependent on the user registry for authentication and authorization. There were discussions of working with Chandan to use Vulnogram as that GUI. It could be modified to integrate with the partner portal and to provide a version for CNA submissions via automation.

  • SPWG’s Board Recommendation: The SPWG recommends that the CVE Program adopt JSON5 and deprecate all legacy formats for submission and update of CVE records, once the proper environment for doing so exists.
  • The Board agreed that the SPWG will send an email to the CNAs about the impact of moving to a single format, and to get a better understanding of why they are still using the flat file and CSV formats. In addition, the deprecation of acceptable formats will be added to the CVE Summit agenda for further discussion with the CNAs.

Board Decisions

Next CVE Board Meetings 

  • Wednesday, April 14, 2021 9:00am-11:00am (EDT)
  • Wednesday, April 28, 2021 2:00pm-4:00pm (EDT)
  • Wednesday, May 12, 2021 9:00am-11:00am (EDT)
  • Wednesday, May 26, 2021 2:00pm-4:00pm (EDT)
  • Wednesday, June 9, 2021 9:00am-11:00am (EDT)
  • Wednesday, June 23, 2021 2:00pm-4:00pm (EDT)

Open Discussion Items (to be discussed at future meetings)

See attached Excel spreadsheet (CVE Board Meeting 14 April 21 – Agenda and Action items)

CVE Board Recordings

§  The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to the CVE Program Secretariat ([hidden email]).

Attachment: CVE_Board_Meeting 31 March 2021 FINAL.pdf (368K)