CVE Board Meeting summary - 6JAN2021


Jo E Bazar

Members of CVE Board in Attendance

Beverly Alvarez, Lenovo Group Ltd.

Ken Armstrong, EWA-Canada, An Intertek Company

Tod Beardsley, Rapid7 

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Jessica Colvin JPMorgan Chase

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Tim Keanini, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Pascal Meunier, CERIAS/Purdue University

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Kathleen Noble, Intel Corporation

Lisa Olson, Microsoft

Shannon Sabens, CrowdStrike

Kurt Seifried, Cloud Security Alliance

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.


Members of MITRE CVE Team in Attendance

Jo Bazar

Kris Britton

Christine Deal

Jonathan Evans

Chris Levendis

02:00-02:05: Introductions and Roll Call

02:05-03:35: Open discussion items

03:35-03:55: Review of Action items (see attached Excel file)

03:55-04:00: Wrap up

Review of Action Items from last Board Meeting

See attached Excel spreadsheet (CVE Board Meeting 20Jan21 – Agenda and Action items)

Discussion Items

  • CVE IDs for Docker Containers – Chris Levendis (MITRE)
    • The group discussed in detail whether CVE IDs should be assigned to vulnerabilities in Docker containers.
      • Question: Should we assign for these types of issues? Can the CVE Program afford to do it? 
        • Description of issue: Insecure default configuration for the admin password. The issue occurs because the base Docker image was configured incorrectly and is used by other people creating their own Docker images.
      • If we do not assign, a policy needs to be put in place.
        • Proposal: Documenting corner cases in a public way to reveal decision making processes (e.g., best practices for making these decisions)
      • Outcome: Guidance from the CVE Board on how to handle these types of vulnerabilities.
    • The group agreed to begin drafting up guidance on how to handle these types of issues. Pascal has offered to begin writing the first draft once additional information about the issue is provided from MITRE.
  • New CVE Branding Statement – Shannon Sabens (OCWG Chair)
    • Short form:
      • The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
    • Long form:
      • The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered by vendors and researchers, then assigned and published by organizations from around the world that have partnered with the CVE Program as CVE Numbering Authorities (CNAs) and Root CNAs. As CNAs, vendors publish CVE Records to communicate consistent descriptions of vulnerabilities to their customers, while IT and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
    • The group approved the short form and agreed the long form needs more work, removing vendors and researchers and Root CNAs.
    • The OCWG will provide another draft of the long form incorporating the feedback from the CVE Board. 
  • CVE Infrastructure - Next Steps – Kris Britton (AWG Chair/MITRE)
    • ID Reservation (IDR) Service: Self-service allowing CNAs to get either an arbitrary number of non-sequential IDs, or a block of sequential IDs
      • Status: IDR Phase 1 deployed December 10; no significant issues were encountered
    • Record Submission and Upload Service (RSUS): Replace the Github submission service so that CNAs can submit CVE information directly to the database, without the need for manual review
      • Status: Beginning the process to convert finalized requirements into user stories
      • Next milestone: User stories will be presented in the next SPWG meeting and the sprint plan will be presented in AWG in late January. 
    • User Registry: Provides permissions that will control who has access to features and information that are not publicly available.
      • Status: Beginning the process to convert finalized requirements into user stories
      • Next milestone: User stories will be completed and presented to SPWG. 
  • CNA Board Liaison Position - Chris Levendis (MITRE)
    • One person has been nominated as the CNA Board Liaison, Tod Beardsley. The group agreed to hold the election anyway. MITRE will initiate the election this week.
  • Hot off the Press - Root News – Jo Bazar (MITRE)
    • JPCERT is now an active Root, announcing 2 new CNAs in December.
      • Line Corporation and Mitsubishi Electric Corporation
    • Spanish National Cybersecurity Institute, S.A. (INCIBE) is in the process of becoming a Root. Root Onboarding meetings will begin in late January.
  • CVE Board Nomination - Katie Noble (INTEL)
    • The interview will be 30-45 minutes in length, immediately followed by a 30-minute post-interview discussion.
    • MITRE will send a Doodle poll to find the best time to conduct the interview; the next CVE Board meetings are on Jan 20 and Feb 3, 2021.
  • Polling Results around CVE Program name - Katie Noble (INTEL)
    • The group agreed to discuss this topic at the next meeting, when there are more folks in attendance. Katie presented the polling results, about 70 people responded.
  • CVE Global Summit: Tod Beardsley (CNACWG Chair)
    • CVE Global Summit Working Group readout will be on Tuesday, January 26, at 10:00AM – 12:00PM. Each Working group will have 20 minutes to present.
    • CVE Global Summit 2021 planning will be initiated.
  • Malware - Chris Levendis (MITRE)
    • The group briefly chatted about this issue and agreed there is no consensus on this issue. Malware to one organization is not malware to another organization. 

Board Decisions

N/A

Next CVE Board Meetings 

Open Discussion Items (to be discussed at future meetings)

See attached Excel spreadsheet (CVE Board Meeting 20Jan21 – Agenda and Action items)

CVE Board Recordings

  • The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ([hidden email]).  

Attachment: CVE_Board_Meeting 6 January 2021 FINAL.pdf (425K)