DWF and CVE Integration Proposal


DWF and CVE Integration Proposal

Landfield, Kent B
All,

Following up on the conversations we had on the Board call last week, Kurt, the DWF Board, myself and other CVE Board members have been working to put together the proposal as requested by MITRE.  We have tried to lay out what the intent, parameters, expectations and hopefully what the successful outcome will result in.

We were pleased to hear MITRE’s agreement with the overall objective of the project on the call and to see it listed in the minutes of the Board meeting.  As requested by Jon Baker, we have documented the proposal and it is submitted below.

We believe it is in the best interest of CVE and the community to initiate the DWF / CVE Integration Project as soon as possible.


DWF and CVE Integration Proposal

Proposers:
Harold Booth, NIST ([hidden email])
Larry W. Cashdollar, Akamai Technologies ([hidden email])
Kent Landfield, Intel ([hidden email])
Art Manion, CERT/CC ([hidden email])
Brian Martin, OSF / OSVDB ([hidden email])
Kurt Seifried, Red Hat ([hidden email])
David Waltermire, NIST ([hidden email])
Zachary Wikholm, Independent ([hidden email])

Area of Focus
The Distributed Weakness Filing (DWF) Project provides a community-based, Open Source, process-oriented solution to getting CVE identifiers into the hands of people that need them. The DWF aims to work with security researchers and other “producers” of CVE IDs to assure the timely assignment of IDs. The project’s major focus is to become a CVE Numbering Authority (CNA) targeted primarily at the Open Source community.

Proposing a New Type of CNA
The overall purpose of this Proof of Concept (PoC) is to test the validity of creating a new class of CNA. In the past CNAs have been, for the most part, an endpoint in the CVE ID issuance process. Authorized CNAs have been issued a block from the CVE ID pool, which they have then used to issue their own organizational IDs. This proposal is to create a Root CNA. The DWF Root CNA will be able to act as an existing CNA by issuing CVE IDs as requested. Additionally, the DWF Root CNA will be able to train and coordinate other organizations and people to create CNAs that live within the DWF namespace.

As this is a PoC, the plan is to take a “fail fast” approach. DWF will be experimenting where we believe good ideas should be put into an operational production environment to test the usefulness of the idea.

The following are the proposed specifics of the effort:

● The DWF Project will act as a CNA and ensure no conflicts between DWF and current CVE ID ranges. The DWF will start at a high range of numbers to avoid conflicts with CVE numbers.

● The DWF Project will use the ID range CVE-YEAR-1000000 through CVE-YEAR-1999999.

● The DWF will assign CVE IDs to answer requests sent directly to the DWF by researchers, vendors and others.

● Any subordinate DWF authorized CNAs will only be allowed to exist under the DWF hierarchy and be restricted to the DWF authorized namespace (that is, CVE-YEAR-1000000 through CVE-YEAR-1999999).

The DWF project will continue to work with MITRE and others to create guidelines and requirements for CVE requests, CNA creation, curation of CVEs and so forth. As mentioned earlier, the DWF will focus on Open Source software, security researchers and security vendors that find and report security vulnerabilities.

The DWF Project will continue to coordinate closely with MITRE and the CVE Editorial Board to ensure compatibility with existing and future CVE requirements and processes such as “what counts as a vulnerability”, SPLIT/MERGE and so forth.

DWF will work with MITRE and the CVE Editorial Board to create a base set of documentation of best practices that can assist with the development and processes of the Root CNA usage and deployment. While targeted towards DWF, the documentation can be used by others within the CVE management community.

Proposed Outcome
The intent of this PoC is to determine the effectiveness of new techniques, ideas and a new hierarchy-based model for CNA creation and CVE issuance. If successful, this approach will allow for other Root CNA authorities to be set up. Future CNAs could be assigned based on technology sectors or national boundaries, thus allowing expansion and expertise in areas of vulnerability identification not currently possible in the existing CVE management approach/scheme.

---
Kent Landfield
+1.817.637.8026
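As an added illustration, not part of the proposal or of any DWF tooling: a small Python checker for the namespace rules the proposal lays out, i.e. that an ID falls in CVE-YEAR-1000000 through CVE-YEAR-1999999 and that ranges delegated to subordinate CNAs stay inside that namespace without overlapping each other. The sub-CNA block model (`SubCnaBlock`) and all sample values are assumptions made for this demonstration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# DWF Root CNA namespace as proposed: CVE-YEAR-1000000 through CVE-YEAR-1999999.
DWF_RANGE = (1_000_000, 1_999_999)

# CVE ID syntax: "CVE-", a 4-digit year, "-", and a sequence number of 4 or more digits.
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Return (year, sequence) or raise ValueError for a malformed ID."""
    m = _CVE_RE.match(cve_id.strip())
    if not m:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    seq_text = m.group(2)
    # Sequence numbers longer than four digits must not carry leading zeros
    # (CVE-2014-0001 is valid, CVE-2014-01000 is not).
    if len(seq_text) > 4 and seq_text[0] == "0":
        raise ValueError(f"leading zero in sequence number: {cve_id!r}")
    return int(m.group(1)), int(seq_text)


def in_dwf_namespace(cve_id: str) -> bool:
    """True when the ID's sequence number lies in the DWF Root CNA range."""
    _, seq = parse_cve_id(cve_id)
    return DWF_RANGE[0] <= seq <= DWF_RANGE[1]


@dataclass(frozen=True)
class SubCnaBlock:
    """A sub-range delegated by the DWF Root CNA to a subordinate CNA (assumed model)."""
    name: str
    lo: int
    hi: int


def validate_sub_cna_blocks(blocks: list[SubCnaBlock]) -> list[str]:
    """Each delegated block must sit inside the DWF namespace, and no two
    blocks may overlap. Returns a list of problems; an empty list means OK."""
    problems = []
    for b in blocks:
        if b.lo < DWF_RANGE[0] or b.hi > DWF_RANGE[1]:
            problems.append(f"{b.name}: block {b.lo}-{b.hi} leaves the DWF namespace")
    ordered = sorted(blocks, key=lambda b: b.lo)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.lo <= prev.hi:
            problems.append(f"{prev.name} and {cur.name} overlap from {cur.lo}")
    return problems


def issuing_authority(cve_id: str, blocks: list[SubCnaBlock]) -> str:
    """Name the sub-CNA whose block holds the ID, 'DWF' for the root's own part
    of the namespace, or 'non-DWF' for IDs in the existing CVE ranges."""
    _, seq = parse_cve_id(cve_id)
    if not (DWF_RANGE[0] <= seq <= DWF_RANGE[1]):
        return "non-DWF"
    for b in blocks:
        if b.lo <= seq <= b.hi:
            return b.name
    return "DWF"


if __name__ == "__main__":
    # Constructed sample allocation, not real DWF data.
    sample = [SubCnaBlock("subcna-a", 1_100_000, 1_199_999), SubCnaBlock("subcna-b", 1_200_000, 1_299_999)]
    print(validate_sub_cna_blocks(sample), issuing_authority("CVE-2016-1150000", sample))
```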

Re: DWF and CVE Integration Proposal

Pascal Meunier
That sounds excellent.  The devil will be in the details, such as business continuity planning and lifecycle planning (e.g., what to do if/when a root CNA winds down).  There's an implicit assumption that, using the current DWF setup as an example, GitHub won't fail, and so on.  However, that should all be fixable later and is no reason to delay.

Great start!  I can't wait to see that seed bloom.

Pascal



On 04/06/2016 06:52 AM, Landfield, Kent B wrote:

Re: DWF and CVE Integration Proposal

Kurt Seifried


On Wed, Apr 6, 2016 at 7:51 AM, Pascal Meunier <[hidden email]> wrote:

> That sounds excellent.  The devil will be in the details, such as business continuity planning and lifecycle planning (e.g., what to do if/when a root CNA winds down).  There's an implicit assumption that, using the current DWF setup as example, GitHub won't fail, and so on.  However that should all be fixable later and is no reason to delay.

Quite the opposite, I assume at some point GitHub will fail/pull a source forge or do something else that results in us having to move. And that's ok because everything is in Git and trivial to completely keep an up-to-date archive of (just issue a pull request every X hours for your local copy). We would potentially lose the Issues (bug reports) but that would be far from a crippling blow (also assuming we can copy/export the issues data).

As for organization continuity, that's why there are 5 members on the DWF board.

> Great start!  I can't wait to see that seed bloom.
>
> Pascal
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: DWF and CVE Integration Proposal

Pascal Meunier
Great, I'm glad you're thinking ahead of me.

Cheers,
Pascal

On 04/06/2016 09:57 AM, Kurt Seifried wrote: