Vulnerability Discussion at IETF 94 Next Week

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Vulnerability Discussion at IETF 94 Next Week

Waltermire, David A.

The Internet Engineering Task Force (IETF) has a Security Automation and Continuous Monitoring (SACM) working group which is chartered to develop standardized protocols and data formats to support automated assessment of networked computing devices. The standards to be produced by this working group are intended to support standardized assessment capabilities as part of an organization’s typical management infrastructure. These assessment capabilities are intended to support vulnerability, configuration, and software inventory management use cases. DHS, NSA, and NIST have been working with MITRE to develop an IETF Internet Draft that explores vulnerability management in the context of the SACM work.

 

Here is the link to this draft:

 

https://datatracker.ietf.org/doc/draft-coffin-sacm-vuln-scenario/

 

We believe that exploring a use case targeted at automated enterprise vulnerability assessment will help the working group in developing standard protocols and data formats that are targeted to real enterprise needs and ensure much needed interoperability between vulnerability data sources and products. There will be a discussion of this draft at the IETF 94 meeting in Japan next week.

 

Meeting details (also attached):

 

Date/Time: Wednesday, November 4th, 2015 @ 7pm EST

Meeting Venue: https://www.ietf.org/meeting/94/index.html

SACM Agenda: https://www.ietf.org/proceedings/94/agenda/agenda-94-sacm

Remote Participation: Join Meetecho Session

Audio Streaming: http://ietf94streaming.dnsalias.net/ietf/ietf946.m3u

 

As key  members of the vulnerability community we hope you can attend this meeting either in-person or remotely to help encourage the working group to consider working on an end-to-end set of standards that will support automated vulnerability assessment by enterprises in addition to other assessment use cases. We think that this work would add value to the CVE, SCAP, and related efforts.

 

Please let us know if you have any questions.

 

Sincerely,

Dave

 

David Waltermire

Information Technology Laboratory | Computer Security Division

National Institute of Standards and Technology

 


ietf-sacm-vulnerability.ics (3K) Download Attachment