
DWF and CVE Integration Proposal



Following all the discussion on our Board call last week, Kurt, the DWF board, myself and other CVE Board members have been working to put together a proposal that should go to MITRE. We have attempted to lay out the intent, parameters, expectations and what a successful outcome would result in. We were pleased to hear of MITRE's agreement with the overall goals of the project as outlined on the call and to see it in the Board meeting minutes. As requested by Jon Baker, the proposal is recorded below and submitted. We believe it is in the best interest of CVE and the community to initiate the DWF / CVE integration project as early as possible.

DWF and CVE Technical Integration Proposal

Proposed by:

Harold Booth, NIST (harold.booth@nist.gov <mailto:harold.booth@nist.gov>)
Larry W. Cashdollar, Akamai Technologies (larry@akamai.com <mailto:larry@akamai.com>)
Kent Landfield, Intel (kent.b.landfield@intel.com <mailto:kent.b.landfield@intel.com>)
Art Manion, CERT/CC (amanion@cert.org <mailto:amanion@cert.org>)
Brian Martin, OSF/OSVDB (jericho@attrition.org <mailto:jericho@attrition.org>)
Kurt Seifried, Red Hat (kseifried@redhat.com <mailto:kseifried@redhat.com>)
David Waltermire, NIST (david.waltermire@nist.gov <mailto:david.waltermire@nist.gov>)
Zachary Wikholm, Independent (kestrel@trylinux.us <mailto:kestrel@trylinux.us>)

Application Area

The Distributed Weakness Filing (DWF) Project provides a community-based, open-source, process-oriented solution for getting CVE identifiers into the hands of those who need them. DWF is intended to work with security researchers and other "producers" of CVE IDs to ensure timely assignment of IDs. The primary focus of the project is to become a CVE Numbering Authority (CNA) aimed primarily at the Open Source community.

Overall Purpose of Proposing a New Type of CNA

The purpose of this Proof of Concept (PoC) is to test the effectiveness of creating a new class of CNA. In the past, CNAs have been, for the most part, endpoints of the CVE ID issuance process. Authorities have to be issued a block of CVE IDs from the pool, which they then use to issue IDs for their own organization. This proposal is to create a Root CNA. The DWF Root CNA would be able to act as an existing CNA by issuing CVE IDs as requested. Additionally, the DWF Root CNA would be able to train and coordinate other organizations and people to create CNAs that live within DWF's namespace. As this is a PoC, the plan is a "fail fast" approach. DWF will be experimenting where we believe good ideas should be put into an operational production environment to test the usefulness of the idea.

The following are the proposed specifics of the effort:

● The DWF Project will act as a CNA and ensure no conflicts between DWF and current CVE ID ranges. The DWF will start at a high range of numbers to avoid conflicts with CVE numbers.
● The DWF Project will use the ID range CVE-YEAR-1000000 through CVE-YEAR-1999999.
● The DWF will assign CVE IDs to answer requests sent directly to the DWF by researchers, vendors and others.
● Any subordinate DWF-authorized CNAs will only be allowed to exist under the DWF hierarchy and be restricted to the DWF-authorized namespace (that is, CVE-YEAR-1000000 through CVE-YEAR-1999999).
The DWF project will continue to work with MITRE and others to create guidelines and requirements for CVE requests, CNA creation, curation of CVEs and so forth. As mentioned earlier, the DWF will focus on Open Source software, security researchers and security vendors that find and report security vulnerabilities. The DWF Project will continue to coordinate closely with MITRE and the CVE Editorial Board to ensure compatibility with existing and future CVE requirements and processes such as "what counts as a vulnerability", SPLIT/MERGE and so forth.

DWF will work with MITRE and the CVE Editorial Board to create a base set of documentation of best practices that can assist with the development and processes of Root CNA usage and deployment. While targeted towards DWF, the documentation can be used by others within the CVE management community.

Proposed Outcome

The intent of this PoC is to determine the effectiveness of new techniques, ideas and a new hierarchy-based model for CNA creation and CVE issuance. If successful, this approach will allow for other Root CNA authorities to be set up. Future CNAs could be assigned based on technology sectors or national boundaries, thus allowing expansion and expertise in areas of vulnerability identification not currently possible in the existing CVE management approach/scheme.

---
Kent Landfield
+1.817.637.8026

Page Last Updated or Reviewed: April 6, 2016