
CVE Board Meeting Summary – 28 November 2018



CVE Board Meeting – 28 November 2018

Board Members in Attendance

Kent Landfield, McAfee

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Beverly Miller, Lenovo Group Ltd.

Scott Moore, IBM

Lisa Olson, Microsoft

Kurt Seifried, Cloud Security Alliance

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.

Members of MITRE CVE Team in Attendance

Jo Bazar

Chris Coffin

Jonathan Evans

Joe Sain

George Theall

Other Attendees

Chris Johnson (NIST)

Agenda

2:00 – 2:15: Introductions, action items from the last meeting

2:15 – 2:30: Working Groups

  • Strategic Planning – Kent Landfield / Chris Coffin
  • Automation – Chris Johnson
  • Cloud Security Alliance – Kurt Seifried

2:30 – 2:45: CNA Updates

  • DWF – Kurt Seifried
  • MITRE – Jonathan Evans
  • JPCERT – Taki Uchiyama

2:45 – 3:15: CVE Team Web Scraping – Chris Coffin

3:15 – 3:50: Open Discussion (Board)

3:50 – 4:00: Action items, wrap-up

Review of Action Items from Board Meeting held 14 November 2018

Working Group Updates

  • Strategic Planning – Kent Landfield / Chris Coffin
    • The Strategic Planning Working Group met on Monday, November 26th.
    • The Quality Working Group was initially introduced to the SPWG by Jonathan Evans to address the quality of CVE descriptions. Since that time, the scope of the Quality WG has expanded to include CVE output as a whole:
      • What does CVE look like to consumers?
      • How do they use the data?
      • Which elements are most important?
      • What is the trade-off between speed and quality?
      • Should we revisit the content of a CVE entry, including the minimum required data?
    • Bank of America is interested in participating in the CVE program. They attended this week's Automation Working Group meeting. Chris believes this will help add a consumer perspective to the Quality Working Group.
    • Dave Waltermire, Kent Landfield, Chris Johnson, Chris Levendis, and Chris Coffin volunteered to serve as co-chairs of the Quality WG.
    • The SPWG continued the discussion on the responsibilities of Root CNAs with an eye to more tightly defining those responsibilities. Results of this work will be presented in the near future.
  • Automation – Chris Johnson
    • The Automation Working Group met on Monday, November 26th.
    • The AWG identified a set of high-level topics for future meetings:
      • Cross-cutting issues
      • High-level workflow
      • Identifying the dependencies that exist between the services being worked by the project teams
    • The AWG will also study the privacy and security issues surrounding the data that will be collected, which will help with future scope discussions.
    • CVE ID Allocation Service
      • At the most recent requirements meeting, attendees identified a number of use cases and began drilling into CVE attributes.
      • Schmitty, the CVE ID Allocation Service lead, will post the meeting notes to the GitHub site at: https://github.com/cveproject/cve-id-aslocation-service
      • The group also discussed capturing CNA profile information, including the number of CVE IDs and basic attributes of CNAs, which would be stored in a repository.
      • Chris Coffin advised the group that any proposed changes to rules and processes must be reviewed and approved by the SPWG and the Board.
    • Chris Coffin advised the Board that a new MITRE team member, Lew Loren, is joining the CVE project. Lew will lead the implementation of the new content production system and will be a liaison between the CVE Working Groups. He will take on a technical advisory role for AWG development projects and will lead the Credentialing, Authentication, and Authorization project.
  • Cloud Security Alliance – Kurt Seifried
    • The CSA group is reviewing use cases and the CVE value proposition. CSA is hearing from some organizations that CVE for Services is a bad idea. It appears that some of the cloud service providers do not want the additional overhead of providing CVEs for their services, and in some cases do not want the additional visibility of publicly announcing vulnerabilities.
    • CSA has also been looking at possible modifications to Inclusion Rule 3. Currently, CVE does not formally cover hardware or cloud services. The Board will have to discuss whether to expand CVE into these areas.
      • Board members felt that if there was an issue that was internal facing and had no user impact or user action required, a CVE may not be necessary. It is important to clearly define what gets a CVE.
    • Kurt believes the CVE for Cloud Services group has done everything it can within the current CVE scope. Some cloud service organizations believe CVEs for services are necessary, and some do not. The group has defined the problem space well.
      • Dave added that we should consider identifying different categories of CVEs so that they can be filtered, allowing CNAs flexibility.
      • If there is a meaningful group of cloud service providers and consumers that feels that CVEs for services is important, we should explore a way of piloting support for this sector.
      • Kurt will produce a document defining the problem and proposing possible solutions. Kurt will send this document to the Board for review in January 2019.
      • Microsoft’s reticence is that they do not want to devalue CVE by assigning IDs to everything regardless of whether there is action or no action. Microsoft does not want to be in the position of having to evaluate every request for a flood of new service CVEs that may have no user impact.

CNA Updates

  • DWF – Kurt Seifried
    • DWF has cleared its CVE assignment backlog.
    • A meeting with the CVE team is scheduled for December 5th to discuss streamlining the CNA process.
  • MITRE – Jonathan Evans
    • Johnson Controls has nearly completed the CNA onboarding process.
    • ABB CNA onboarding session scheduled for December 11th.
    • Bugcrowd has requested to become a CNA. MITRE has requested additional information from Bugcrowd. This is their third request; the two previous engagements were not completed on the Bugcrowd side.
    • Another researcher requested to become a CNA; we have put a hold on new researcher CNAs at the request of the Board.
    • We are working through some issues with the Intuit request and are making progress.
    • We are getting requests for 2019 IDs, but some CNAs have RBPs (reserved but public entries) that need to be cleaned up before new IDs can be issued.
    • SUSE and Micro Focus announced that they are going to split into separate companies and that they want to be separate CNAs.
  • JPCERT – Taki Uchiyama
    • JPCERT stated that they have not had interest from vendor CNAs, and they would like to be removed from Root CNA status at this time. If they do receive interest from vendor CNAs, they would like to be able to restart Root CNA status.
      • The Board had no issues with this change.

CVE Team Web Scraping

  • The objective of increasing CVE web scraping is to address the perceived gap in CVE coverage.
  • MITRE and DHS want to address the gap by enhancing the web scraping process.
  • We plan to find source information in areas of IT that CVE has not been able to cover through traditional means.
  • We would identify the resources to use, automate the scraping process, and populate the CVE IDs.
  • A proposal was made to produce URL-only CVE IDs, without the traditional description/content portion of the ID, to speed up creation and consumption. Other members suggested this would make the CVEs less useful.
  • Chris C. noted that the Board may need to revisit the CVE ID requirements.

Open Discussion Items

  • None

Meeting Action Items

  • Kent Landfield is looking into hosting the 2019 CNA Summit; MITRE will follow up with Kent.
    • Agenda item: CVE services, including governance

Board Decisions

  • Vote: Kathleen Trimble for CVE Board membership

Future Discussion Topics

  1. How do we better communicate our vision for the future of the CVE program? How do we better market the CVE program and communicate the major changes that are taking shape?
  2. How do we provide more status information to the public around metrics and ongoing activities we are engaged in?
  3. CNA Process – Front Door or Back Door; How should CNAs communicate with each other, and how would that information be managed?
    1. Set up an excel spreadsheet to share contact info amongst the CNAs?

  4. CNA Scope Issues
    • The Board discussed that CNA documentation around roles and responsibilities is needed; current documentation is not clear. CNAs assign CVEs within their scope. Scope may or may not cover CVEs for their customers.
    • CNA Rules – The rules state CNAs must be responsive but do not provide a specific timeframe. The rules state that if a CNA plans to assign a CVE for a vulnerability in another vendor's product, the assigning CNA should contact the vendor. The vendor would then make a determination.
    • New Approach to CNAs and Roots – A given Root has a scope. A portion of the scope gets delegated to a CNA (i.e., a product or area of research). If a portion of the scope is not delegated to a CNA, that scope stays with the Root. It is the Root's responsibility to do the CVE assignment as the CNA of last resort.
    • Action Item – CNA Rules need to be updated to reflect this new approach.
  5. Eliminating Duplicate CVE Assignments
    • The Board discussed that specifying CNA scope will help eliminate duplicate CVE assignments. Art explained that having open communication with other CNAs when making CVE assignments is critical; keeping this communication at the CNA level (not at the Root/Primary level) will help with duplication.
    • Recommendation 1: Process recommendations need to be added to CNA training.
    • Recommendation 2: CNA rules need to be updated to minimize duplicate assignments.
    • Jonathan explained that duplication of CVE assignments occurs most often with DWF.
  6. Researcher CNAs
    • The Board discussed researcher CNAs that have ambiguous scopes. These CNAs have issued thousands of CVEs.
    • Recommendation 1: Avoid adding any new researcher CNAs until there are specific qualifications and guidelines for what qualifies as a researcher CNA. This includes defined scope rules yet to be discussed.
    • Recommendation 2: Make the scope naturally programmatic for researcher CNAs.
    • Recommendation 3: Change the process for researcher CNAs. Who is responsible for coordinating ID assignment? Who issues the CVE ID and fills in the information? Companies should have an easier way to request CVE IDs.
    • Recommendation 4: Better define the roles and responsibilities of researcher CNAs.
    • Recommendation 5: Address the researcher CNA ambiguous scope issue before onboarding additional researcher CNAs.
    • Recommendation 6: Explore the possibility of researchers participating in the CNA program without becoming CNAs.
    • Recommendation 7: A testing/certification program for CNAs is needed to make sure they can adequately perform their role, especially researchers.
    • The Board agreed to explore better solutions to the researcher CNA ambiguous scope issue.
  7. Operationalizing Root CNAs Effectively
    • Further discussion is needed regarding how we can operationalize Root CNAs more effectively.
    • Additional discussion is needed on MITRE's role in operating Roots.
  8. Product Type Tagging/Categorization
    • As the number of CVEs produced rises, there will be an increasing need to view subsets of the entire CVE master list.
    • Define a list of common product areas/domains to be used for categorizing CVE entries (e.g., medical devices, automotive, industrial, etc.).
    • Tags/categories should be attached to products rather than connected directly to CVE entries.
    • Product listings in the CVE User Registry would be a potential location.
    • Can this be automated?
  9. Future of CVSS
    • Assigning multiple CVSS scores to a single CVE.
    • Hill discussions around CVSS.

Attachment: CVE_Board_Meeting_28_November_2018.pdf
Description: CVE_Board_Meeting_28_November_2018.pdf


Page Last Updated or Reviewed: December 12, 2018