Suscríbase al feed

Part 1 of a 3 part series based on Saving CVE with Open Source, a talk that I am giving with Kent Landfield of Intel at RSA 2017.

Put bluntly, 2015 signaled a possible failure of Common Vulnerabilities and Exposures (CVE), the widely-accepted standard and repository for vulnerability reporting. This, however, wasn’t a sudden problem: For a variety of reasons, getting CVEs assigned was becoming a test of patience for many researchers and reporters.

Like many things in life, it is often the times of crisis where we have the best opportunity to actually make change and improve. I’ve been involved with CVE for some time now (since 2001 or so?) and when I joined Red Hat in 2011, a major part of my job was CVE-related (I took over assigning them at Red Hat from Josh Bressers). It was clear to me that CVE needed saving, the biggest question was how? After I spent some time (months) looking at the challenges and trying to find ways to address them, it became apparent to me that the problems with CVE were symptoms, and that the underlying causes went deep enough that they would need to be addressed before we could fix anything else with the standard.

Let’s take a moment to segue sideways into a favorite topic of mine: small independent local restaurants. Traditionally, if you wanted to open a restaurant, you took one or more concepts (burgers, pizza, unlimited refills, etc.), developed a plan, executed on it and hoped that it would work. Despite excellent planning, about 59 percent of these ventures fail in the first year in the U.S But now, I’m seeing a change on how people open restaurants.

For example, we have a new chicken restaurant where I live that did three “pop-ups” long before opening their first location. Basically, they made arrangements with other small restaurants to use their spaces for one day and serve their food for the day, spreading awareness via Twitter and other social media. I went to the first one, and waited in line for quite some time, but the wait was totally worth it. Speaking with the owners now, they shake their heads talking about that first day, but they say something important: “We learned a lot that day, and from the following pop-ups.”

By doing a pop up, they hacked the system and found a way to experiment with a restaurant concept, and iterate it several times to perfect it before actually opening. Rather than running these experiments “in house” (while trying to pay the rent, wages, etc.), they were able to spend a few thousand dollars on food costs (which I suspect they mostly recouped by selling a lot of really good fried chicken) and learn, with time in between pop-ups to analyze what happened. This is in many ways the epitome of the Open Source Way - people sharing and borrowing resources, lessons, expertise and releasing early and often, iterating their way towards success.

This kind of thinking is what needed to be applied to CVE. So I started a project, the Distributed Weakness Filing (DWF) Project, with the idea being to rapidly experiment and iterate with CVE-style assignments and see what would work/didn’t work. I also wanted to poke the CVE system (gently) to wake it up to the realities of what was required of a modern system, which involved conversations with the CVE board. The good news is that CVE took notice and was receptive to change.

Since 2015, we’ve created and accepted a new board charter, and new guidelines for CNAs (CVE Numbering Authorities; in other words, the groups/people who assign CVE IDs). MITRE, the ultimate authority for all things CVE, has created a large number of new CNAs ranging from well-known open source groups like the Apache Foundation to Larry Cashdollar and companies like TIBCO. We’ve also looked at new ways CNAs operate and what exactly CNAs need to do, with an eye towards simplifying the process and making it much faster (the goal is <5 minutes for a requestor to generate a CVE request and <1 minute for the assigner to assign it).

That’s what happened in the past year and half, but in part two, we’ll look at exactly how the sausage is made with CVE and how this impacts (or doesn’t impact) DWF.

Sobre los autores

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.

Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.

Read full bio

Navegar por canal

automation icon


Las últimas novedades en la automatización de la TI para los equipos, la tecnología y los entornos

AI icon

Inteligencia artificial

Descubra las actualizaciones en las plataformas que permiten a los clientes ejecutar cargas de trabajo de inteligecia artificial en cualquier lugar

open hybrid cloud icon

Nube híbrida abierta

Vea como construimos un futuro flexible con la nube híbrida

security icon


Vea las últimas novedades sobre cómo reducimos los riesgos en entornos y tecnologías

edge icon

Edge computing

Conozca las actualizaciones en las plataformas que simplifican las operaciones en el edge

Infrastructure icon


Vea las últimas novedades sobre la plataforma Linux empresarial líder en el mundo

application development icon


Conozca nuestras soluciones para abordar los desafíos más complejos de las aplicaciones

Original series icon

Programas originales

Vea historias divertidas de creadores y líderes en tecnología empresarial