Part 1 of a 3 part series based on Saving CVE with Open Source, a talk that I am giving with Kent Landfield of Intel at RSA 2017.
Put bluntly, 2015 signaled a possible failure of Common Vulnerabilities and Exposures (CVE), the widely-accepted standard and repository for vulnerability reporting. This, however, wasn’t a sudden problem: For a variety of reasons, getting CVEs assigned was becoming a test of patience for many researchers and reporters.
Like many things in life, it is often the times of crisis where we have the best opportunity to actually make change and improve. I’ve been involved with CVE for some time now (since 2001 or so?) and when I joined Red Hat in 2011, a major part of my job was CVE-related (I took over assigning them at Red Hat from Josh Bressers). It was clear to me that CVE needed saving, the biggest question was how? After I spent some time (months) looking at the challenges and trying to find ways to address them, it became apparent to me that the problems with CVE were symptoms, and that the underlying causes went deep enough that they would need to be addressed before we could fix anything else with the standard.
Let’s take a moment to segue sideways into a favorite topic of mine: small independent local restaurants. Traditionally, if you wanted to open a restaurant, you took one or more concepts (burgers, pizza, unlimited refills, etc.), developed a plan, executed on it and hoped that it would work. Despite excellent planning, about 59 percent of these ventures fail in the first year in the U.S But now, I’m seeing a change on how people open restaurants.
For example, we have a new chicken restaurant where I live that did three “pop-ups” long before opening their first location. Basically, they made arrangements with other small restaurants to use their spaces for one day and serve their food for the day, spreading awareness via Twitter and other social media. I went to the first one, and waited in line for quite some time, but the wait was totally worth it. Speaking with the owners now, they shake their heads talking about that first day, but they say something important: “We learned a lot that day, and from the following pop-ups.”
By doing a pop up, they hacked the system and found a way to experiment with a restaurant concept, and iterate it several times to perfect it before actually opening. Rather than running these experiments “in house” (while trying to pay the rent, wages, etc.), they were able to spend a few thousand dollars on food costs (which I suspect they mostly recouped by selling a lot of really good fried chicken) and learn, with time in between pop-ups to analyze what happened. This is in many ways the epitome of the Open Source Way - people sharing and borrowing resources, lessons, expertise and releasing early and often, iterating their way towards success.
This kind of thinking is what needed to be applied to CVE. So I started a project, the Distributed Weakness Filing (DWF) Project, with the idea being to rapidly experiment and iterate with CVE-style assignments and see what would work/didn’t work. I also wanted to poke the CVE system (gently) to wake it up to the realities of what was required of a modern system, which involved conversations with the CVE board. The good news is that CVE took notice and was receptive to change.
Since 2015, we’ve created and accepted a new board charter, and new guidelines for CNAs (CVE Numbering Authorities; in other words, the groups/people who assign CVE IDs). MITRE, the ultimate authority for all things CVE, has created a large number of new CNAs ranging from well-known open source groups like the Apache Foundation to Larry Cashdollar and companies like TIBCO. We’ve also looked at new ways CNAs operate and what exactly CNAs need to do, with an eye towards simplifying the process and making it much faster (the goal is <5 minutes for a requestor to generate a CVE request and <1 minute for the assigner to assign it).
That’s what happened in the past year and half, but in part two, we’ll look at exactly how the sausage is made with CVE and how this impacts (or doesn’t impact) DWF.
저자 소개
Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.
Red Hat helps customers integrate new and existing IT applications, develop cloud-native applications, standardize on our industry-leading operating system, and automate, secure, and manage complex environments. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. As a strategic partner to cloud providers, system integrators, application vendors, customers, and open source communities, Red Hat can help organizations prepare for the digital future.
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.