[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CNA requirements



On 2016-05-31 11:35, Kurt Seifried wrote:
> I've actually never heard of ISO 29147, just checked and it costs well
> over $100 to get a copy of, so that's not going to work for most open
> source projects. More to the point we can boil down what is needed to
> the 5 steps I list in my previous email. 
> 
> On Tue, May 31, 2016 at 8:16 AM, Millar, Thomas
> <Thomas.Millar@hq.dhs.gov <mailto:Thomas.Millar@hq.dhs.gov>> wrote:
> 
>     Perhaps the removal of the word "mature" is the fastest way to an
>     acceptable resolution. Adjectives are hard.
> 
>     A secure engineering life cycle including regular vulnerability
>     disclosure and remediation activities, and/or self-attested
>     compliance with ISO 29147, might work as a definition.

It's free:

  http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

Current version may not be a sufficient measure of maturity, but worth
considering.  Next rev is under development.

That said, to me, CNA maturity is a subset of vulnerability
coordination/disclosure maturity.  They are certainly related, probably
around responsiveness.  But I could imagine a "good" CNA not being
"good" at other vulnerability response aspects.

 - Art


Page Last Updated or Reviewed: June 01, 2016