
Re: policy, feelings, and the reality (was Re: nomination for ...)




I think there are some good questions for the board to consider
here. I think the reason the board has not taken these up is that we
do not meet regularly, and do not regularly bring up and discuss
issues. The board has mainly been reactive to Mitre prompting. This is
probably historical, as the board was originally an advisory body
designed to review content of the CVE candidates. That role has moved
to Mitre, and the board mainly tends to act as a consultant when
asked. It could stand to become more proactive.

Probably the most interesting things we should take up are:

1. Is CVE providing adequate coverage of vulnerabilities? Are all of
the 10K+ vulnerabilities that Brian has identified ones that the CVE
should cover? If some portion of them are, then how should the
coverage be changed to include them? We have had these discussions in
the past, and have decided that there are limits to what should be
covered (i.e. software that few people use, apps, scripts,
games). I’m not saying that the limits we decided on are the right
ones. It is worth discussing again. It would be interesting to see
some categorization of the vulnerabilities that Brian has identified
that are not in the 4K issued CVE IDs. Then we can see what types
of gaps in coverage we may be lacking.


2. Are CNAs living up to their responsibilities? This is probably more
of an executive function (rather than a board function), but if we
don’t have clear responsibilities laid out, and if MITRE needs
peers or industry voices to pressure these CNAs into doing the
right thing, then the board has a role.


Andy

> On Oct 17, 2015, at 10:12 AM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:
> 
> On 10/17/2015 01:21 AM, jericho wrote:
>> 
>> On Wed, 14 Oct 2015, Pascal Meunier wrote:
>> 
>> : as a repudiation of Brian's methods, and an unwillingness to respond to
>> : trolling;  it should not be interpreted as apathy.
>> 
>> Yet, that is exactly what it is. You may not like my methods, but very
>> few people are doing anything to change CVE and try to motivate MITRE to
>> improve.
> 
> The end does not justify the means.  I admire how you noticed many things I didn't,
> but the way you communicated with the board on this particular issue was
> over-the-top.  Simply reminding the board and MITRE that you wanted him
> nominated 2 years ago, for reasons you explained then, and would like this
> revisited, should have sufficed and should have been effective.
> 
>> 
>> I am curious if you/Purdue and Andy/Cisco want to also speak up as to why
>> it is so crucial we follow this documented procedure, when the board has
>> gone 15 years without many other procedures that should have been
>> documented, and never were?
> 
> As a justification for ignoring procedures on purpose, this sounds to me like shooting your good
> foot because your other leg is amputated.  I provided a reasoning of why I thought it mattered.
> 
>> Would you also like to give your respective
>> organization's official opinion on MITRE not following their own
>> documented policy in several regards in the last 90 days?
> 
> If you want an "official" statement that will take time, and I'm not sure how useful
> that will be.  Policies exist in part so that failures to follow them can be
> pointed out clearly and corrections made.  I thought Steve's email from 9/24
> ("Upcoming changes for CVE") was very promising.  Issues with the public archives
> seem to have been solved with Nabble;  your monitoring certainly made the need
> for improvement clear.  Are there specific policies for which you believe the
> above insufficient?
> 
> 
>> Perhaps Steve
>> Christey can explain why it was more important to quote that policy to me
>> than work on the extensive backlog of CVE requests in their queue, some
>> older than 50 days now.
> 
> Probably because what you wrote was excessive and too disruptive to be ignored, which
> was by your design.  However, you interest me in the state of the backlog and if
> perhaps MITRE could regularly provide us with very succinct status data, e.g.,
> how many issues are waiting assignment, and what is the longest wait time.  Not
> too often and detailed to be a significant burden, but often enough that the board
> could discuss it and make appropriate suggestions.
> 
>> 
>> For those who know me, they know I am pretty keen on following documented
>> policy and standards. I also recognize when they should be lobbied for
>> change, or ignored. However, since many other requests (most polite even!)
>> have fallen on deaf (apathetic?) ears, this is a testament to my method.
>> My second email prompted a few people to reply, and it prompted MITRE to
>> start the discussion per their policy.
> 
> Only if any response is better than none.  However, this email you
> just wrote helps me understand your frustration and it brings
> up issues we can discuss and act upon.  Thank you.
> 
>> Oh, by the way, the idea of
>> bringing Kurt on the board was brought up privately at least twice to
>> MITRE, to at least two people, in the last few years. That didn't work,
>> but per policy, shouldn't it have started the process?
> 
> I am only aware of the one public time in July 2013.  According to the policy there
> are many reasons why the process might not have reached stage 3.  I wonder if
> nothing at all was started on those occasions, or if the process didn't reach
> stage 3 for some reason.  The two would appear the same to me.
> 
>> 
>> Meanwhile, other policies that should have existed a decade ago still
>> don't exist, legitimate questions aimed at trying to better understand the
>> MITRE process are unanswered, CNAs are still issuing advisories that do
>> not follow CVE procedures unchecked, one CNA is selectively issuing CVEs
>> for some vulnerabilities and not assigning for others (Andy, want to look
>> into that for us?), and more.
>> 
>> I'm really sorry I hurt your feelings, but personally I would rather see
>> things change for the better first. When MITRE is back to operating at the
>> previous capacity they were 9 months ago, or even better, 3 years ago,
>> then I vote we have a group hug and worry about the rest.
> 
> Thanks, and I understand your motivation better now.
> 
>> The entire
>> industry has been going downhill quickly as evidenced by the number of
>> organizations compromised every day that we hear about. Vulnerabilities
>> are not slowing down,
> 
> That particular point is a source of bewilderment to me.  New vulnerability types
> are rare and most vulnerabilities seem like a repeat of the same
> mistakes over and over by a horrible zombie horde.  Is there not enough
> accessible secure programming material (BTW, I like the OWASP
> secure coding cheat sheets)?  Is it not good enough?  Do we not
> have better tools available?  Doesn't Coverity offer free scans of open-source
> projects in Java, C/C++, C# or JavaScript?  Did we not integrate
> secure programming into classes?  Are the wrong or insufficient incentives in place?
> Why is it that U.S. hospital IP addresses are so often listed on Spamhaus as
> having botnet infections, despite HIPAA (this is anecdotal and not a systematic
> survey, yet what I observed was disturbing)?
> 
>> despite claims otherwise based on some horrible
>> analysis of CVE numbers in recent years, and a significant chunk of our
>> industry is using security products that are based on the CVE dataset and
>> compete to see which of them has the 'best' coverage of one of the worst
>> vulnerability databases. Is it any wonder our industry can't protect
>> clients? Personally, I joined this board with some hesitation because I
>> read the archives first, and saw what I was getting into. But I joined to
>> try to make a difference and help CVE improve as a whole. The archives,
>> and dialogue since joining, make it very clear I am in the minority.
>> 
>> If you feel differently, I would love to get your opinion on why CVE has
>> just over 4,100 live IDs for 2015 compared to the 10,743 disclosed
>> vulnerabilities I am aware of.
> 
> You have a point there.
> 
>> Do you feel that MITRE is doing a
>> sufficient job? Do you feel the board is doing a good job in helping guide
>> MITRE, give valuable input, ask questions to learn more about the process,
>> and generally improve how things are going?
> 
> I admit having been reactive instead of proactive for the CVE, and relying on
> MITRE (and CERIAS) to bring up issues they wanted to discuss.  It's why I thought
> I was here and what was expected.  Asking "is it enough?" is interesting and
> requires looking at it as a committed stakeholder.  I am looking forward to
> Julie Connolly's email.  However, I feel I don't have much to contribute to
> the CNA issue and discussion, as I (and CERIAS) have little involvement in
> that process.
> 
>> Honest questions.
> 
> Good questions too.
> 
> Pascal



Page Last Updated or Reviewed: October 26, 2015