
Re: Juniper to be added to the official list of CNAs

On Wed, 27 Apr 2016, Art Manion wrote:

: I believe Brian that Juniper has issues.  I have first hand 
: with another vendor CNA who has not followed the rules.  I'm pretty sure 
: there are other examples.

A bit of an understatement. =)

Almost every single CNA has had screw-ups in assignments in the last 12 
months, including Oracle, Microsoft, and Adobe. The one CNA I can't 
find fault with lately is Silicon Graphics.

: Speaking of consequences, what if Juniper doesn't follow the rules? 
: Withdraw their CNA status?  Then who is going to issue CVE IDs for 
: Juniper vulnerabilities?  If a CNA assigns incorrectly, reject their 
: assignments.  If the CNA actually wants their CVE IDs to count, 
: shape up.  If they don't, de-list them.  And yes, this does sound 
: laissez-faire.  The current model doesn't scale.

And I have spoken to this point as well. We don't just need rules, we need 
a clear path on how MITRE will deal with them if they aren't following the 
rules. Unless MITRE decided to keep me out of the loop after I reported 
CNAs not following rules many times, then I don't believe MITRE has been 
following up with them much at all. Or perhaps for a fraction of my 

I can't imagine MITRE will actually revoke a CNA, because it goes against 
their selfish interests (CVE is part of a multi-million dollar contract 
they enjoy every year). That is a grim reality we need to remember as we 
discuss this problem. I only bring it up because many of us had 
that MITRE bring on more CNAs several years ago, and that was met with 
silence or opposition (usually in private). Now that they are being taken 
to task, it seems greenlighting new CNAs could be their answer, even if 
the vendor has a history of bad assignments and board members object.

I think what bothers me about this discussion isn't just that I had 
with Juniper before the CNA status came up, but now that it is 
what is happening? It would take less than eight hours for one of the 
abundant MITRE employees tasked with CVE duties to audit Juniper's 
advisories for the last couple of years, and determine how accurate their 
assignments are. Given that Juniper has been requesting those IDs from 
MITRE, they could further compare the email requests to the public 
advisories to really gauge Juniper's understanding of the process. That is 
something I cannot do, since I don't see the ID request emails. Yet, I 
track CNA failures to a passing degree via several other data 
initiatives that have a side effect of giving me that data, and more.

Eight hours of figuring out where Juniper stands in this process is a 
no-brainer to me, given that every bad public assignment can snowball and 
cause serious grief for their customers, and in turn for any CVE 
The ROI on such a brief audit is clear.

In fact, every CNA, current or proposed, should be audited once a year, to 
ensure they are following assignment guidelines. What seems minor and 
pedestrian on the surface to many (e.g. assigning a 2016 ID to a 2015 
issue) can also snowball in huge ways, as seen in the 2016 Verizon 
report (pg13, 'Vulnerabilities' section) where the methodology is not 
defined, and they may be using the year of the ID to attribute 
attributes. Even if they don't, *many* others have historically done 
that when generating yearly vuln totals based on CVE data. These stats 
are about the only ones you see in any media, industry or mainstream. Because 
didn't think that 'disclosure date' was important to track in 1999, 
almost every vulnerability stat today is absurd and wrong.

: Growing CVE is going to decrease fidelity.  As far as I've thought about 
: it, MITRE acting as CNA registrar/auditor/manager and ultimate 
: of assignments from many CNAs might work as an organizational model.

In a perfect CVE world, MITRE would only act as a manager and auditor of 
CNAs and do no assignments themselves (I could also argue they aren't 
qualified to do so anymore, but that is academic pedantry and a losing 
argument due to social perception, not fact). I don't get how it is 
and this is just being brought up as a possible model; it falls somewhere 
between amusing and disgusting, especially since I have never seen 
propose it, while half a dozen other industry professionals have in the 
previous years.

Page Last Updated or Reviewed: April 27, 2016