
Re: CNA requirements

I've actually never heard of ISO 29147, just checked and it costs well over $100 to get a copy of, so that's not going to work for most open source projects. More to the point we can boil down what is needed to the 5 steps I list in my previous email. 

On Tue, May 31, 2016 at 8:16 AM, Millar, Thomas <Thomas.Millar@hq.dhs.gov> wrote:
Perhaps the removal of the word "mature" is the fastest way to an acceptable resolution. Adjectives are hard.

A secure engineering life cycle including regular vulnerability disclosure and remediation activities, and/or self-attested compliance with ISO 29147, might work as a definition.

Tom Millar, US-CERT

Sent from +1-202-631-1915

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Adinolfi, Daniel R
Sent: Tuesday, May 31, 2016 3:01:09 PM
To: jericho; Kurt Seifried
Cc: cve-editorial-board-list
Subject: Re: CNA requirements


Since we seem to not all agree on what a mature security process is, we should probably take a moment to define it. How would you (or others on the Board; please chime in) define or describe a "mature" security process? I'm guessing that there could be many definitions of such a thing, and if CVE would like to see their CNAs have a mature process, we will need to have a stick to measure "mature" against.

What does a mature process look like? How much does the process depend on the organization and how they do software/hardware dev and QA, handle PR issues, support their customers, etc? Or should our definition be a standard, regardless of the organizational details? Are we just measuring how they respond to vulnerabilities in their products, or should we measure beyond that part of their operational processes?

One of the working groups coming out of recent Editorial Board meetings is working on creating standards/guidelines for CVE submissions as part of the bigger community of practice discussion. Should we include this discussion in that working group as well?


P.S. SGI does exist. Their CNA contact is Michael O'Connor, and they can be reached publicly at security-info@sgi.com.

On 5/28/16, 02:45, "owner-cve-editorial-board-list@lists.mitre.org on behalf of jericho" <owner-cve-editorial-board-list@lists.mitre.org on behalf of jericho@attrition.org> wrote:

>On Tue, 17 May 2016, Kurt Seifried wrote:
>: On Tue, May 17, 2016 at 8:54 AM, Waltermire, David A. (Fed) <
>: david.waltermire@nist.gov> wrote:
>: > IMHO, I believe we need to address this in a way that supports a
>: > non-hierarchical, graph of communications between CNAs. This models what
>: > happens in the real world. It should be possible for any CNA to find any
>: > other CNA, get their contact info, and then reach out to them to coordinate
>: > on a CVE assignment. Relying on parent CNAs does not make this work.
>And this is where we get into a meta-discussion...
>: So I've been thinking about this a bit and looking back at some
>: situations in the last 5000 or so CVE's I've assigned and some things
>: are obvious:
>: 1) Being a CNA requires you to have a mature security process, if you
>Patently false.
>- Apple is a CNA, they do not have a mature security process.
>- IBM is a CNA, they have a convoluted disgusting security process. (Love
>  Lisa and Scott, but it's true! Also, why isn't IBM on the board?)
>- Oracle is a CNA, they do not have a mature security process.
>- SGI is a CNA, they ... uh, don't exist?
>That said, your outline on defining CNA requirements is great and helpful.
>=) Just don't equivocate here.


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: June 01, 2016