
RE: New CNA - Booz Allen Hamilton

How do you propose we “work out federation and governance” other than by doing it and learning as we go? Those priorities aren’t competing. They work in parallel, in my view.

Tom Millar, US-CERT

Sent from +1-202-631-1915

From: Waltermire, David A. (Fed)
Sent: Tuesday, November 07, 2017 2:44:18 AM
To: Millar, Thomas; jericho; Coffin, Chris
Cc: cve-editorial-board-list
Subject: RE: New CNA - Booz Allen Hamilton


The primary reason we are seeing new CNAs is because Dan is out advertising that the CVE program is looking for new CNAs. I am not calling Dan out by saying this. He is doing what he has been told to do. I believe we should be spending MITRE resources, which have limits, to work with the board to improve the structure and overall governance of the CVE program. 

I am not suggesting we plateau the acquisition of CNAs, but instead that we not actively seek them out. If new CNAs come to the program on their own, I am good with bringing them in. We can then use the time saved to focus resources on making federation a reality and working out how the federated model can be better governed. In my view, working on these things is critical to the long term success of CVE. We are not making progress as quickly as I had hoped. This is a good time to consider what we can do differently to reprioritize.

Do you agree that working out federation and governance for the program is a priority? If not, what do you see as the biggest priorities?


-------- Original Message --------
From: owner-cve-editorial-board-list@lists.mitre.org on behalf of "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
Date: Mon, November 06, 2017 5:00 PM -0500
To: jericho <jericho@attrition.org>, "Coffin, Chris" <ccoffin@mitre.org>
CC: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New CNA - Booz Allen Hamilton

The big NIST contract with BAH ended some years ago, iirc.

Grep for "booz" through the CERT KB turns up one mention, a possible heap overflow due to an upstream product. Nothing in NVD.


Looking through job listings they do hire a ton of pen testers so I'd presume they want to be able to assign for vulnerabilities they find in the course of gigs. However, stating "we can even assign a CVE to anything we find" - as a feature of their service offerings - might be problematic.

All that said, I personally tend to agree with Kurt. At this point in time, I would not expect to see the rate of new CNAs plateau - and I would prefer to run into these issues now, and learn and adapt from them more quickly, than drag this painful transformation out and risk losing momentum.

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
Sent: Monday, November 6, 2017 16:46
To: Coffin, Chris <ccoffin@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: New CNA - Booz Allen Hamilton
Importance: High

On Mon, 6 Nov 2017, Coffin, Chris wrote:

: In this case, BAH was interested and was willing to participate in the
: program as a CNA for their own products. They are also willing to fill
: the gaps where other CNAs do not provide coverage. Our understanding
: from the discussion was that this CNA falls into the category of a large
: and established organization that should be part of the CVE program,
: especially if they are reaching out to us to participate. It was the
: smaller research organizations that were the issue, right?

In the interest of transparency, and because I don't know if this represents a conflict or not, or is tangentially related... but could NIST/NVD clarify BAH's current role in the NVD process?

For those not aware, for several years NIST would out-source the NVD meta-data generation (e.g. CPE, CVSS scoring) to junior BAH consultants. I don't know how long that went on, if it still does, or if they changed vendors over the years.

I had asked both MITRE and NVD many years back about their involvement in the context of "when they find an error in a CVE, who do they report to" and I don't recall getting a real answer other than what in my memory was bureaucratic speak for "don't worry, it's handled".


Page Last Updated or Reviewed: November 07, 2017