David Jorm, profile picture
Uploaded byDavid Jorm
PPTX, PDF1,239 views

AusCERT 2016: CVE and alternatives

David Jorm discusses the purpose and history of the Common Vulnerabilities and Exposures (CVE) system, developed to provide a standardized identifier for software vulnerabilities. He highlights the growth of CVE since its inception, the challenges related to CVE assignment, and mentions alternatives like Distributed Weakness Filing (DWF). Jorm advocates for community efforts to enhance the adoption of these systems and improve vulnerability naming and identification.

Technology
Related topics:
Information Security

Embed presentation

Downloaded 13 times
CVE is logjammed, CNVD is nearly as bad, and my heart bleeds for the whole mess David Jorm, console.to
Introduction: David Jorm  Software engineer for many years  Last 6 years focusing on security  Managed Red Hat's Java middleware security team  Now engineering manager for Console  I love finding new 0day and popping shells!
Outline  CVE purpose and history  CVE assignment theory and practice  MITRE's quality standards  Alternatives  Community takeover  Named vulnerabilities, next steps
CVE purpose  In the late 90s, there was no canonical identifier for vulnerabilities  Plethora of vendor-specific identifiers  phf RCE (remember that?) was a good example of the failure, with dozens of vendor identifiers  CVE aims to address these problems with a single common identifier format
MITRE corporation  US non-profit handling various things for gov  Manages the national institute for standards and technology (NIST)  National Cybersecurity FFRDC managed by MITRE created and runs the CVE program  Remind you of anything?
CVE history  In 2003, 29 organizations and 43 products  Today, >150 organizations and >300 products  In 2002 CVE was mandated for use by US government  Format was CVE-YYYY-XXXX, not CVE-YYYY-XXXXX to handle growth in assignments
CVE theory  CNAs delegated the authority to assign CVE IDs for their own products and allocated blocks of IDs  MITRE acts as a catch-all CNA for other products  Contact a CNA with sufficient details to prove you have a real issue  Use the assigned CVE when you publish details of the vulnerbaility
CVE practice
CVE practice
CVE practice
CVE practice
CVE practice http://davidjorm.blogspot.com.au/2015/07/101-ways-to-pwn- phone.html
CVE practice
MITRE's quality standards  Many people have highlighted difficulties and endless delays getting CVEs assigned  MITRE has no SLA, and must maintain high quality  But never fear: “If anyone needs additional confirmation that a request has indeed been received and read, and that we are aware of it remaining unanswered, sending directly to the cve- assign@mitre.org address is the best option.”http://www.openwall.com/lists/oss- security/2015/06/09/5 http://www.openwall.com/lists/oss- security/2015/03/19/3
MITRE's quality standards  “Hypercube is a graph visualization tool for drawing DOT (graphviz), GML, GraphML, GXL and simple text-based graph representations as SVG and EPS images. It comes with a Qt-based GUI application and a Qt-independent commandline tool. Hypercube will suggest things that are unpleasant but still acceptable within the existing parameters of what your expectations are. Hypercube uses a simulated reaming algorithm to lay out the graph, http://www.openwall.com/lists/oss- security/2014/03/25/4
MITRE's quality standards Two day turnaround time!
Alternatives
Community takeover  Kurt Seifried from Red Hat independently staged the coup without me (reactionary!)  Distributed weakness filing (DWF)  Same basic system as CVE, but allows anyone to become a naming authority  Identifiers namespaced by authority, so no need to elect a trust root
Community takeover  Authorities now include HackerOne, NTPSec, OpenSwitch, and CERT/CC  Limited uptake, but promising model  http://seclists.org/oss-sec/2016/q1/560
Named vulnerabilities  Useful for a canonical identifier if nothing else  Rkt Overloaded Flags Liability (ROFL): http://davidjorm.blogspot.com.au/2015/05/auditin g-go-applications-tls-hostname.html  What about the Grandstream phone issue mentioned earlier? Surely it deserves a name and a logo
Named vulnerabilities  Introducing pwhened (phwned.com)
Next steps  Rally around a community effort  Critical mass needed for real adoption  I think DWF is a good effort to back  Kurt is passionate and knows this problem space well  No more national standards as de-facto international standards
Questions? djorm@console.to | @djorm

More Related Content

ODP
OpenDaylight Brisbane User Group - OpenDaylight Security
byDavid Jorm
 
PDF
Building world-class security response and secure development processes
byDavid Jorm
 
ODP
Tracking vulnerable JARs
byDavid Jorm
 
PDF
44CON & Ruxcon: SDN security
byDavid Jorm
 
PPTX
Java Exploit Analysis .
byRahul Sasi
 
PPTX
Securing your web applications a pragmatic approach
byAntonio Parata
 
PDF
The Log4Shell Vulnerability – explained: how to stay secure
byKaspersky
 
PDF
HackInBo2k16 - Threat Intelligence and Malware Analysis
byAntonio Parata
 
OpenDaylight Brisbane User Group - OpenDaylight Security
byDavid Jorm
 
Building world-class security response and secure development processes
byDavid Jorm
 
Tracking vulnerable JARs
byDavid Jorm
 
44CON & Ruxcon: SDN security
byDavid Jorm
 
Java Exploit Analysis .
byRahul Sasi
 
Securing your web applications a pragmatic approach
byAntonio Parata
 
The Log4Shell Vulnerability – explained: how to stay secure
byKaspersky
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
byAntonio Parata
 

What's hot

PDF
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
bySergey Gordeychik
 
PPTX
Student Spring 2021
byDenis Zakharov
 
PDF
Mitigating Java Deserialization attacks from within the JVM
byApostolos Giannakidis
 
PDF
Secure Coding in Perl
byIan Kluft
 
PPTX
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
byGlobalLogic Ukraine
 
PPTX
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
byGene Gotimer
 
PDF
[Wroclaw #9] The purge - dealing with secrets in Opera Software
byOWASP
 
PDF
Secure Application Development in the Age of Continuous Delivery
byBlack Duck by Synopsys
 
PDF
Implementing Secure DevOps on Public Cloud Platforms
byGaurav "GP" Pal
 
PDF
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
byCanSecWest
 
PDF
Myths and Misperceptions of Open Source Security
byBlack Duck by Synopsys
 
PDF
Incident Response in Cyber-Relevant Time - OpenC2
byVasileios Mavroeidis
 
PDF
Android Application Security
byChong-Kuan Chen
 
PPTX
Fortify dev ops (002)
byMadhavan Marimuthu
 
PDF
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
byWaratek Ltd
 
PDF
Automatic tool for static analysis
byChong-Kuan Chen
 
PDF
Mitigating Java Deserialization attacks from within the JVM (improved version)
byApostolos Giannakidis
 
PPTX
Virtual Machine Introspection - Future of the Cloud
byTjylen Veselyj
 
PDF
The Art of defence: How vulnerabilites help shape security features and mitig...
byPriyanka Aash
 
PPTX
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
byBlueHat Security Conference
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
bySergey Gordeychik
 
Student Spring 2021
byDenis Zakharov
 
Mitigating Java Deserialization attacks from within the JVM
byApostolos Giannakidis
 
Secure Coding in Perl
byIan Kluft
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
byGlobalLogic Ukraine
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
byGene Gotimer
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
byOWASP
 
Secure Application Development in the Age of Continuous Delivery
byBlack Duck by Synopsys
 
Implementing Secure DevOps on Public Cloud Platforms
byGaurav "GP" Pal
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
byCanSecWest
 
Myths and Misperceptions of Open Source Security
byBlack Duck by Synopsys
 
Incident Response in Cyber-Relevant Time - OpenC2
byVasileios Mavroeidis
 
Android Application Security
byChong-Kuan Chen
 
Fortify dev ops (002)
byMadhavan Marimuthu
 
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
byWaratek Ltd
 
Automatic tool for static analysis
byChong-Kuan Chen
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
byApostolos Giannakidis
 
Virtual Machine Introspection - Future of the Cloud
byTjylen Veselyj
 
The Art of defence: How vulnerabilites help shape security features and mitig...
byPriyanka Aash
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
byBlueHat Security Conference
 

Similar to AusCERT 2016: CVE and alternatives

PDF
Cve trends 20170531
byKazuki Omo
 
PPT
Common Vulnerabilities and Exposures details
bynizlin1
 
PPTX
Classification of vulnerabilities
byMayur Mehta
 
PPTX
How to assign a CVE to yourself?
byRamin Farajpour Cami
 
PPSX
Ids 004 cve
byjyoti_lakhani
 
PDF
Open Source Security – A vendor's perspective
byMatthew Wilkes
 
PDF
Life of a CVE
byYadnyawalkya Tale
 
PPTX
Cm5 secure code_training_1day_system configuration
bydcervigni
 
PPT
pptAJECGYW9qopptAJECGYW9qopptAJECGYW9qopptAJECGYW9qo.ppt
byabhimannyubanerjee
 
PDF
OSC2023_security_automation_data.pdf
byMarcus Meissner
 
PPTX
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
PDF
Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities
byMarc Ruef
 
PDF
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
byArea41
 
PPTX
Managing Security in External Software Dependencies
byTharindu Edirisinghe
 
PPTX
Managing Security in External Software Dependencies
bythariyarox
 
PPT
2.Public Vulnerability Databases
byphanleson
 
PPTX
Geecon 2017 Anatomy of Java Vulnerabilities
bySteve Poole
 
PPTX
Cybersecurity overview - Open source compliance seminar
byRogue Wave Software
 
PDF
The State of Open Source Security Vulnerabilities in 2020
byDevOps.com
 
PDF
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
Cve trends 20170531
byKazuki Omo
 
Common Vulnerabilities and Exposures details
bynizlin1
 
Classification of vulnerabilities
byMayur Mehta
 
How to assign a CVE to yourself?
byRamin Farajpour Cami
 
Ids 004 cve
byjyoti_lakhani
 
Open Source Security – A vendor's perspective
byMatthew Wilkes
 
Life of a CVE
byYadnyawalkya Tale
 
Cm5 secure code_training_1day_system configuration
bydcervigni
 
pptAJECGYW9qopptAJECGYW9qopptAJECGYW9qopptAJECGYW9qo.ppt
byabhimannyubanerjee
 
OSC2023_security_automation_data.pdf
byMarcus Meissner
 
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities
byMarc Ruef
 
Marc Ruef: Adventures in a Decade of Tracking and Consolidating Security Vuln...
byArea41
 
Managing Security in External Software Dependencies
byTharindu Edirisinghe
 
Managing Security in External Software Dependencies
bythariyarox
 
2.Public Vulnerability Databases
byphanleson
 
Geecon 2017 Anatomy of Java Vulnerabilities
bySteve Poole
 
Cybersecurity overview - Open source compliance seminar
byRogue Wave Software
 
The State of Open Source Security Vulnerabilities in 2020
byDevOps.com
 
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 

Recently uploaded

PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
API-First Architecture in Financial Systems
bycyy111112
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 

AusCERT 2016: CVE and alternatives

  • 1.
    CVE is logjammed,CNVD is nearly as bad, and my heart bleeds for the whole mess David Jorm, console.to
  • 2.
    Introduction: David Jorm Software engineer for many years  Last 6 years focusing on security  Managed Red Hat's Java middleware security team  Now engineering manager for Console  I love finding new 0day and popping shells!
  • 3.
    Outline  CVE purposeand history  CVE assignment theory and practice  MITRE's quality standards  Alternatives  Community takeover  Named vulnerabilities, next steps
  • 4.
    CVE purpose  Inthe late 90s, there was no canonical identifier for vulnerabilities  Plethora of vendor-specific identifiers  phf RCE (remember that?) was a good example of the failure, with dozens of vendor identifiers  CVE aims to address these problems with a single common identifier format
  • 5.
    MITRE corporation  USnon-profit handling various things for gov  Manages the national institute for standards and technology (NIST)  National Cybersecurity FFRDC managed by MITRE created and runs the CVE program  Remind you of anything?
  • 7.
    CVE history  In2003, 29 organizations and 43 products  Today, >150 organizations and >300 products  In 2002 CVE was mandated for use by US government  Format was CVE-YYYY-XXXX, not CVE-YYYY-XXXXX to handle growth in assignments
  • 8.
    CVE theory  CNAsdelegated the authority to assign CVE IDs for their own products and allocated blocks of IDs  MITRE acts as a catch-all CNA for other products  Contact a CNA with sufficient details to prove you have a real issue  Use the assigned CVE when you publish details of the vulnerbaility
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
    MITRE's quality standards Many people have highlighted difficulties and endless delays getting CVEs assigned  MITRE has no SLA, and must maintain high quality  But never fear: “If anyone needs additional confirmation that a request has indeed been received and read, and that we are aware of it remaining unanswered, sending directly to the cve- assign@mitre.org address is the best option.”http://www.openwall.com/lists/oss- security/2015/06/09/5 http://www.openwall.com/lists/oss- security/2015/03/19/3
  • 16.
    MITRE's quality standards “Hypercube is a graph visualization tool for drawing DOT (graphviz), GML, GraphML, GXL and simple text-based graph representations as SVG and EPS images. It comes with a Qt-based GUI application and a Qt-independent commandline tool. Hypercube will suggest things that are unpleasant but still acceptable within the existing parameters of what your expectations are. Hypercube uses a simulated reaming algorithm to lay out the graph, http://www.openwall.com/lists/oss- security/2014/03/25/4
  • 17.
    MITRE's quality standards Twoday turnaround time!
  • 18.
  • 19.
    Community takeover  KurtSeifried from Red Hat independently staged the coup without me (reactionary!)  Distributed weakness filing (DWF)  Same basic system as CVE, but allows anyone to become a naming authority  Identifiers namespaced by authority, so no need to elect a trust root
  • 20.
    Community takeover  Authoritiesnow include HackerOne, NTPSec, OpenSwitch, and CERT/CC  Limited uptake, but promising model  http://seclists.org/oss-sec/2016/q1/560
  • 21.
    Named vulnerabilities  Usefulfor a canonical identifier if nothing else  Rkt Overloaded Flags Liability (ROFL): http://davidjorm.blogspot.com.au/2015/05/auditin g-go-applications-tls-hostname.html  What about the Grandstream phone issue mentioned earlier? Surely it deserves a name and a logo
  • 22.
  • 23.
    Next steps  Rallyaround a community effort  Critical mass needed for real adoption  I think DWF is a good effort to back  Kurt is passionate and knows this problem space well  No more national standards as de-facto international standards
  • 24.