Kent Landfield, chief standards and technology policy strategist at McAfee and a founding member of the CVE board, agreed that MITRE had been overwhelmed by the “explosion” of vulnerabilities. He says things “came to a head in January 2016, with the community, the board and MITRE at odds.” Since then, “things have been moving in the right direction,” he says, adding that while in the past, “MITRE was all centralized and hesitant to get new CNAs, they’ve now created a federated model. It’s still an experiment in some respects, but it started in March 2016.”
The intent, he says, is to divide the CVE ID burden among “root” CNAs that are responsible for different categories of CVEs.
An example is the Distributed Weakness Filing (DWF) Project, which is responsible for finding and identifying vulnerabilities in open source software. Other CNAs – major companies like Microsoft, Apple and Google – identify and catalog vulnerabilities found in their own products.
The bottom line, Landfield says, is that, “it was very important that we put in place a mechanism that would scale – that would be sustainable. And that is what is happening.”
Kurt Seifried, director at the DWF Project, senior software engineer for Red Hat Product Security and also a CVE Board member, agreed. The way to close the gap in CVEs that are not part of the dictionary yet, he says, “is relatively simple: Add more CNAs to scale out CVE.
“This means having a governance model similar to DNS (Domain Name System) – MITRE is the root, DWF is the sub-root for all open source, Microsoft is a sub-root for all Microsoft, and so on, with additional CNA hierarchies for countries/industry verticals. The operational model is much more peer-to-peer, with CNAs contacting each other as needed,” Seifried says.
He noted that, since the launch of the federated model, “we have doubled the number of CNAs, and in 2016 had more than 10,000 CVEs assigned. We’re also working on automation and other self-service-style aspects to continue scaling the process to meet demand.”
Lang added that when the “federated” model began, there were only 22 CNAs, and since then 40 have been added, “with new CNA candidates continually entering the queue.”
So, does that mean the problem, while it still exists, is well on the way to being solved? Art Manion, vulnerability analysis technical manager at CERT (Computer Emergency Response Team) Division, Carnegie Mellon University Software Engineering Institute, and another CVE Board member, is cautiously optimistic. Cautious because he believes some of Martin’s criticisms are valid – that while it is possible to quibble over the exact magnitude of the gap, it is “drastic” by any measure, and because it is indeed going to be impossible, with the current model, to keep up with the explosive increase in vulnerabilities because of the “IoT apocalypse.”