Comment The fragmentation of the global system for identifying and tracking security bugs in technology products has begun.
Earlier this week, the Common Vulnerabilities and Exposures (CVE) program was staring at doom because the US government had halted funding for MITRE, the non-profit that operates the program. Uncle Sam came around at the very last minute and has now promised 11 more months of money to keep the program running.
Meanwhile, the EU is rolling out its own.
The European Union Agency for Cybersecurity (ENISA) developed and maintains this alternative, known as the EUVD, or European Union Vulnerability Database. The EU mandated its creation as part of the Network and Information Security 2 (NIS2) directive, and ENISA announced it last June.
The EUVD is similar to the US government's NVD, or National Vulnerability Database, in that it organizes disclosed bugs by their unique CVE-assigned identifier, documents their impact, and links to advisories and fixes.
Interestingly, the Euro database also uses its own EUVD IDs to track security bugs, alongside the identifiers managed by CVE and GSD IDs, the latter from the Global Security Database (which now appears to be defunct) run by the Cloud Security Alliance.
Although the EUVD has been gestating for almost a year, the uncertainty around the CVE program is likely to thrust the European effort into the spotlight as a replacement, fallback or alternative to CVE. ENISA is, we note, a CVE partner; more specifically, it is a CVE Numbering Authority.
"The EUVD, hopefully, will gain more traction so that Europe can also achieve self-sufficiency in this area," Marcus Söderblom, an infosec consultant at an IT services giant, said this week.
Ben Radcliff, senior director of cyber operations at infosec service provider Optiv, told The Register on Thursday that the CVE funding fiasco exposed a serious flaw: dependence on the generosity of a single, and now volatile, government.
"Continued dependence on CISA funding could put pressure on the organization to act and operate with less impartiality and political agnosticism," he added. "One of the main promises of the EUVD is that it will be backed by multiple sponsors, apparently avoiding this trap."
Or it could present another trap: separate bug-tracking systems for the United States and Europe. Like imperial versus metric, but worse.
"While it's likely that there will be coordination between the US NVD and the EUVD such that records available in one database mirror those in the other, I do expect that regional regulatory governance will tend to favor one vulnerability database over another," the head of software supply chain risk strategy at app security firm Duck Duck told The Register.
The timing of the EU database's emergence "cannot be dismissed as a coincidence," said Brian Martin, a Flashpoint vulnerability analyst, on a webinar on Thursday. "For me, this signals a global lack of confidence in the US government's commitment to ensuring the continuity of CVE."
Meanwhile, another "global" system for identifying and numbering security flaws, the Global CVE or GCVE allocation system, comes from some CVE alumni. "But it is essentially like one person on a GitHub project," said Martin.
In addition to these two, there is also the new CVE Foundation, a non-profit formed to bring the CVE program under its auspices and eliminate a "single point of failure in the vulnerability management ecosystem."
And, of course, MITRE will continue to run the CVE program as usual under its contract with the government, at least for the next 11 months.
"There is no understanding or guarantee of what will happen after that point," Kecia Hoyt, a Flashpoint vulnerability analyst, said on the webinar. "Maybe we can enjoy our weekend at this stage, but I don't want to be here having this conversation in a year with nothing having changed."
What is in a name?
Having a standardized system for identifying vulnerabilities is hugely important and helps keep everyone, companies, vulnerability researchers, developers, governments, on the same page. If someone says CVE-2017-5754, for example, there is no doubt they are talking about Intel's Meltdown, which also turned up in a handful of Arm processor cores.
This common language helps avoid what we currently have with cybercriminal groups, where the various government agencies and private-sector threat intel firms all have their own naming schemes: is it Cozy Bear, Midnight Blizzard or APT29? And what about Salt Typhoon, FamousSparrow and Earth Estries?
"I say Scattered Spider, you say 0ktapus," said Hoyt, referring to two names for the collective of suspected young American and British criminals known for their ransomware attacks on Las Vegas casinos.
"There is a lot of different terminology thrown around, and are we talking about the same thing? Is this report equal to that report? That is really what CVE and have done for the vulnerability space," she added.
So now the question becomes: will someone, a government or an industry collective, step in and provide a more permanent universal system? Or will the entire vulnerability management system splinter into a million pieces, with companies, governments and community organizations naming and tracking vulnerabilities independently of each other? And if so: whom to trust?
"Having an independent government solution for this vulnerability catalog, compared to a larger business or global organization, may seem like a good idea," said Hoyt, but added that "the former creates this single point of failure that we are all living through."
However, putting a large company or even a coalition of tech giants in charge means "the possibility of bias and compromised neutrality," she noted.