Insecurities and Vulnerabilities
Keeping the NVD Current by Properly Reporting CVEs.
Created by
Rob Tompkins (chtompki)
Who is this guy?
- chtompki@apache.org
- Apache Member
- Apache Commons PMC
- Software Developer (Java, Python, AWS, DevSecOps)
- WestCreek Finance (Fintech Startup in RVA)
- Mathematician/Logician (?, sure why not).
Definitions
- Def'n. NVD
- The National Vulnerability Database.
- Def'n. CVEs
- Common Vulnerabilities and Exposures.
- Def'n. CNA
- CVE Numbering Authority.
Why are we here?
- The documentation process isn't straightforward
- To all the Mitre folks in the room: sorry....
- You're generally interested in security
- You own an open source project and don't know how to log security defects.
CVE and NVD Relationship
CVE and NVD are separate programs.
- CVE list - a list maintained by MITRE
- Identification number
- Description
- At least one public reference of a known cybersecurity vulnerability
CVE and NVD Relationship
- NVD - A vulnerability database maintained by the National Institute
of Standards and Technology
- Fed by CVE list
- More advanced searching features (e.g. filtering by OS, vendor name,
product name, version, type, severity, etc.)
CVE and NVD Relationship
- Owners:
- U.S. Department of Homeland Security
- Cybersecurity and Infrastructure Security Agency
- Available to the public and free to use.
Ok...ok, so how do I log a CVE for my project?
Open and Non-disclosed project communications
HAVE A PRIVATE SECURITY ALERT EMAIL!!!!!!!
- Standard project site.
- On the site: a clearly defined communications forum.
- Put your private security list there, adjacent to the open communications forum.
Are you a part of a numbering authority?
CVE Numbering Authority Examples
- The Apache Software Foundation
- Apple Inc.
- Kubernetes
- Snyk
- Red Hat, Inc.
- Huawei Technologies
- Larry Cashdollar
- MITRE Corporation
- ...
Numbering Authority List
You can use Mitre as your Numbering Authority
You'll end up with just a number
Fix your defect!
quietly....
- Huh, wouldn't I just want to fix it and get a release out immediately?
- Community & committers considerations...
- Accommodating for discussions with your reporter.
- Multiple RC's??
Release and make a public announcement of the defect/CVE Number
- Release the fix and ensure that the CVE is documented somewhere in the release notes.
- Make a public announcement of the fix so that your community knows they need to upgrade.
Notify CVE about a Publication
Notify CVE about a Publication Description Formatting
No evidence of hard requirements on description, but format MATTERS!
- e.g. I've personally made submissions here 3 & 4 times for a single CVE
- There are 3 defined formats that will result in successful submissions
JSON schema
schema definition on github
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-YYYY-NNNNNN",
"ASSIGNER": "Example email address"
},
..... (way more)
}
Flat file schema
[CVEID]: ...CVE-YYYY-####...
[PRODUCT]: ...your OSS project's name...
[VERSION]: ...the versions of your product affected...
[PROBLEMTYPE]:Information Disclosure
[REFERENCES]: ...A direct link to your release (auditable)...
[DESCRIPTION]: ...a description of your choice...
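Since the deck stresses that the submission format matters and that a CVE entry needs an ID, a description and at least one public reference, here is an added example (not from the talk or from MITRE) that builds both the JSON 4.0 record and the flat-file text from one set of fields and refuses to emit either when a required piece is missing. The top-level keys and the CVE_data_meta block are the ones shown on the slide; the affects/problemtype/references/description layout below them follows the CVE JSON 4.0 schema published on GitHub as I know it, so check it against the schema before submitting. All sample values, including the CVE ID and URL, are constructed placeholders.

```python
import json
import re

# Constructed sample disclosure. The ID uses an impossible future year so it
# cannot collide with a real CVE; the real number comes from your CNA.
SAMPLE = {
    "cve_id": "CVE-2099-0001",
    "assigner": "security@example.org",
    "vendor": "Example Foundation",
    "product": "Example Library",
    "versions": ["1.0", "1.1", "1.2"],
    "problem_type": "Information Disclosure",
    "references": ["https://example.org/project/release-notes-1.3.html"],
    "description": "Example Library before 1.3 discloses configuration data to "
                   "unauthenticated callers. (constructed text)",
}

# CVE IDs are CVE-, a four-digit year, a dash, and at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def validate(entry):
    """Return a list of problems; an empty list means the entry is submittable."""
    errors = []
    if not CVE_ID_RE.match(entry["cve_id"]):
        errors.append("ID must look like CVE-YYYY-NNNN (placeholders are not accepted)")
    if not entry["references"]:
        errors.append("at least one public reference is required")
    for url in entry["references"]:
        if not url.startswith("https://"):
            errors.append(f"reference is not an https URL: {url}")
    if not entry["description"].strip():
        errors.append("description must not be empty")
    if not entry["versions"]:
        errors.append("list the affected versions")
    return errors


def to_cve_json(entry):
    """CVE JSON 4.0 record. Header keys are from the slide; the nested layout
    is assumed from the published 4.0 schema (verify before submitting)."""
    return {
        "data_type": "CVE",
        "data_format": "MITRE",
        "data_version": "4.0",
        "CVE_data_meta": {"ID": entry["cve_id"], "ASSIGNER": entry["assigner"]},
        "affects": {"vendor": {"vendor_data": [{
            "vendor_name": entry["vendor"],
            "product": {"product_data": [{
                "product_name": entry["product"],
                "version": {"version_data": [
                    {"version_value": v} for v in entry["versions"]]},
            }]},
        }]}},
        "problemtype": {"problemtype_data": [
            {"description": [{"lang": "eng", "value": entry["problem_type"]}]}]},
        "references": {"reference_data": [
            {"url": u, "refsource": "CONFIRM", "name": u} for u in entry["references"]]},
        "description": {"description_data": [
            {"lang": "eng", "value": entry["description"]}]},
    }


def to_flat_file(entry):
    """Flat-file form from the slide: one [KEY]: value line per field, same order."""
    return "\n".join([
        f"[CVEID]:{entry['cve_id']}",
        f"[PRODUCT]:{entry['product']}",
        f"[VERSION]:{','.join(entry['versions'])}",
        f"[PROBLEMTYPE]:{entry['problem_type']}",
        f"[REFERENCES]:{','.join(entry['references'])}",
        f"[DESCRIPTION]:{entry['description']}",
    ])


def build_submission(entry):
    """Validate first, then return (json_text, flat_text) for the same entry."""
    errors = validate(entry)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps(to_cve_json(entry), indent=2), to_flat_file(entry)


if __name__ == "__main__":
    json_text, flat_text = build_submission(SAMPLE)
    print(json_text)
    print(flat_text)
```

Running the script prints both forms for the constructed entry; swapping in the slide's literal placeholder ID (CVE-YYYY-NNNNNN) makes `build_submission` raise, which is the point: catch a malformed submission locally rather than on the third resubmission.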
Next??
Email from CVE-Request@mitre.org:
Example CVE (CVE-2019-10086)
NVD Entry Example.
What have we learned here?
- It's extremely important to document CVEs and keep the NVD current
- The process for doing it isn't unmanageable
- Anyone should be able to log a CVE for their project
- Keep things quiet until announcement time
What have we learned here
For your project's dependencies:
- Make sure you're subscribed to their announcement lists so that you learn
about their security vulnerabilities, and
- Keep the versions upon which you depend up to the latest released version,
despite the pain