ICASI | CONFIDENTIAL © ICASI 2010

The Common Vulnerability Reporting Framework (CVRF)
Presented by Jim Duncan, Juniper SIRT
FIRST Conference 2010, Miami FL USA
2010 June 15

Jun 19, 2020
Transcript
Page 1


Page 2

Agenda

• What is CVRF?

• Why CVRF?

• Who built CVRF and how?

• What’s the value of CVRF?

• What’s the timeline?

• Which member companies will adopt CVRF?

• Q&A


Page 3

What is CVRF?

• CVRF = the Common Vulnerability Reporting Framework

• XML-based language

• Provides a standard format for the dissemination of security-related information

• 48 Discrete Elements

• XML is machine readable, which makes both production and consumption easier

Page 4

CVRF Roles

Page 5

CVRF Roles: Document Producer

Page 6

CVRF Roles: Document Consumer

Page 7

Page 8

Why CVRF?

• No existing standard in this unique vulnerability reporting space

• Others are ad hoc, producer-specific


Page 9

Document Producer Reports at a Glance

Cisco (section: representation)

Summary: Text blob
Affected Products: Container
Vulnerable Products: List of text blobs
Products Confirmed Not Vulnerable: Bulleted list
Details: Text blob
Vulnerability Scoring Details: Text blob
Impact: Text blob
Software Versions and Fixes: Table
Workarounds: Text blob
Obtaining Fixed Software: Text blob
Exploitation and Public Announcements: Text blob
Status of this Notice: Text blob
Distribution: Text blob
Revision History: Table
Cisco Security Procedures: Text blob

Microsoft (section: representation)

General Information: Container
Executive Summary: Text blob
Affected and Non-Affected Software: Container
Affected Software: Table
Non-Affected Software: Table
FAQ: Text blob
Vulnerability Information: Container
Severity Ratings and Vulnerability Identifiers: Table
0 or more vulnerabilities sorted by CVE: Container
Vulnerability Description: Text blob
Update Information: Container
Detection and Deployment Tools Guidance: Text blob
Security Update Deployment: Text blob
Other Information: Container
Acknowledgements: Text blob
Microsoft Active Protections Program: Text blob
Support: Text blob
Disclaimer: Text blob
Revisions: Bulleted list

Page 10

Document Producer Reports at a Glance, cont’d

CERT (section: representation)

Target: Bulleted list
Access Vector: Bulleted list
Impact: Bulleted list
Remediation: Bulleted list
Details: Text blob
Impact: Text blob
Severity: Text blob
Vulnerability Coordination Information: Text blob
Vendor Information: Bulleted list
Remediation: Text blob
References: Bulleted list
Contact Information: Text blob
Revision History: Bulleted list

Secunia (section: representation)

Secunia Advisory: String
Release Date: Date
Last Update: Date
Popularity: Integer
Comments: Text blob
Criticality Level: Enum
Impact: Enum
Where: Enum
Authentication Level: Text blob
Report Reliability: Text blob
Solution Status: Text blob
Systems Affected: Text blob
Approve Distribution: Text blob
Automated Scanning: Text blob
Operating System: Bulleted list
Secunia CVSS Score: Text blob
CVE References: Bulleted list
Description: Text blob
Solution: Text blob
Provided and/or Discovered by: Text blob
Changelog: Text blob
Original Advisory: Text blob
Other References: Text blob
Alternate/Detailed Remediation: Text blob
Deep links: Text blob
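As an added example (not from the deck or ICASI), this is the consumption side that slide 3 promises, applied to the kind of per-vendor "affected / not affected / fixed" sections compared in the tables above: a small Python consumer reads one advisory, resolves product identifiers to names, and flags two inconsistencies a downstream tool should report rather than guess about. It assumes the element names and namespaces of the CVRF 1.1 schema published after this 2010 draft; the advisory, its document ID and the CVE number are constructed placeholders.

```python
"""Minimal CVRF consumer (added example): parse one advisory, resolve ProductIDs
to names, and flag inconsistencies a downstream tool must not accept silently.
Assumes the CVRF 1.1 element names published after the deck's 2010 draft."""
import xml.etree.ElementTree as ET

NS = {"cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
      "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
      "prod": "http://www.icasi.org/CVRF/schema/prod/1.1"}

# Constructed sample advisory; the document ID and CVE number are placeholders.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
  xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
  xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTracking><Identification><ID>EXAMPLE-SA-0001</ID></Identification>
  </DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="PID-1">Router OS 9.1</prod:FullProductName>
    <prod:FullProductName ProductID="PID-2">Router OS 9.2</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVE>CVE-0000-0000</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>PID-1</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Fixed"><vuln:ProductID>PID-2</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Known Not Affected"><vuln:ProductID>PID-1</vuln:ProductID>
        <vuln:ProductID>PID-9</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrfdoc>"""

def parse_cvrf(xml_text):
    root = ET.fromstring(xml_text)
    # ProductTree is the single source of product names; every status refers into it.
    names = {p.get("ProductID"): p.text for p in root.iterfind(".//prod:FullProductName", NS)}
    doc = {"id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID",
                               namespaces=NS), "vulnerabilities": [], "problems": []}
    for v in root.iterfind("vuln:Vulnerability", NS):
        statuses = {}  # status type -> resolved product names
        for s in v.iterfind("vuln:ProductStatuses/vuln:Status", NS):
            for pid in s.iterfind("vuln:ProductID", NS):
                if pid.text not in names:  # dangling reference into the ProductTree
                    doc["problems"].append(f"unknown ProductID {pid.text}")
                else:
                    statuses.setdefault(s.get("Type"), []).append(names[pid.text])
        # A product cannot be both affected and not affected: report it, never guess.
        both = set(statuses.get("Known Affected", [])) & set(statuses.get("Known Not Affected", []))
        doc["problems"].extend(f"{n} listed as both affected and not affected" for n in sorted(both))
        doc["vulnerabilities"].append({"cve": v.findtext("vuln:CVE", namespaces=NS),
                                       "statuses": statuses})
    return doc
```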

Page 11

Who’s involved?

• Internet Consortium for Advancement of Security on the Internet (ICASI)

• Formed in 2008 to address international, multi-product security challenges

• Non-profit, vendor agnostic

• ICASI members include Cisco, IBM, Intel, Juniper, Microsoft, and Nokia

• Non-ICASI member contributors include Oracle and Red Hat


Page 12

How was CVRF built?

Page 13

What is the Value of CVRF?

• CVRF is a response by industry to customer demand

• Customers are looking for a simple automated way to absorb security-related information

• Vendors are looking for an easily produced capacity to enable machine-readable generation of security documentation using current methodology

• CVRF is delivering the capacity to enable the assimilation of disparate security-related data-sets via a standard format


Page 14

Timeline

• 2008
  • Issue proposed as a goal for ICASI
  • CVRF work group formed

• 2009
  • Investigation and gap analysis
  • Gathered reports from vendors and CERTs
  • Comparison with surveys
  • Draft problem statement and use cases
  • Design common Framework

• 2010
  • Define standard
  • Develop dictionary, schema and sample style sheets
  • Test internal to working group
  • Conduct peer review
  • Incorporate peer review comments

• Late 2011
  • Implementation


Page 15

Company Adoption

Company    Plans            Role                Timeline
Cisco      evaluating       producer            2011
IBM        limited support  producer/consumer   2011/12
Intel      limited support  producer/consumer   2011
Juniper    limited support  producer/consumer   2011/12
Microsoft  support          producer            2011
Nokia      evaluating       producer            2011
Oracle     evaluating       producer/consumer   2011/12
Red Hat    support          producer            2010

Page 16

The “ask”:

• Well-qualified organizations for peer review

• Would your organization use an industry proposed framework to accomplish the purpose outlined here?

• Please email [email protected] to request participation

• Other comments or questions?
