By tony

Without A Name, More Is Less

MITRE friends reminded me that we're approaching the 25th birthday of CVE this year! (For the less geeky reader, CVE is the standard naming/numbering scheme for software flaws).


Wow, the time has flown! The post below is from my NSA internal blog in 2010, noting the 10th anniversary of the CVE Project. This post was previously approved for public release, but never published until today. For me, the chance to be part of CVE triggered a lot of ideas and action at NSA and across the entire industry.



What's In A Name? or Ten? (2010.03.13 - 12:09 pm)


Well, I recently returned from the RSA Conference, the biggest trade show in the business. As always, it's an exhausting week of talks, demos, side meetings, and all-around schmooze. SO much schmooze.


One thing that I really enjoyed was the reception celebrating ten years of CVE - Common Vulnerabilities and Exposures (cve.mitre.org). MITRE hosted an excellent event, and there was a chance to say nice things, catch up with friends and partners, and wonder where the years had gone. If you are not familiar with CVE, and you are in the IT security business, then, well, shame on you. It's a must-know sort of thing, a simple idea that has evolved into the nation's only hope for large-scale, commercial, standards-based movement and sharing of IT and security information.


But the really interesting part is not the tech-speak, it's the human stuff. CVE started at MITRE, and it really pioneered a lot of ideas and energy around consensus-building across government and industry ("public-private-partnership" in today's buzzwords). For me personally, I learned a great deal about how to get government Agencies to work together, how to find common ground with Industry, and how to leverage partnerships among buyers, policy-makers, vendors, and security wonks. From these simple ideas, we get things like the Federal Desktop Core Configurations and the Security Content Automation Protocols.


Here's what's clear to me - ten years later the entire IT security landscape is changing, and the humble beginnings of CVE at MITRE helped show the way. In the interests of full disclosure, I was a very early sponsor of CVE, a member of their Advisory Board, and an occasional chief cheerleader.


And, of course, I could not let such an event pass without a parody song, so it is included below. I performed this for the reception, and I am embarrassed to say that there's a video floating around somewhere, mistakes and all. Since I did not finish the song until the plane ride to San Francisco, Performance = Practice. So much for Information Assurance and Resilience. (I'll add chords later for the musically inclined; I think I sang it in "E".) My sincere apologies to real U2 fans. You deserve better.


Inside Jokes:

• Studies at the time (ten years ago) showed that a new flaw in a piece of software could have up to ten names, depending on where you looked (e.g., bugtraq, CERT Bulletin, Microsoft Advisory, vendor patch page, ...).

• Steve Christey of MITRE is the amazing one-man-knowledge-engine that drives CVE.



When The Flaw Has Ten Names (tune: Where The Streets Have No Name – U2)


VERSE 1:

I wanted to run, I broke down and cried

When I found out my web browser had died

My buffer explodes, my heap has been sprayed

But the flaw has no name

VERSE 2:

And so I look, I test and I scan

I run every tool, I read each bull-e-tin

But none of this helps, no two say the same

’cause this flaw has ten names, oh


CHORUS:

This flaw has ten names

Yeah, this flaw has ten names

We’re still scanning and patching up holes, my problem just grows

And I never get done, I’ll never be through

It’s all I can do


VERSE 3:

My system’s a mess, another Blue Screen for me

I can’t begin to enumerate my vulnerability

I can’t ask for help, I can’t begin to explain

If the flaw has no name

VERSE 4:

No data, just noise, there’s too much to share

No way to prioritize, no way to compare

The bugs and the flaws all look just the same

If there’s no unique name


CHORUS 2:

So we’ll give it one name

What a concept! One name!

First we’ll drown Steve Chris-tey, and he exhales CVEs

Now our tools and reports all refer to the same

Since we’ve got just one name

