Got Vulnerability? Cloud Security Alliance Wants to Identify It
Blog Article Published: 07/15/2021
I wanted to take some time to tell you about a new CSA working group in formation that I am taking a personal interest in. I am sure you have all heard the expression, “when you have a hammer, all problems look like nails.” This is very relatable to our industry, as we have to be careful that we don’t misapply our own competencies or favorite solutions to security problems that they’re not well suited for. This expression should probably be juxtaposed against another – “don’t reinvent the wheel” – to make sure we don’t create a security solution that is redundant to something that is available and working well. Navigating between these polar opposites helps us balance the value of vetted solutions against necessary innovation. This has been a part of CSA research since the beginning. Below is information about the working group. We expect to make rapid progress.
The new working group is focused on a subset of the technology vulnerability problem and is called the CSA Global Security Database Working Group. What we see is a need to figure out how to create identifiers for vulnerabilities in software, services and other IT infrastructure at a rate that is proportional to the amount of technology in existence. Dan Geer was famous for saying that the birth of the modern information security industry can be traced to the introduction of a TCP/IP stack in Windows 95. The quantity of connected computing systems has grown by several orders of magnitude since that day, and it does not appear that the number of reported vulnerabilities has kept pace. I hear many leaders talk about the need to have automation, scale and agility in cybersecurity, and I think these capabilities are not present in vulnerability identifier systems. Cloud computing has made the term “on demand” ubiquitous, and I suppose the problem statement we want to solve is: How can we assign identifiers to technology vulnerabilities “on demand” in a way that maximizes their usefulness to the industry?
The scope of this project is to identify and understand the problems around vulnerability discovery, reporting, publication, tracking, and classification. Using the same style of open source collaborative techniques that have worked to create the software ecosystem we have today, CSA is creating a community-focused working group meant to replicate this success in the vulnerability identifier problem space. The project is not limited to vulnerabilities in cloud, as we are seeing the same problems and increased attacks across all forms of IT infrastructure. The common design goal is for vulnerability identifiers to be easily discovered, fast to assign, updatable, and publicly available.
We know there are a lot of tremendous experts who have lived through the pain points we are planning to address. We encourage anyone interested in participating in this new working group to check it out here.