Got Vulnerability? Cloud Security Alliance Wants to Identify It
I wanted to take some time to tell you about a new CSA working group in formation that I am taking a personal interest in. I am sure you have all heard the expression, “when you have a hammer, all problems look like nails.” It applies to our industry as well: we have to be careful not to misapply our own competencies or favorite solutions to security problems they are not well suited for. That expression should probably be juxtaposed against another, “don’t reinvent the wheel,” so that we don’t create a security solution that is redundant with something already available and working well. Navigating between these two poles helps us balance the value of vetted solutions against necessary innovation, and it has been part of CSA research since the beginning. Below is information about the working group. We expect to make rapid progress and will have a deep dive session at our SECtember conference, Sept 13-17.
The new working group is focused on a subset of the technology vulnerability problem and is called the CSA Universal Vulnerability Identifier Working Group. What we see is a need to figure out how to create identifiers for vulnerabilities in software, services and other IT infrastructure at a rate proportionate to the amount of technology in existence. Dan Geer was famous for saying that the birth of the modern information security industry can be traced to the introduction of a TCP/IP stack in Windows 95. The quantity of connected computing systems has grown by several orders of magnitude since that day, and it does not appear that the number of reported vulnerabilities has kept pace. I hear many leaders talk about the need for automation, scale and agility in cybersecurity, and I think these capabilities are not present in today’s vulnerability identifier systems. Cloud computing has made the term “on demand” ubiquitous, and I suppose the problem statement we want to solve for is this: How can we assign identifiers to technology vulnerabilities “on demand” in a way that maximizes their usefulness to the industry?
The scope of this project is to identify and understand the problems around vulnerability discovery, reporting, publication, tracking, and classification. Using the same style of open source collaborative techniques that created the software ecosystem we have today, the CSA is forming a community-focused working group meant to replicate that success in the vulnerability identifier problem space. The project is not limited to vulnerabilities in cloud services, as we are seeing the same problems, and the same increase in attacks, across all forms of IT infrastructure. The common design goal is for vulnerability identifiers to be easily discovered, fast to assign, updatable, and publicly available.
We know there are a lot of tremendous experts who have lived through the pain points we are planning to address. We have put a temporary project website online and encourage anyone interested in participating in this new working group to check it out here:
Project website: https://universalvulnerabilityidentifier.org/
SECtember conference: https://sectember.com/