[ISN] NIST creates forum to comment on software vulnerabilities

From: InfoSec News (alerts@private)
Date: Mon Sep 11 2006 - 01:23:24 PDT


http://www.gcn.com/online/vol1_no1/41907-1.html

By William Jackson
GCN Staff
09/07/06

The National Institute of Standards and Technology today launched a 
service within its National Vulnerability Database that will allow 
vendors to discuss the impact of vulnerabilities on their products.

"The service is designed to be a public forum for vendors to comment on 
the vulnerabilities, and to have those comments embedded in databases 
and discussions," said NVD program manager Peter Mell.

The National Vulnerability Database is an outgrowth of the Common 
Vulnerabilities and Exposures dictionary, developed and maintained by 
Mitre Corp., which establishes a standard naming scheme for software 
vulnerabilities. NIST established NVD as a central source for 
information on vulnerabilities, using the CVE. The database, at 
http://nvd.nist.gov, receives 25 million hits a year and an Extensible 
Markup Language feed updates the information for subscribers every two 
hours.

The database contains information from researchers about vulnerabilities 
they have found, but typically not from vendors who develop and sell the 
software products that might be affected.

"There hasn't been a public forum for software vendors where they can 
say, here's some more information," Mell said.

The impetus for the program came from Mark J. Cox, security response 
director for Red Hat Inc. of Raleigh, N.C., which sells open-source 
software including Red Hat Linux and SELinux.

"We've been putting a lot of security into Red Hat and SELinux, and 
often the reported vulnerabilities to not appear in our software," Cox 
said. But there had been no good way to disseminate that information 
except through its own announcements.

"He came to me and said, 'We need this kind of service; can you provide 
it?'" Mell said. And it turned out NIST could. "It technically was very 
easy."

NIST provides a Web portal for vendors with accounts that lets them post 
official statements about vulnerabilities. These can include information 
on what versions and products are affected or not affected, guidance on 
configuration and remediation, analysis, explanations and disputes. The 
statements appear on the same page as the vulnerability being described.

NIST verifies designated vendor officials who receive the accounts on 
the service and authenticates users accessing the service to make posts.

The service went through an eight-week pilot with Red Hat as the first 
company posting comments. Since then, Mandriva of San Diego, another 
Linux developer, also has set up an account and begun posting comments. 
The service now is live.

"It's my hope that the industry at large will want to participate,"  
Mell said.

Cox said Red Hat will evangelize the service, which he expects will be 
particularly helpful to the open-source community.

"This is really useful for software that is shipped by multiple 
vendors," he said. "But the service is going to be open for everyone."


_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Mon Sep 11 2006 - 01:36:59 PDT