Mitre Takes On Critics, Set To Revamp CVE Vulnerability Reporting

Mitre Corporation will introduce a pilot program for assigning CVE identifiers in response to critics who contend the organization is failing to keep pace with a massive influx of CVE number requests.

Mitre Corporation will introduce a new pilot program for assigning Common Vulnerabilities and Exposures (CVE) identifiers in the coming weeks. The move is a response to a backlash in the security community, where some critics contend Mitre is failing to keep pace with a massive influx of vulnerability reports submitted to the organization.

The pilot program, called the Federated CVE-ID Assignment Process, enlists an unspecified number of Mitre partners. Mitre says its editorial board, which includes Cisco, Microsoft, Red Hat and Oracle, will determine how many federated groups take part in the pilot. Under the program Mitre gives up central control over receiving vulnerability reports, vetting them and assigning them CVE numbers. Instead, Mitre shares CVE assignment duties with the federated partners and acts as the administrator of the program.

“We are working with a number of partners to federate that assignment process to better scale the CVE capabilities to meet the needs of the community,” said Chris Levendis, standards and technology project lead at Mitre.

Mitre has faced increased scrutiny over the way it handles software flaws reported to the organization and the time it takes to vet them and assign CVE numbers. Critics have blasted Mitre, the US government-funded CVE handler, claiming that many vulnerabilities never receive a CVE identifier, leaving companies that rely on CVE data exposed to flaws the data does not cover.

Chris Folk, director of the National Protection and Resilience Division at Mitre, said the criticism has not fallen on deaf ears.

“We hear the critics loud and clear and we have been listening the whole time. We are working extremely hard to scale the capabilities of the CVE and we are very excited about the federated system we are rolling out in the coming weeks.”

The pilot Federated CVE-ID Assignment Process will allow partners to assign CVE numbers to vulnerabilities themselves. CVE numbers assigned under the pilot would carry a special designation identifying them as part of the test program. Folk said that if all goes well the federated system would become official.

“What we are trying to do is encourage broader responsibility across the industry,” Folk said. “We are doing this in such a way the program will have the same level of integrity that the CVE has always had and built a reputation around.”

Industry experts estimate that about 90 percent of companies rely exclusively on CVE data to identify vulnerabilities. CVE is considered the most mature, scalable, consistent, reliable and standardized way of identifying security flaws and alerting the industry to them.

For its part, Mitre says it is working hard to keep pace with a doubling in the number of vulnerability reports it received over the past year. According to Mitre, the organization received 20,000 vulnerability reports in 2015 compared to just under 10,000 in 2014.

Mitre attributes the uptick in the number of reported vulnerabilities to the overall increased reliance by the IT industry on software. “The threat landscape has been expanding exponentially over the past few years thanks to the proliferation of more devices and systems coming online,” Levendis said.

Internet of Things devices such as smart thermostats and connected cars, the boom in business-critical mobile devices and the proliferation of back-end corporate IT systems such as software-defined networking and storage are generating a large number of new vulnerability reports.

“Add the fact that companies are more vigilant than ever about reporting security flaws and what you have is a system that needs to be overhauled,” Folk said. The CVE system, he said, was originally designed 16 years ago to handle under 1,000 vulnerabilities a year. “This year the number of reported vulnerabilities is already on pace to eclipse 2015,” he added.

“Today’s industry reporting status quo isn’t good enough and can’t keep pace with the uptick in vulnerabilities we are seeing,” said Jake Kouns, chief information security officer for Risk Based Security. “The U.S. National Vulnerability Database and CVE lists don’t reflect the full spectrum of risks,” Kouns said.

Risk Based Security is one of many private companies that maintain their own vulnerability databases. Kouns said there is a widening gulf between the number of vulnerabilities found by companies like his and the number Mitre is able to assign CVE identifiers to. That gap has pushed some to create alternative numbering systems.

One alternative system recently launched is the Distributed Weakness Filing (DWF) System, which, according to its organizers, was created to help address a huge backlog of software flaws that have gone without identifiers.

Others within the private sector, such as financial institutions and the defense industry, have specialized Information Sharing and Analysis Center (ISAC) groups for tracking the latest threats. Kouns himself oversees the Open Source Vulnerability Database (OSVDB), another third-party vulnerability database.

Folk said that Mitre, as a not-for-profit organization, fills a unique role in managing CVE.

“We are able to serve as an objective third-party between the private sector and government in assigning CVEs to software,” Folk said. He added that Mitre plays an important role in protecting potentially sensitive information given to the organization by researchers and vendors until the vulnerability has been verified and publicly disclosed.

“This federated system is an attempt to not just meet the challenges of today, but it’s a way of meeting the challenges of tomorrow,” Folk said. “The board is in agreement. We see a problem that is looming and we have to protect our critical systems and we can only do it as a community of willing participants,” he said.
