[Proposal] Global Security Vulnerability Summit
Description: Propose a two-day virtual/hybrid/in-person summit to hack at the backlog and disconnect of CVEs, misconfigurations, software/hardware/cloud/services. Recommended minimums for representation: MITRE, GitHub, GitLab, OpenSSF, CSA, Security TAG, Linux Foundation, CISA. Requested attendee potentials: Security Researchers and Defenders
Impact: There is a very large backlog of CVEs and some CVEs are lacking actionable information. CVEs also do not encompass the vast amount of vulnerabilities and issues that exist in today's modern technical environments where hardware, software, and services are invisible to end users. SBoM is doing some good in this area by providing transparency but we still have lots of gaps and room for improvement.
Scope: Bring together recommended parties to meet and discuss the existing problem space, explore both researcher and defender workflow to identify existing gaps and improvements/optimizations, ascertain useful information in remediating vulnerabilities and applying fixes, and begin exploration of a global security database that ingests various non-pay sources of vuln information.
CC: @achetal01 @lumjjb @johnyeoh
TO DO
- [X] Security TAG Leadership Representative: @lumjjb
- [X] Project leader(s): @lumjjb , @TheFoxAtWork
- [ ] Project Members:
- [ ] Fill in additional TODO items here so the project team and community can see progress!
- [x] Project Schedule: see Summit site
- [ ] Slack Channel (as needed)
- [x] Meeting Time & Day:
- [x] Meeting Notes (link)
- [x] Meeting Details (zoom or hangouts link)
- [ ] Retrospective
I think folks from my end would like to attend. This is a big problem we're running into particularly in two spots:
- How can we parse vulnerability information in an automated way to trigger automation or provide easier to understand insight, e.g. this vuln is interactive/non-interactive, uses this attack vector, etc.
- How do we apply this to the supply chain such that we can build a graph of understanding. For example, a lot of things use log4j but as a dependency and it can often be embedded really deep. Is there a good way of making this vuln information available such that someone can easily associate log4j with the record of its vulnerability? Not to get too deep, but it's an issue because depending on where you get log4j from, the hash of it could be different.
Some prior art that has proven useful to us in our own work on the topic: https://osv.dev/ -- Google open source project around a database of vulnerabilities in OpenSSF vulnerability format.
I'm going to circulate this within Gitlab to identify the most relevant people which should attend
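The association problem described in the comment above (tying a vulnerability record to a log4j dependency buried in an SBOM, where the artefact hash differs depending on where the jar came from), as an added example that is not part of the original thread or of the OSV project: the matcher keys on package identity (package URL → ecosystem, name, version) and evaluates OSV-style ECOSYSTEM version ranges, so the same log4j-core build with two different hashes is matched twice. The OSV-style record is trimmed and modelled on the published advisory for CVE-2021-44228, the SBOM components and hash strings are constructed, and the version ordering is a simplification of Maven's rules; check the live osv.dev entry before relying on the ranges.

```python
import re
from urllib.parse import unquote

# Constructed OSV-style record (trimmed to the fields used here), modelled on the
# published advisory for CVE-2021-44228; verify against the live osv.dev entry.
OSV_RECORD = {
    "id": "CVE-2021-44228",
    "summary": "Remote code injection in Log4j via JNDI lookups",
    "affected": [{
        "package": {"ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "2.0-beta9"}, {"fixed": "2.3.1"},
            {"introduced": "2.4"}, {"fixed": "2.12.2"},
            {"introduced": "2.13.0"}, {"fixed": "2.15.0"},
        ]}],
    }],
}

# Constructed SBOM component list: log4j-core 2.14.1 appears twice with different
# (made-up) hashes, as happens when the same version is pulled from two sources.
SBOM_COMPONENTS = [
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar",
     "sha256": "constructed-hash-from-maven-central"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar",
     "sha256": "constructed-hash-from-vendor-bundle"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
     "sha256": "constructed-hash-c"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "sha256": "constructed-hash-d"},
]

# purl type -> OSV ecosystem name (subset; extend as needed).
ECOSYSTEM_BY_PURL_TYPE = {"maven": "Maven", "npm": "npm", "pypi": "PyPI", "golang": "Go"}


def parse_purl(purl):
    """Split a package URL into type, namespace, name and version."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    body, _, version = body.partition("@")
    parts = [unquote(p) for p in body.strip("/").split("/")]
    return {"type": parts[0].lower(), "namespace": "/".join(parts[1:-1]),
            "name": parts[-1], "version": version or None}


def osv_package_name(p):
    """Name as OSV spells it for the ecosystem (Maven uses groupId:artifactId)."""
    if p["type"] == "maven":
        return f'{p["namespace"]}:{p["name"]}'
    return f'{p["namespace"]}/{p["name"]}' if p["namespace"] else p["name"]


_QUALIFIER = re.compile(r"^([A-Za-z]*)(\d*)$")


def version_key(v):
    """Simplified ordering: dotted numerics, with a '-qualifier' (beta9, rc1)
    sorting before the bare release of the same numbers. Not full Maven rules."""
    main, _, qualifier = v.partition("-")
    nums = [int(x) if x.isdigit() else 0 for x in main.split(".")]
    while len(nums) > 1 and nums[-1] == 0:   # treat 2.15 and 2.15.0 alike
        nums.pop()
    m = _QUALIFIER.match(qualifier)
    word, num = (m.group(1).lower(), int(m.group(2) or 0)) if m else (qualifier, 0)
    return (tuple(nums), 0 if qualifier else 1, word, num)


def is_affected(version, ranges):
    """Evaluate OSV ECOSYSTEM/SEMVER event lists: introduced <= v < fixed, or
    introduced <= v <= last_affected; an unclosed 'introduced' affects all later."""
    key = version_key(version)
    for r in ranges:
        if r.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue   # GIT ranges need commit ancestry, not version ordering
        lower = None
        for ev in r["events"]:
            if "introduced" in ev:
                lower = version_key(ev["introduced"])
            elif "fixed" in ev:
                if lower is not None and lower <= key < version_key(ev["fixed"]):
                    return True
                lower = None
            elif "last_affected" in ev:
                if lower is not None and lower <= key <= version_key(ev["last_affected"]):
                    return True
                lower = None
        if lower is not None and lower <= key:
            return True
    return False


def match_sbom(osv, components):
    """Associate a vulnerability record with SBOM components by package identity."""
    findings = []
    for comp in components:
        p = parse_purl(comp["purl"])
        eco = ECOSYSTEM_BY_PURL_TYPE.get(p["type"])
        for aff in osv["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"] != eco or pkg["name"] != osv_package_name(p):
                continue
            if p["version"] and is_affected(p["version"], aff.get("ranges", [])):
                findings.append({"vuln": osv["id"], "purl": comp["purl"],
                                 "version": p["version"], "sha256": comp["sha256"]})
    return findings


if __name__ == "__main__":
    for f in match_sbom(OSV_RECORD, SBOM_COMPONENTS):
        print(f"{f['vuln']}: {f['purl']} (sha256 {f['sha256']})")
```

Keying on the purl rather than the hash is what makes both copies of log4j-core 2.14.1 surface; hash-based lookup would need a separate record for every rebuild of the same release. Keep the hash in the finding anyway, since it is what you will use to locate the exact artefact when remediating.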
@oliverchang @inferno-chromium FYI...
Would love to attend from the Google Open Source Security team side (and OSV project in general, + @oliverchang)
Isaac from the GitLab Vulnerability Research Team here (handling CNA work), we would definitely be interested in attending this.
CSA checking in, we'll definitely be attending.
A good example of this problem and the kind of data we need is https://github.com/cloudsecurityalliance/gsd-database/blob/main/2021/1002xxx/GSD-2021-1002352.json aka cve-2021-44228 The GSD (GlobalSecurityDatabase) is our attempt to solve part of this problem (the security identifier/discoverability/publishing issue). As you can see from the GSD entry, Twitter is by far the best source for real time vuln data now (detections, fixes, workarounds, etc.). Tons of community work on this CVE is flying around, but none of it is mentioned in the CVE, and likely never will be. I'd like to have more structured data around workarounds/detection/exploitation (especially of services).
I think one major aspect is the ability to update information quickly, and update it in the format(s) needed by various organizations. To that end, GSD supports namespacing and multiple formats within our data (you want to use OSV? CVE? CSAF? custom JSON? XML? Sure, that's fine by us.).
As part of the VMware Secure Supply Chain Team, I'd love to attend and I am sure some of my teammates would join too.
Goals:
- Explore how to improve the SBOMs to help during the remediation.
- Develop certain tools to validate or provide more insights about the reports and the vulnerabilities.
- Understand the impact of using VEX (https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf).
- How to react when affected by vulnerabilities on running environments at a large scale
I would like to attend.
Wanted to provide everyone with a quick update. We will be pulling together a group to work through logistics and planning around the middle of January to get this going. If there are specific goals and asks you want to get out of this please be sure you have them in your comment so they can be discussed as part of the planning for this event.
I'm interested in attending.
I would be interested in attending.
I am interested in attending. Great work! Thank you.
A great idea - we would be interested in attending.
Interested in this, great idea; also an actionable and standardized way for vuln DB and exploitation.
I would be interested in attending.
Hey, great idea. The GitHub Security Lab is definitely interested! We are in charge of
- GitHub AdvisoryDB curation and CNA
- Security research
And our Incident Response team is also interested.
I will also circulate this within OpenSSF
Reference: https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/prose/csaf-v2-editor-draft.md per @fkautz as possible discussion point during this.
@TheFoxAtWork: I'm happy to help here; just let me know what you need from me.
Since not everyone may be aware of what VEX is, I wrote about "Profile 5: VEX" at https://zt.dev/posts/what-is-vex/
There are also some efforts at NTIA and CISA on SBOMs, which include VEX in scope:
- https://ntia.gov/sbom (I believe future work is transitioning to CISA)
- https://cisa.gov/sbom
- One-Page Summary from NTIA: https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf
- Healthcare PoC outlined at https://www.ntia.gov/files/ntia/publications/healthcare_sbom_proof_of_concept_-_phase_ii_summary.pdf
I am happy to discuss or facilitate these topics or how SBOMs and VEX integrate into a Zero Trust environment.
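What VEX adds on top of SBOM vulnerability matching (the "understand the impact of using VEX" goal listed earlier and the VEX links in the comment above), as an added example that is not part of the original thread or of any NTIA, CISA or OpenVEX tooling: a scanner has flagged the same log4j-core finding in four products, and VEX statements from the supplier decide which findings stay open. Field names follow the OpenVEX statement shape (vulnerability, products, subcomponents, status, justification, impact_statement, action_statement, timestamp); the product identifiers, findings and statements are constructed. Two rules are applied: a not_affected statement must carry a justification or impact statement, otherwise it is rejected and the finding stays open; and when several valid statements cover the same product and vulnerability, the later timestamp wins.

```python
from datetime import datetime

VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}
VALID_JUSTIFICATION = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed scanner output: one log4j-core finding in four made-up products.
COMPONENT = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
FINDINGS = [
    {"product": f"pkg:generic/{app}@1.0", "component": COMPONENT, "vuln": "CVE-2021-44228"}
    for app in ("app-a", "app-b", "app-c", "app-d")
]

# Constructed VEX document; field names follow OpenVEX, the content is made up.
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "author": "constructed example",
    "statements": [
        {"timestamp": "2021-12-11T10:00:00+00:00",
         "vulnerability": {"name": "CVE-2021-44228"},
         "products": [{"@id": "pkg:generic/app-a@1.0",
                       "subcomponents": [{"@id": COMPONENT}]}],
         "status": "affected",
         "action_statement": "Upgrade log4j-core to a fixed release"},
        {"timestamp": "2021-12-11T10:00:00+00:00",
         "vulnerability": {"name": "CVE-2021-44228"},
         "products": [{"@id": "pkg:generic/app-b@1.0"}],
         "status": "not_affected",
         "justification": "component_not_present",
         "impact_statement": "Scanner matched a test-only jar that is not in the shipped image"},
        {"timestamp": "2021-12-11T10:00:00+00:00",
         "vulnerability": {"name": "CVE-2021-44228"},
         "products": [{"@id": "pkg:generic/app-c@1.0"}],
         "status": "under_investigation"},
        {"timestamp": "2021-12-12T09:00:00+00:00",   # later: supersedes the one above
         "vulnerability": {"name": "CVE-2021-44228"},
         "products": [{"@id": "pkg:generic/app-c@1.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"timestamp": "2021-12-11T10:00:00+00:00",
         "vulnerability": {"name": "CVE-2021-44228"},
         "products": [{"@id": "pkg:generic/app-d@1.0"}],
         "status": "not_affected"},   # no justification: rejected, finding stays open
    ],
}


def statement_is_valid(st):
    """Reject unknown statuses and not_affected claims with no justification."""
    if st.get("status") not in VALID_STATUS:
        return False
    if st["status"] == "not_affected":
        return st.get("justification") in VALID_JUSTIFICATION or bool(st.get("impact_statement"))
    return True


def statement_covers(st, finding):
    """A statement applies if the vulnerability and product match and, when the
    statement names subcomponents, the finding's component is one of them."""
    if st["vulnerability"]["name"] != finding["vuln"]:
        return False
    for prod in st.get("products", []):
        if prod["@id"] != finding["product"]:
            continue
        subs = [s["@id"] for s in prod.get("subcomponents", [])]
        if not subs or finding["component"] in subs:
            return True
    return False


def apply_vex(findings, vex):
    """Annotate scanner findings with the latest valid VEX status that covers them."""
    statements = sorted((s for s in vex["statements"] if statement_is_valid(s)),
                        key=lambda s: datetime.fromisoformat(s["timestamp"]))
    results = []
    for f in findings:
        status, reason = "no_vex_statement", None
        for st in statements:   # ascending timestamp, so later statements override
            if statement_covers(st, f):
                status = st["status"]
                reason = st.get("justification") or st.get("action_statement") or st.get("impact_statement")
        results.append({**f, "status": status, "reason": reason,
                        "open": status not in ("not_affected", "fixed")})
    return results


if __name__ == "__main__":
    for r in apply_vex(FINDINGS, VEX_DOC):
        print(f"{r['product']}: {r['status']} ({r['reason']}) open={r['open']}")
```

Only app-b and app-c are closed; app-a is confirmed affected with an action, and app-d stays open because its not_affected statement gave no reason. Findings with no statement at all are deliberately left open rather than silently treated as fine.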
I would like to be kept in the loop on this / would like to attend.
Hi, Fatih, from IBM T.J. Watson Research Center. I am interested in attending this.
Hi, this is Yu from IBM T.J. Watson Research Center. I am interested in attending this.
Sounds very interesting. I am interested to attend this event.
I am also interested in this.
I am interested in this as well
Interested and will attend.
Another post about this problem space: https://blog.wiz.io/security-industry-call-to-action-we-need-a-cloud-vulnerability-database/
Folks - wanted to provide a quick update here. Over the next two weeks we are giving everyone time to catch up after the holiday break. After which Jan 24th @lumjjb is going to begin running point. Some initial first steps already discussed:
- Identify additional co-chairs for this project
- Identify program committee members (some of these are already selected due to their area of responsibility for the topic at hand)
- Coordinate an official event sponsor to assist in the logistics for the virtual event.
- Plan solicitation of proposals, discussion, panels, etc.
- Define non-conflicting dates for CFP and event (cannot be the week before, of, or after KCCN EU)
I am interested in attending. What is the proper way to make sure I don't miss it? Will following this issue be sufficient?
If you are interested in this #835 summit, then you may also be interested in CISA #SBOM Cloud and online applications work-stream: https://www.linkedin.com/posts/allanafriedman_sbom-activity-6886338388639653888-TAXw