Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Model for Exchanging Vulnerability Information draft-booth-sacm-vuln-model-01 David Waltermire.

Published byDennis Rogers Modified over 9 years ago

Similar presentations

Presentation on theme: "A Model for Exchanging Vulnerability Information draft-booth-sacm-vuln-model-01 David Waltermire."— Presentation transcript:

1 A Model for Exchanging Vulnerability Information draft-booth-sacm-vuln-model-01 http://datatracker.ietf.org/doc/draft-booth-sacm-vuln-model/ David Waltermire (david.waltermire@nist.gov) Presenting for: Harold Booth (harold.booth@nist.gov)

2 What is it? An XML-based data format that enables the exchange of structured information related to vulnerabilities A revision to the current Vulnerability Data Model v2.0 used by the National Vulnerability Database – Feeds downloaded by academia, security tool vendors, industry and other vulnerability databases

3 What information does it capture? Community and proprietary vulnerability identifiers (e.g. Common Vulnerability and Exposures (CVE), vendors ids, vulnerability database identifiers) – Captures relationships within the same identification system (e.g. supersession, deprecation) – Identifies aliases between different identification systems Uses the Common Platform Enumeration (CPE) to relate vulnerable product configurations – Application – Operating system – Application running on operating system Plugs-in Common Vulnerability Scoring System (CVSS) v2 scoring information – Allows other scoring systems to be used Relates a vulnerability to references: – Vulnerability advisories, alerts and bulletins describing the vulnerability in greater detail – Patch and work-around information – Assessment methods

4 How does it relate to the IETF? Security Automation and Continuous Monitoring (SACM) Use Case 1: System State Assessment (draft-waltermire- sacm-use-cases-02) Vulnerability Management Use Case (4.1.2.2) – Enumerates technical assessment methods Assessment Result Analysis (4.1.3) – Provides vulnerability scores enabling comparison/weighting of assessment results – Supports Risk-based decision making Content management (4.1.4) – Captures scoring models and vulnerability information – References additional vulnerability and patch information

5 How does it relate to the IETF? (Cont’d) Security Automation and Continuous Monitoring (SACM) Use Case 3: Security Control Verification and Monitoring (draft-waltermire-sacm-use-cases-02) Tasking and Scheduling (4.3.1) – Selection of assessment criteria – Defining in-scope assets (i.e. targeting) Data Aggregation and Reporting (4.3.2) – Enables correlation by vulnerability identifiers and other vulnerability attributes (e.g.. scores, product)

6 How does it relate to the IETF? (Cont’d) Managed Incident Lightweight Exchange (MILE WG) IODEF-extension to support structured cybersecurity information (draft-ietf-mile-sci-05) Section 4.3.3: Vulnerability – Enables inclusion of information for (candidate) vulnerabilities related to incidents or events – Possible candidate for inclusion in the IANA registry (Appendix II)

7 Possible work / How you can help? Greater consensus on use cases for vulnerability format – Collaboration/integration with other related efforts (e.g. Common Vulnerability Reporting Format (CVRF)) – Update model to reflect growing consensus Develop an IANA registry for pluggable components – Allow for additional product identification schemes (e.g. ISO/IEC 19770-2 Software ID Tags) – Support multiple scoring metrics/methods (e.g. CVSSv3) – Extensible reference types Should it be extended to hold patch information? – Product/version applicability – Patch location information – How to install (i.e. exact command-line or execution instructions) JSON vs. XML

Download ppt "A Model for Exchanging Vulnerability Information draft-booth-sacm-vuln-model-01 David Waltermire."

Similar presentations

ID-06 Building a User-Driven GEOSS Essential Components of User Management for GEO Tasks.

ID-06 Building a User-Driven GEOSS Essential Components of User Management for GEO Tasks.
Cyber Defence Data Exchange and Collaboration Infrastructure (CDXI)

Cyber Defence Data Exchange and Collaboration Infrastructure (CDXI)
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.

Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
MODELING THE TESTING PROCESS Formal Testing (1.0) Requirements Software Design Risk Data Approved, Debugged, Eng. Tested Code Automated Test Tools Tested.

MODELING THE TESTING PROCESS Formal Testing (1.0) Requirements Software Design Risk Data Approved, Debugged, Eng. Tested Code Automated Test Tools Tested.
Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office.

Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office.
PowerPoint Presentation by Charlie Cook Copyright © 2004 South-Western. All rights reserved. Chapter 14 The Business Reporting (BR) Process.

PowerPoint Presentation by Charlie Cook Copyright © 2004 South-Western. All rights reserved. Chapter 14 The Business Reporting (BR) Process.
Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA www.gilligangroupinc.com March 10, 2009.

Cyber Security: Past and Future John M. Gilligan CERT’s 20 th Anniversary Technical Symposium Pittsburgh, PA March 10, 2009.
SACM Terminology Nancy Cam-Winget, David Waltermire, March.

SACM Terminology Nancy Cam-Winget, David Waltermire, March.
SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC 11.13.2009 Ed Bellis VP, CISO Orbitz Worldwide

SCAP: Automating Our Way Out Of The Vulnerability Wheel Of Pain AppSec DC Ed Bellis VP, CISO Orbitz Worldwide
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
INCH Requirements IETF Interim meeting, Uppsala, Feb.2003.

INCH Requirements IETF Interim meeting, Uppsala, Feb.2003.
Software Configuration Management (SCM)

Software Configuration Management (SCM)
SECURITY SIG IN MTS 28 TH JANUARY 2015 PROGRESS REPORT Fraunhofer FOKUS.

SECURITY SIG IN MTS 28 TH JANUARY 2015 PROGRESS REPORT Fraunhofer FOKUS.
Business Intelligence Dr. Mahdi Esmaeili 1. Technical Infrastructure Evaluation Hardware Network Middleware Database Management Systems Tools and Standards.

Business Intelligence Dr. Mahdi Esmaeili 1. Technical Infrastructure Evaluation Hardware Network Middleware Database Management Systems Tools and Standards.
Vulnerability Assessments

Vulnerability Assessments
Configuration Management

Configuration Management
Software testing standards ISO/IEC and 33063

Software testing standards ISO/IEC and 33063
1 Introducing Reportnet Miruna Badescu. 2 A linear view of Reportnet process.

1 Introducing Reportnet Miruna Badescu. 2 A linear view of Reportnet process.
Talend 5.4 Architecture Adam Pemble Talend Professional Services.

Talend 5.4 Architecture Adam Pemble Talend Professional Services.
The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann.

The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann.

Similar presentations

Ads by Google