Word Notes 8.31.21
Ep 65 | 8.31.21

common vulnerabilities and exposures (CVE) (noun)


Rick Howard: The word is: common vulnerabilities and exposures list. 

Rick Howard: Spelled: C for common, V for vulnerabilities, and E for exposures. 

Rick Howard: Definition: A public list sponsored by the US government and designed to uniquely identify, without the need to manually cross- reference, all the known software vulnerabilities in the world. 

Rick Howard: Example sentence: The very first CVE list, published in 1999, contained 321 vulnerabilities, chosen after careful deliberation and consideration of duplicates. 

Rick Howard: Origin and context: Hold onto your butts, typical for any government or pseudo-government organization like MITRE, there are more acronyms involved in this story then you can throw a stick at. 

Rick Howard: Let's start with CVE. MITRE's David Mann and Steven Christey wrote the original white paper in January, 1999, entitled "Towards a Common Enumeration of Vulnerabilities." 

Rick Howard: According to the Tripwire website in 2020, back then, every software vendor had their own way of tracking vulnerabilities and their own products. Security professionals had no way to know if vendor A's vulnerability was the same as vendor B's or if they were two separate issues, because there was no common language. In the paper, Mann and Christey proposed creating a unified vulnerability and exposure reference list that the entire community could use. The idea quickly gained traction. 

Rick Howard: By 2002, the CVE list contained over 2,000 software vulnerabilities and the National Institute of Standards and Technology, or NIST, recommended that the US government only use software that you CVE identifiers.  

Rick Howard: Somewhere between then and now, the Cybersecurity and Infrastructure Agency, or CISA, within the Department of Homeland Security, DHS, became the official sponsor of the program, but CISA, doesn't manage the program day-to-day. That is done by a cadre of international volunteers that form CVE Numbering Authorities, or CNAs, and are authorized to assign CVE IDs, to vulnerabilities affecting products within their scope and can include submissions from researchers, vulnerability disclosers, and information technology vendors.  

Rick Howard: By 2005, CISA also built the National Vulnerability Database, or NVD, designed to enrich the CVE list with the risk and impact scoring using the Common Vulnerability Scoring System, or CVSS, and provided other references like patch information, affected products, and Security Content Automation Protocol mappings, or SCAP. A SCAP scanner compares a target computer or applications configuration and/or patch level against the SCAP content baselines.  

Rick Howard: Both CISA and NIST sponsor the NVD. And I think at the end of this, with all the acronyms in this story, we came pretty close to covering all the letters in the English alphabet.  

Rick Howard: Nerd Reference: In the debut podcast of “We Speak CVE,” in January 2021, Tod Beardsley of Rapid7, Tom Millar of CISA, Chris Levendis of the CVE Program, and Dave Waltermire of NIST’s NVD discussed how their organizations and the community all work together to advance the CVE Program's mission to identify, define, and catalog publicly disclosed, cybersecurity vulnerabilities. Here's Chris explaining the origin of the CVE list.  

Chris Levendis: The program mission for CVE is to identify and define publicly disclosed vulnerabilities. And so why is that? It used to be the case, and in fact, in some cases still is the case, that you'd get two or more people talking about a cybersecurity vulnerability or two or two or more tools articulating scanning results, for example, from a network. And there was no way to know without doing a lot of manual work whether or not you were talking about the same vulnerability or different vulnerabilities. Back in 1999, MITRE operationally was struggling with this problem and they invented the concept of CVE. And the government liked that idea and asked us if we would be willing to share that with the world. And, the program just took off from there.  

Chris Levendis: Back then we were producing maybe a hundred and fifty two hundred, three hundred vulnerabilities a year. And now we're getting closer to the 18 to 20,000 mark. And not that number will continue to grow because cyber security vulnerabilities are proliferating.  

Rick Howard: Word Notes is written by Nyla Gennaoui. Executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by their ridiculously talented Elliott Peltzman. Thanks for listening.