Bye bye CVE?

Some of the best security solutions come from people who have a passion for security and want to make the Internet a better and safer place. We started SecuriTeam as a place for people like us, who want to read security information that was collected, processed and edited. The OSVDB team wanted to answer the need for a standard, open catalog of information. Nmap, nessus, snort and many, many other useful tools and projects were all passions that turned into something millions of security professionals use regularly.

And then there’s the money. Most of these projects need money to keep on going. The people behind them need to pay the bills. Sometimes just a little ad or sponsorship is enough, and other times the writers want to be compensated for their hard work and make a living (or get rich) from the project they gave so much time and energy to.
This is where the lines get blurry: Fyodor insists on keeping nmap open source and non-commercial. Tenable closed nessus in a very controversial move and SourceFire is able to carefully do the open-source/commercial tango with snort. In Beyond Security, we have a constant struggle on how to keep the commercial products and the community services separate, but in synergy. I don’t even know if we’re doing it right (but god knows we’re trying).

But other times the line isn’t blurry at all. Like watching a train wreck in slow motion, we are regularly seeing how a good project morphs into a twisted corporate disaster. PCI-DSS is probably the best example.
PCI-DSS started with the good idea of forcing web sites to check themselves for security holes on a regular basis, a notion initiated by the credit card companies in an honest attempt to improve the security of web sites (since they had the most to lose; credit card fraud hurts the issuer no matter who ultimately pays for it). But this good idea went bad, and then worse, as PCI-DSS went completely commercial: on one hand the organization wanted as many vendors as possible to sign up for its PCI-DSS certification services so that they could make their money, and on the other hand the web site operators were paying money to get the PCI certification without really caring what that meant, as long as someone was willing to give it to them for some dough. Russ has a good writeup on where PCI-DSS is going. I agree with everything he’s saying.

And now there’s CVE – one of my favorite projects of all time. I know the project well, and we even got the “CVE Certification” a while back. True, not something that will help you get laid, but on the other hand getting the certification was one of the most pleasant experiences we had in that area. Nobody likes to be judged and thus nobody likes to be ‘certified’ by others – but the CVE certification process really wasn’t about ‘judging’ us. At least that’s not what it felt like.

This morning I asked the guys in Beyond Security who were involved in the certification process what made the good feeling that remained. Their answer was that people we talked to at Mitre weren’t sales people (CVE certification is free, they don’t even charge for the picture frames) but rather technical people from the CVE team that actually wanted CVE to be “good”. Talking to someone who both has a clue and cares enough to show it is the difference between Mastercard’s SDP and the new PCI-DSS.

So why am I worried about CVE, which is still alive, kicking and putting some sanity into the dozens of weekly security hole announcements? Because just last week we got this:

Date: Wed, 7 May 2008 10:40:49
Cc: “Doe, Jane”
Subject: CVE

SAIC received confirmation from NIST that SCAP CVE and OVAL testing will be operational by the end of May 2008. By the end of this week, NIST will issue the updated requirements document that will add more requirements for CVE testing.

When SCAP first went operational CVE and OVAL were deferred because the test requirements in those areas were not complete. Historically, MITRE conducted CVE testing. CVE testing has now transitioned over to SCAP laboratories.

If you desire further SCAP information or about CVE and OVAL testing, or a cost proposal, please contact me.

John Doe,
SAIC AT&E Laboratories Communications Director

I’ve got to admit I had to read it a few times just to understand what they actually want (although I’m still not sure). Let me make a few wild speculations:

1. NIST will release an updated requirements document to make sure all existing CVE-certified products are no longer certified. This will not be exactly clear from the new requirements, so they will change the name to MVP just to make sure.

2. The new CVE will be a set of requirements incomprehensible to anyone without a law degree, and will make the PCI requirements document look like a children’s book.

3. SAIC will suddenly realize they are not a not-for-profit organization and charge $10,000 for a CVE certification and a $7,500 renewal fee to cover the cost of the “SCAP” lab.

4. CVE certification will be open to everybody: consultants will hurry to get “CVE certified” and, while nobody will really know what that means, as soon as the check clears the certification plaque will be FedEx’d to them. LinkedIn recruitment messages will read “need CVE expert to help pass a CVE certification test”.

5. John Doe from the email will call, mail and snail-mail to sign us up at “special terms” and “before the cost goes up”.

6. Sponsorships to the annual CVE conference in San Francisco will sell like hotcakes. The MITRE team will not be invited, but the Director of Lab Services at SAIC will be the keynote speaker.

Of course, I’m probably wrong. Too much fiber for breakfast and not enough red meat for lunch makes me cranky and negative.
Here’s the more likely scenario: CVE certification will remain free and open, and the SAIC guys doing the testing will be excellent security professionals who are regular bugtraq contributors. The PCI council will release the re-re-reclarification of section 6.6 of PCI 1.1, and that re-re-reclarification will be a one-liner with no references to other requirements. The ozone layer will heal and electric cars will roam the streets. Real soon now.

  • Repeating Story

    This has been happening since the dawn of the Internet:
    1) Great idea
    2) Build up a community
    3) Author starts thinking he is getting used – people offer him help so that he will feel less “abused” – people offer him jobs, money, etc.
    4) Author rejects these as he believes this is their way of making more money from him by “silencing him”
    5) Author closes down project – i.e. commercializes it
    6) Project loses steam and community – usually also credibility
    7) Repeat 1

  • SAIC AT&E Laboratories Communications Director

    Speculation is fun, but to be taken seriously you should actually know what you are talking about. Of course, you are wrong. Everyone knows too much fiber for breakfast and not enough red meat for lunch makes one cranky. SAIC’s email is based on a NIST SCAP announcement and was passed on (for information purposes only) to organizations that had claimed CVE capability at RSA 2008.

    Further, all products that have received MITRE CVE and OVAL testing will be grandfathered into the SCAP program for one year, and will be listed on the SCAP website as having been CVE and OVAL tested. However, their posting will go away at their annual anniversary if they have not received direct CVE and OVAL testing from an accredited SCAP program commercial laboratory.

    The ad hoc MITRE CVE and OVAL program was no cost. However, SCAP laboratory CVE and OVAL testing is not. That is because SCAP CVE and OVAL tests are written to be repeatable and consistent tests for all vendors.

    If you want the truth, please feel free to contact me.