On this week’s episode of Security Nation, we had the pleasure of speaking with Katie Trimble of the Department of Homeland Security and Chris Coffin from MITRE. Katie is the deputy branch chief of the Vulnerability Management Coordination Disclosures Branch within the Cyber and Infrastructure Security Agency (CISA)—say that five times fast!—and Chris is the senior analyst on the CVE team at MITRE Corporation, a not-for-profit organization that runs federally funded research and development centers (FFRDCs).

Our podcast highlights guests who have taken on a challenge that has advanced security in some way, and Katie and Chris’s work with the CVE Project is a perfect example of this. You can listen to the full episode here, or read our recap below!

Vulnerabilities, CVEs, and NIST: Katie’s portfolio

As Katie explained in the podcast, she is responsible for the coordination of vulnerability disclosures within the department. She manages four portfolios, one of which is the Common Vulnerabilities and Exposures program operated by MITRE. She sits on the CVE Board of Directors and is the government sponsor of that program. She also sponsors the NIST National Vulnerability Database (NVD) program, as well as the Carnegie Mellon Software Engineering Institute CERT Coordination Center. To say she keeps busy is an understatement!

Katie joined CISA in October 2017 to centralize all of its disparate portfolios. At the time, the organization had one person out in Idaho managing ICS, another in her office doing CVE work, and so on. Katie is now an advocate for the sponsor for the CVE program at the organization.

CVE management at MITRE: Chris’s key role

MITRE has many programs in multiple industries, one of which is cybersecurity. Chris’s primary responsibility at MITRE is working on the CVE program itself, meaning when a CVE numbering authority submits new CVEs or is ready to make them public, he helps them get on the list to keep it up-to-date.

When he’s not busy with lists of CVEs, he acts as a moderator for the CVE board and is a co-chair to a number of CVE working groups. Essentially, anyone who has worked with MITRE’s CVE program has likely worked with Chris before, whether directly or indirectly.

What are Common Vulnerabilities and Exposures (CVEs)?

Before we get too far in, let’s clarify what a CVE is. As Katie explained in the podcast, a CVE is a unique identifier of a vulnerability that provides security professionals with a common language so we all know we’re talking about the same thing. A CVE is not a severity level or a patch. Both for-profit and not-for-profit organizations use CVEs, including Rapid7. Tod pointed out that this year, there are over 10,000 CVEs (twice as many as the 5,000 that were discovered in 2017), and Katie predicted that by the end of the year, we’ll hit 20,000.

CVE Numbering Authorities (CNAs)

In the podcast, we asked Chris about the process of becoming a CVE Numbering Authority (CNA). He explained that it allows a vendor or maintainer of software to be more involved in the process of vulnerability disclosure and the handling of the CVE. When researchers find an issue in a vendor product, they will typically come to MITRE as the root CNA. MITRE doesn’t handle coordinating with the vendor, as they have thousands of CVEs to deal with, but they are there to identify and populate the CVE list with public security vulnerabilities so the list is always accurate and updated.

At this point, the vendor can become a CNA if they choose. This means that when a researcher finds a vulnerability within the vendor’s product, MITRE can tell the researcher to go to that vendor to take care of it. CNAs describe the vulnerability, which is important because they are the ones who know the most about it. This in turn makes the CVE list and IDs more useful.

There are currently only 102 CNAs, despite the program being 20 years old. While CNAs have always existed within the program, they couldn’t actually populate their own entries until 2016. All of that had to go through an approval process with the MITRE board. That was fine back in 1999 when there were only a few hundred vulnerabilities reported per year, but these days, vulnerabilities are being found at an unbelievable scale, which meant the organization had to undergo a very significant change.

Katie explained that the CVE program evolved from a hub-and-spoke governance system to a federated, crowdsourced model. This allowed independent, trusted entities (the CNAs) to contribute to the program by publishing their own CVEs, which has created a fully scalable program.

No, the CVE Fairy does not exist

There’s this idea that CVEs come from the ether and just exist from what Katie describes as the “CVE Fairy.” Part of Katie’s job is promoting the CVE program and talking about where CVEs actually come from. In the podcast, she explains just how much work goes into developing, populating, and publishing CVEs for the good of the community. Without CVEs, we can’t have a conversation about vulnerabilities, and scanning and automation software can’t function to help organizations get an idea of their risk profile. Though Katie thinks she and her team have done a great job of bringing this topic to light, she does say they still have a ways to go.

Advice for starting a new public security project

As we wrapped up this week’s podcast, we asked Katie and Chris what advice they had for someone interested in starting a new program similar to theirs. Katie’s advice was to start with a well-thought-out plan that has room built in for future change. What can be done today will be far different from what can be done 20 years from now, and flexibility enables a project to adapt over time.

She also stressed the importance of being open to feedback. When people stop talking to you, it’s a sign they don’t care about the project anymore, and when they stop caring, there is a problem. Being open to feedback and soliciting community involvement can prevent this from happening, and it acknowledges that there can be multiple solutions to a problem.

Chris’s advice was to communicate with your stakeholders to get regular feedback. He also stressed the importance of automating where possible and not building in complexity just to make something complex. When they built the CVE program in the 2000s, it was too complex for CNAs to participate, so they spent a lot of time making it easier to interact with. This has allowed for much more participation from the CNAs, which advances the impact of the entire program.

That’s a wrap!

We’d like to thank Katie and Chris for bringing to light the work that goes into CVE identification and publishing, and for taking on such mammoth security challenges, which play an important role in the industry and the world.

To hear their interview in full, be sure to check out our latest episode of Security Nation, and if you like what you hear, please subscribe! We release episodes every other Friday, each featuring someone who is advancing security in their own way.