No Action Required: CVE for Software as a Service
Author: FIRST
Uploaded: 2025-05-29
Views: 86
Description:
Art Manion (ANALYGENCE Labs, US), Lisa Olson (Microsoft, US), Don Bailey (AWS, US), Michael Coté (Google, US)
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts in the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Lisa Olson is a Principal Security Program Manager at Microsoft, has a lot to do with Patch Tuesdays, and has been a CVE Board member since 2018.
Don "Beetle" Bailey is a Senior Principal Security Engineer at AWS, previously at MITRE and before that in the U.S. Army.
Michael Coté is a veteran of the 82nd Airborne. He is the lead for Google Cloud VRP and Vulnerability Response, which includes publishing CVEs for critical vulnerabilities within Cloud.
--
Fixing or otherwise mitigating a vulnerability requires action. By someone. For user- or customer-controlled software, this “someone” is the user or customer who performs actions such as update, upgrade, patch, make a configuration change, rebuild, or fetch new dependencies. For software as a service, this “someone” is the service provider, while the user or customer may not need to take any material action. A browser refresh, session timeout, or a new API call uses the fixed software. What does it mean to assign CVE IDs to “no-user-action” vulnerabilities? What are the costs and benefits? Is there danger of decreasing the CVE signal-to-noise ratio? How do changes in the CNA Operational Rules apply? A panel of major cloud service CNAs will discuss these questions and more.