RE: CVE AWG Meeting 10/20/20: Agenda Proposal
On the board call we discussed a number of things that should be done from a security perspective. Unfortunately, the notes from the board meeting did not capture the breadth of the discussion.

Here are some things we discussed:

  1. Penetration Testing – It would be good if we could get companies in the CVE community to help penetration test the CVE services. When to perform these tests depends on the degree of changes since the last pen test vs. how much risk we consider taking on without doing one. An initial pen test would help us have greater confidence in the security of the services.
  2. Secure configurations – How do we have assurance that the AWS environment and the services are hardened to provide a necessary level of security?
  3. Code review – Has all new code been reviewed with an eye toward the security of the services? We should look into static analysis capabilities that can be built into a continuous integration / continuous deployment (CI/CD) system. We should also solicit volunteers from the AWG and CVE community to do code review on an ongoing basis.
  4. Vulnerability management – How are we managing vulnerabilities in software components used in the services, and how do 3rd parties report vulnerabilities in the services? We have a disclosure policy, but it's not easy for a 3rd party to find this information.

I am sure I am missing some things, but this is a start. I am CCing the CVE Board list to see if any board members have anything to add.

Regards,

Dave

AWG members,

Find attached a proposed agenda for the AWG meeting on 10/20/20.

Also find attached:

AWSUtilizedServiceFor IDRv1.1.docx: This is an explanation provided by the Secretariat in response to Requirement #4: Measure to ensure availability of the system. Please review it and be prepared to discuss it on Tuesday.

AWGIDRScorecardReport20201013.pptx: This is the scorecard that I sent to the CVE Board. Please note that it is a bit different than what you saw on Tuesday when we discussed it. I felt that, although the Secretariat had asserted a few more "Greens", we really did not, as a group, determine that they were green, so I turned them pink and changed the definition of pink to include failure AND the fact that evidence had not been considered.

Other notes:

The Board has requested that a new Requirement be added to the Deployment Requirements: Security. There was not much discussion of what that actually meant (i.e., what was the list of things that comprise Security). The AWG will need to discuss this at the 10/20 meeting: Specifically the question will be asked:

  1. Do you believe that a new requirement (i.e., Security) should be added to the Deployment Requirements (bringing the total to 9)?
  2. If so, what should be the artifacts/deliverables that should comprise the components of this new Requirement. Feel free to offer your thoughts on the "list" before the meeting on Tuesday.
  3. My apologies for not getting the Summit brief out to you this week. I will finish it this weekend and send it out on Sunday evening. If you would like to provide feedback before the brief on Monday afternoon (Eastern time), that will be welcome. Again ... sorry I didn't get it out in time for a really thorough review before now.

If you volunteered to be a Community Tester, please provide an update (as detailed as possible) on where you are in testing in an email prior to the meeting, so that we don't have to take up much time for that topic.

Regards,

Kris

Kris Britton

Chair, CVE Program AWG
