We Speak CVE
CVE Program
22 episodes
3 weeks ago
“We Speak CVE” podcast host Shannon Sabens chats with CVE Consumer Working Group (CWG) co-chairs, Jay Jacobs and Bob Lord, and CVE™ Project Lead Alec Summers, about how the CWG was created to address the needs and perspectives of those who use CVE data — ranging from enterprise security teams to tool developers and managed security service providers — recognizing that their requirements and pain points often differ from those of upstream data providers. Topics include the CWG’s goals to syst...
Technology
Business,
News,
Tech News
All content for We Speak CVE is the property of CVE Program and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episodes (20/22)
The CVE Consumer Working Group (CWG)
“We Speak CVE” podcast host Shannon Sabens chats with CVE Consumer Working Group (CWG) co-chairs, Jay Jacobs and Bob Lord, and CVE™ Project Lead Alec Summers, about how the CWG was created to address the needs and perspectives of those who use CVE data — ranging from enterprise security teams to tool developers and managed security service providers — recognizing that their requirements and pain points often differ from those of upstream data providers. Topics include the CWG’s goals to syst...
3 weeks ago
20 minutes

Mapping the Root Causes of CVEs
“We Speak CVE” podcast host Shannon Sabens chats with CVE™/CWE™ Project Lead Alec Summers and CWE Top 25 task lead/CWE Root Causes Mapping Working Group lead Connor Mullaly about the importance of mapping CVE Records (vulnerabilities) to their technical root causes using Common Weakness Enumeration (CWE). Additional topics include the benefits of RCM for CVE Numbering Authorities (CNAs) and consumers of CVE data, Common Vulnerability Scoring System (CVSS) and other vulnerability metadat...
3 months ago
23 minutes

25 Years of CVE and What’s Next
Host Shannon Sabens speaks with fellow CVE Board members Kent Landfield and Madison Oliver and CVE Program Lead Alec Summers about the 25th anniversary of the CVE Program. Topics include the history of the program, the program today, and what’s next.
9 months ago
47 minutes

CNA Onboarding Process Myths Versus Facts
Shannon Sabens of CrowdStrike chats with Dave Morse, program coordination lead for the CVE Program, about the myths and facts of the CVE Numbering Authority (CNA) partner onboarding process. Truth and facts about the following topics are discussed: duration and complexity of the onboarding process; the fact that there is no fee to participate; ease of incorporating assigning CVE Identifiers (CVE IDs) and publishing CVE Records into an organization’s existing coordinated vulnerability disclosu...
1 year ago
24 minutes

Expected Impact of the CNA Rules 4.0
Host Shannon Sabens speaks with Art Manion and Kent Landfield, all three of whom are CVE Board members and CVE Working Group (WG) chairs, about the all-new “CVE® Numbering Authority (CNA) Operational Rules Version 4.0.” Topics discussed include the new fundamental concept embedded throughout the rules called the “right of refusal”; how CVE assignment is technology neutral (i.e., cloud, artificial intelligence, etc.); end-of-life assignments; the dispute process; how CNAs can add addition...
1 year ago
37 minutes

Swimming in Vulns (or, Fun with CVE Data Analysis)
Host Shannon Sabens of CrowdStrike chats with Benjamin Edwards and Sander Vinberg, both of Bitsight, about analyzing vulnerability data in the CVE List. This is a follow-on to their “CVE Is The Worst Vulnerability Framework (Except For All The Others)” talk at CVE/FIRST VulnCon 2024. Topics discussed include the types of vulnerabilities and vulnerability intelligence they reviewed and the different ways they approached the data; how CVE is a really good framework for compiling information abou...
1 year ago
43 minutes

Meet the 3 New CVE Board Members
In this episode — recorded live at “CVE/FIRST VulnCon 2024” — CVE Board member and CVE podcast host Shannon Sabens of CrowdStrike chats with the three newest CVE Board members: Madison Oliver of GitHub Security Lab, Tod Beardsley of Austin Hackers Anonymous (AHA!), and MegaZone of F5 who joins as the new CVE Numbering Authority (CNA) Liaison to the Board. Topics include how and why each new member joined the board, the impact that participating in CVE Working Groups had on their decisions to b...
1 year ago
25 minutes

CVE Records States and Tags
Host Shannon Sabens speaks with Art Manion and Kent Landfield, all three of whom are CVE Board members and CVE Working Group (WG) chairs, about CVE Records. Discussion topics include the CVE Record Lifecycle, the three “states” of CVE Records (RESERVED, PUBLISHED, and REJECTED), the current “tags” in use with CVE Records (EXCLUSIVELY-HOSTED-SERVICE; UNSUPPORTED-WHEN-ASSIGNED; and DISPUTED), the difference between the REJECTED state and the DISPUTED tag, how a DISPUTED tag can be tempora...
1 year ago
33 minutes

The Council of Roots
Learn how CVE Numbering Authority (CNA) partners—ranging from large to small organizations, proprietary and open-source products or projects, disparate business sectors, and different geographic locations—are overseen and supported within the CVE Program by “Top-Level Roots” and “Roots.” Topics include the roles and responsibilities of the two different types of Roots; how their work benefits the CNAs under their care; how they recruit new CNA partners, including suggestions for addressing up...
1 year ago
48 minutes

How the New CVE Record Format Will Benefit Consumers
Shannon Sabens of CrowdStrike and Kent Landfield of Trellix, both of whom are CVE Board members and CVE Working Group chairs, speak about how the new CVE Record format — with its new structured data format and optional information fields — will benefit and provide enhanced value to consumers of CVE content moving forward. Specific topics discussed include how the new CVE Record format will enable more complete vulnerability information to be captured early on in the advisory process and ...
2 years ago
25 minutes

Becoming A CNA—Myths versus Facts
Host Shannon Sabens of CrowdStrike chats with Julia Turkevich of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the myths and facts of partnering with the CVE Program as a CVE Numbering Authority (CNA). Truth and facts about the following myths are discussed: Myth #1: Only a specific category of software vendors can become CNAs. Myth #2: Organizations cannot leverage their existing vulnerability management and disclosure processes when they become a CNA. Myth #...
2 years ago
22 minutes

Microsoft’s Journey Adopting CVE Services & CVE JSON 5.0
Kris Britton of the CVE Program speaks with Lisa Olson of Microsoft about Microsoft’s journey adopting the new CVE Services and CVE JSON 5.0 into their vulnerability management infrastructure and how they used them for the first time as part of Microsoft’s February 2023 Patch Tuesday. Discussion topics include the CVE JSON 5.0 schema mind map and other schema resources on GitHub; reviewing CVE JSON 5.0 records on the CVE.ORG website; using Vulnogram, or one of the other CVE Services clients, f...
2 years ago
30 minutes

Coordinated Vulnerability Disclosure
Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about the recent release of OpenSSF’s “Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects” document and the important step of obtaining a CVE ID in the coordinated vulnerability disclosure process for open-source vulnerabilities. OpenSSF is a “cross-industry organization that brings together the industry’s most important open source security initiatives and t...
2 years ago
23 minutes

An Insider’s View of the CVE Program
Shannon Sabens of CrowdStrike and Tod Beardsley of Rapid7, both of whom are CVE Board members and CVE Working Group chairs, chat about the CVE Program from their insider’s perspectives. Topics include the value of a federated program of CVE Numbering Authorities (CNAs) from around the world for increased assignment of CVE Records; the upside and minimal requirements to becoming a CNA; the types of organizations that are CNAs; how CNAs are a community with a mentoring program; how CNAs assignin...
3 years ago
23 minutes

The Value of Assigning CVEs
Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about how and why CVEs are assigned, the value of CVEs in vulnerability management, responsible coordination of vulnerability disclosures, the importance of comprehensiveness in security advisories, and why there is no stigma in a CVE. CVE Numbering Authority (CNA) scopes, disclosure policies, turnaround times, and more are discussed in general, as are GitHub’s specific CNA processes and how it helps open-source pr...
3 years ago
19 minutes

Researchers and PSIRTs Working Well Together
Shannon Sabens of CrowdStrike and Milind Kulkarni of NVIDIA discuss what security researchers should expect when reporting vulnerabilities to a Product Security Incident Response Team (PSIRT); how best to collaborate with them; how to interpret responses from the PSIRT; how to get the best outcome when making a report; supported versus end-of-life (EOL) products; CVE Numbering Authority (CNA) scopes; timing of a patch versus the publication of a CVE Record; and more.
3 years ago
26 minutes

Enhancing CVE Records as an Authorized Data Publisher
Kent Landfield of McAfee and Art Manion of CERT/CC discuss how the CVE Program’s upcoming release of JSON 5.0 will allow for additional and related information to be added to CVE Records after they have been published by CVE Numbering Authorities (CNAs). These additions — such as risk scores, affected product lists, versions, references, translations, etc. — will be made by “Authorized Data Publishers (ADPs),” which will be organizations authorized within the CVE Program to enrich the records...
3 years ago
27 minutes

How Red Hat's Active Participation Helps Improve the CVE Program
Shannon Sabens of CrowdStrike chats with Peter Allor, Fábio Olivé, and Martin Prpic of Red Hat, which is a long-time CVE Numbering Authority (CNA). The benefits of actively participating as a member of the CVE community are discussed, especially in the CVE Working Groups, which allows Red Hat to directly contribute to enhancing CVE automation and quality, as well as strategic planning for future improvements. Specific topics include Red Hat being a resource for other CNAs, particularly for ope...
3 years ago
24 minutes

CVE Myths versus Facts
Episode 9 – Three CVE Board members provide the truth and facts about the following myths about the CVE Program: Myth #1: The CVE Program is run entirely by the MITRE Corporation Myth #2: The CVE Program is controlled by software vendors Myth #3: The CVE Program doesn’t cover enough types of vulnerabilities Myth #4: The CVE Program is responsible for assigning vulnerability severity scores CVE Program – https://www.cve.org CVE Board – http...
4 years ago
27 minutes

CVE Working Groups, What They Are and How They Improve CVE
Our eighth episode is all about how community members actively engage in the six CVE Working Groups (WGs) to help improve quality, automation, processes, and other aspects of the CVE Program as it continues to grow and expand. The chairs and co-chairs of each WG, each of whom is an active member of the CVE community, chat about their WG’s overall mission, current work, and future plans. Discussion begins with the Transition (TWG), a temporary WG focused on managing the numerous modernization,...
4 years ago
26 minutes