Saturday, 26 March 2016

CVE, a key cybersecurity resource, is at risk inside and out

To know a threat, you have to name it. And before bugs got sexy brands like Heartbleed and Shellshock, a little-known but vital database tracked them by number.

Now, the Common Vulnerabilities and Exposures list, a 17-year-old database backed by the Department of Homeland Security and maintained by nonprofit government contractor Mitre, faces a flood of new bugs it has admitted it can’t handle. A proposal to update its operations is stalled amid infighting among experts.

Hundreds of software programs that guard against cyberthreats use the list’s nomenclature, and security researchers view getting a CVE number as a credential of sorts — a sign of legitimacy for their efforts to poke holes in software so they can be fixed before hackers exploit them.

Larry Cashdollar, a senior engineer at Akamai Technologies, still remembers when an odd flaw he found in a music-synthesizer program became CVE-1999-0765.

He was 23 when he discovered that ripping through the on-screen piano keys gave him administrative access to a Silicon Graphics workstation computer. He didn’t even have to contact CVE administrators to get his bug listed; he just sent a message about it to a popular bug-tracking email list, and someone picked it up from there.



from cyber security caucus http://ift.tt/1q7FQFB