
Red Hat, NIST circulating open source vulnerability info

25 Sep 2006 | IT Business Edge


With Mark Cox, the security response team director for Red Hat (www.redhat.com). Red Hat recently entered an agreement with the National Institute of Standards and Technology on a more innovative way of advertising vulnerabilities.

Question: What is Red Hat doing in association with NIST?

Cox: We at Red Hat ship a lot of software that is open source. One of the benefits is anyone can distribute it as part of their product. When a vulnerability comes up in open source it tends to affect more than one person. As vendors, we are really good at having a customized notification system. Because Red Hat knows what software is on each machine, it can provide a customized notification. What we are not very good at is telling when someone is not vulnerable to an issue. Over time [we are seeing] more and more cases of this. One of the main reasons is that Red Hat has innovated lots of security technologies designed to prevent people from exploiting security holes. We didn't have a particularly good way of telling customers of issues that didn't affect them. The second part of the problem is that there are a lot of vulnerability databases out there. Very few of them provide any value. They provide links to vendors and that's all they do. They do not analyze vulnerabilities for themselves. The exception is CERT CC. They take statements from the vendors -- but they only cover a subset of vulnerabilities. We approached NIST and asked them if they would be interested in helping with a solution. The solution that was proposed is to allow vendors such as Red Hat to give the National Vulnerability Database statements on how vulnerabilities will affect or not affect them. And that was what they implemented. Now as a vendor we can make real-time updates to the National Vulnerability Database.


Question: Is this Red Hat only, or can any company participate?

Cox: It was designed for all vendors to take part. We went to all competitors in a similar situation and let them know about the service and let them sign up. Right now we have over 100 statements in the database. I know Mandriva has statements on the database. We asked vendors to get in touch with the National Vulnerability Database. We didn't want to be in that loop. So the benefit to Red Hat customers is that they can go directly to the National Vulnerability Database. Every vulnerability that has a CVE -- Common Vulnerabilities and Exposures -- designation has an entry in the National Vulnerability Database.


Question: Will the system evolve in the future?

Cox: It's one of those things in which you invent the service and let go of it and hope people make use of it. And you find they make use of it in exciting ways. One of the things we haven't done yet but are thinking we might do is when a vulnerability comes out without prior warning -- a zero-day vulnerability -- we can post a statement along the lines of "We just heard about this vulnerability. Here's what we know about it." We can keep it updated as the lifetime of the vulnerability progresses. It builds on the whole transparency theme with open source, not only in software but in processes. At Red Hat, we are quite happy to be transparent and be accountable for our software. It's unique. This is the first time vendors are allowed to comment on vulnerabilities. There are a lot of databases out there, but this is the first that allows vendors to comment. The exception is CERT Coordination Center. They do allow vendors to comment, but it's by no means an instant thing. You have to do it in email and wait for them to put it on their Web site. There is only a subset of issues that CERT CC cares about.

This 3 Questions originally appeared in a weekly report from IT Business Edge.





Copyright 2006 - 2008, TechTarget. All Rights Reserved.