Welcome to a special issue of the CVE-Announce e-newsletter. Common Vulnerabilities and Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter / November 16, 2015
-------------------------------------------------------
Contents:
1. After 16+ Years, CVE Co-Founder Steve Christey Coley Departs the CVE Project
2. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
After 16+ Years, CVE Co-Founder Steve Christey Coley Departs the CVE Project
Steve Christey Coley, the co-founder of CVE who served as the project's technical lead, CVE Editorial Board moderator, and Editor of the CVE List since the project was launched publicly in 1999, resigned from the CVE project on October 26th.
Steve, who will be staying at MITRE, will now focus primarily on being the technical lead for the Common Weakness Enumeration (CWE) project and addressing the vulnerability management needs of the healthcare industry, while also keeping the CVE concept in mind. As Steve mentions in his departure message to the CVE Editorial Board: "My current work in CWE and healthcare … is likely to expand into other industry verticals with emerging cybersecurity challenges. I also plan to investigate what "CVE" would mean in other industry verticals and emerging technical domains, and/or in other global regions. I'll even be drawing from my experience in my old AI days of the early 90's."
Steve also intends to stay very involved in the vulnerability world by continuing to "advocate for and support the development of the next generation of vulnerability researchers; to build that ever-elusive theoretical framework for precisely understanding vulnerabilities, weaknesses, and their root causes; and to help "InfoSec" mature as an industry, including embracing people with non-traditional or non-technical roles that are critical to the industry's maturation. I will also seek to encourage diversity (in all its forms) within this industry; I believe that InfoSec has great potential for positive change, because we've all been outsiders in one way or another."
ORIGIN STORY
It all started back in 1998 when a MITRE Lead Information Security Engineer named Steve Christey Coley was trying to choose a commercial vulnerability assessment tool to help protect MITRE's own networks, and was dealing first-hand with the problem of multiple vulnerabilities that were the same issue but had different names, were described in different ways, and that tested at different levels of abstraction. In an attempt to decipher this confusion, Steve did a labor-intensive mapping across the commercial tools that he was considering at that time and learned that there were many discrepancies in coverage claims; some tools provided less coverage than claimed, while others provided more.
At the same time, MITRE's David Mann was trying to develop a database of system characteristics for the corporation that could be used to answer questions about how vulnerable MITRE was to problems described by security advisories.
Steve and Dave combined their efforts and developed a proposal for a simple common naming scheme that could be used by the community to correlate vulnerability information. They presented their approach, "Towards a Common Enumeration of Vulnerabilities," at a Purdue University vulnerability database workshop in January of 1999. That approach eventually grew into the CVE we know today 16+ years later.
A SPECIAL THANK YOU TO THE TEAM AND COMMUNITY FROM STEVE
In his departure message, Steve emphasized that CVE has always very much been a collaborative effort, and gave special thanks to fellow CVE co-founder David Mann for his "passion, principles, and far-forward, out-of-the-box thinking" and to Margie Zuk, "the third member of the original CVE triad, whose contributions to CVE have gone woefully unrecognized; whose unique combination of unmitigated optimism, realistic pessimism, and patience kept the project moving forward through some tough times … and whose original admonition to "keep the faith" back in spring 1999 has served me countless ways over the years."
Steve also thanked the entire CVE community: "On a broader scale, my humblest thanks and appreciation go to the hundreds of people in the entire CVE community, with whom I've had the pleasure of working: the ever-changing members of the CVE content team, each of whom has brought their own perspective and skills, and left their own mark; numerous MITRE employees, from senior management who supported the idea and took a risk in CVE's founding years, to the specialists from other disciplines who contributed their expertise to improve our processes, to the admin support who helped everything run smoothly; the members of the CVE Editorial Board, who taught me to think more comprehensively about the many different perspectives surrounding vulnerability management, and whose endorsement of CVE gave it the legitimacy to effect positive change in the industry; independent and hobbyist researchers, whose contributions to the industry's body of knowledge and my own intellectual growth have been consistently underestimated; and countless other people I've talked to by email, at conferences, or on social media."
WISHING STEVE WELL
Current CVE Project Lead Steve Boyle posted a "Very Special Thank You to Steve Christey Coley" message to the CVE Editorial Board email discussion list on October 28th, saying: "Steve has been a mentor and teacher to many people, both inside and outside of MITRE. He is, and has been for many years, a highly engaged, respected and respectful member of the community. We extend our deepest thanks to Steve and wish him all the best in his new endeavors. Congratulations, people who are about to begin working with Steve, you do not yet know how lucky you are."
We echo that sentiment here: Thank you Steve for all you have done and best of luck in your new endeavors!
LINKS:
Steve Christey Coley's Goodbye Message -
https://cve.mitre.org/data/board/archives/2015-10/msg00022.html
CWE -
https://cwe.mitre.org/
CVE -
https://cve.mitre.org/
CVE Editorial Board -
https://cve.mitre.org/community/board/index.html
"Towards a Common Enumeration of Vulnerabilities" white paper -
https://cve.mitre.org/docs/docs-2000/cerias.html
Steve Boyle's Thank You Message about Steve -
http://common-vulnerabilities-and-exposures-cve-editorial-board.1128451.n5.nabble.com/A-special-quot-Thank-You-quot-to-Steve-Christey-Coley-td11.html
News page article with photos -
https://cve.mitre.org/news/index.html#november122015_After_16+_Years_CVE_Co_Founder_Steve_Christey_Coley_Departs_the_CVE_Project
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message, copy the following text into the BODY of the message: "SIGNOFF CVE-Announce-List", then send the message to listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.
