1 of 22

Jay Jacobs

jay@empiricalsecurity.com

Art Manion

zmanion@protonmail.com

Towards a Minimum Viable Vulnerability Enumeration (MVVE)

[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

Hey Jay wait up…

Jay

Problem

What information do we need in a vulnerability record to uniquely identify a vulnerability?

No really, the absolute minimum?

Necessary, but perhaps not sufficient for vulnerability management

A note on vulnerability management:

  • Risk management, scoped to vulnerabilities
  • “Zero vulnerabilities” is an illusion

Problem

The starting question:

“What information do we need in a CVE record to uniquely identify a vulnerability?”

Vulnerability management is complicated

It’s management, risk management, not “zero risk” or “zero vulnerabilities”

Framing

Information elements

MVVE defined

  • Must contain a unique and public identifier for each record.
  • Must contain enough information to initiate the vulnerability management process for the product consumer.
  • Must contain enough information to disambiguate each vulnerability from other vulnerabilities.
  • Removal of any one information element from the record negates the value.
  • All information is represented once and only once.

Framing

Stakeholder roles

Phases

Information elements

Vulnerability management

Phases

Risk-minimizing, defensive CVD and idealized vulnerability management

Phases

Or, EITW (exploited in the wild)

Vulnerability Management Providers

Stakeholder roles

Producer, Product Producer - the individual or organization that created or maintains the Product.

Consumer, Product Consumer - the individual or organization that is primarily responsible for deploying a patch and/or other remediation actions.

Vulnerability Manager - a sub-role, traditionally existing within the product consumer, that prioritizes/executes the remediation/treatment of known vulnerabilities.

Vulnerability Management Provider - provides a capability, service, or other supporting role.

Information elements

Vulnerability identifier

Product identifier

Remediation

  • Update, workaround, mitigation, detection

Attributes, characteristics of a vulnerability (e.g., CVSS vectors)

Classification (e.g., CWE)

References

Zeitgeist (“spirit of the times”)

Requires/Provides (attack graph)

MVVE: Minimum Viable Vulnerability Enumeration

Vulnerability identifier

Product identifier

Notably missing from this list: CVSS, SSVC, EPSS, CWE, CAPEC, zeitgeist…

AVE: Adequate Vulnerability Enumeration

Vulnerability identifier (MVVE)

Product identifier (MVVE)

Remediation (AVE)

  • Update, workaround, mitigation, detection

References

Attributes, characteristics of a vulnerability (e.g., CVSS vectors)

Classification (e.g., CWE)

Zeitgeist (“spirit of the times”)

Requires/Provides (attack graph)
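The MVVE definition (a unique public identifier per record, enough to disambiguate, every element essential, each fact represented once and only once) together with the MVVE and AVE element lists above can be expressed as checks over a set of records. The Python below is an added illustration written for this page, not code from the authors or from any CVE or vulnerability-database tooling. The field names, the use of CVE-ID syntax as the stand-in for a "public identifier", and the sample records are assumptions constructed for the example; the deck defines information elements, not a schema.

```python
"""Added example: checking records against the MVVE / AVE element lists.

Not the authors' code. Field names, the CVE-style identifier format and
the sample records are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field, replace
from typing import Optional

# Assumption: a CVE-style identifier stands in for "unique and public identifier".
PUBLIC_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# MVVE: the only two required elements (vulnerability id, product id).
MVVE_ELEMENTS = ("vuln_id", "product_ids")


@dataclass
class VulnRecord:
    vuln_id: Optional[str] = None                     # unique, public vulnerability identifier
    product_ids: list = field(default_factory=list)   # identifiers of affected products
    # AVE elements; optional in this example.
    remediation: Optional[str] = None                 # update, workaround, mitigation, detection
    references: list = field(default_factory=list)
    attributes: dict = field(default_factory=dict)    # e.g. a CVSS vector
    classification: Optional[str] = None              # e.g. a CWE id


def missing_mvve_elements(rec: VulnRecord) -> list:
    """Names of MVVE elements that are absent or empty in this record."""
    return [name for name in MVVE_ELEMENTS if not getattr(rec, name)]


def is_mvve(rec: VulnRecord) -> bool:
    """Both MVVE elements present and the identifier is public (well-formed)."""
    return not missing_mvve_elements(rec) and bool(PUBLIC_ID.match(rec.vuln_id))


def is_ave(rec: VulnRecord) -> bool:
    """AVE = MVVE plus a remediation element."""
    return is_mvve(rec) and bool(rec.remediation)


def every_element_essential(rec: VulnRecord) -> bool:
    """'Removal of any one information element negates the value':
    dropping any single MVVE element must make the record fail is_mvve."""
    if not is_mvve(rec):
        return False
    for name in MVVE_ELEMENTS:
        empty = [] if name == "product_ids" else None
        if is_mvve(replace(rec, **{name: empty})):
            return False
    return True


def check_enumeration(records) -> list:
    """Cross-record checks: identifiers are unique and each
    (vulnerability, product) pair is represented once and only once.
    Returns (record index, problem description) tuples."""
    problems = []
    seen_ids = set()
    seen_pairs = set()
    for i, rec in enumerate(records):
        missing = missing_mvve_elements(rec)
        if missing:
            problems.append((i, "missing " + ", ".join(missing)))
            continue
        if not PUBLIC_ID.match(rec.vuln_id):
            problems.append((i, "identifier is not a public CVE-style id"))
        if rec.vuln_id in seen_ids:
            problems.append((i, f"duplicate identifier {rec.vuln_id}"))
        seen_ids.add(rec.vuln_id)
        for pid in rec.product_ids:
            pair = (rec.vuln_id, pid)
            if pair in seen_pairs:
                problems.append((i, f"{pair} represented more than once"))
            seen_pairs.add(pair)
    return problems


# Constructed sample records (not real vulnerability data).
SAMPLE = [
    VulnRecord("CVE-2099-0001", ["vendor:widget:1.0"], remediation="update to 1.1"),
    VulnRecord("CVE-2099-0002", ["vendor:widget:1.0", "vendor:widget:1.0"]),  # pair listed twice
    VulnRecord("CVE-2099-0001", ["vendor:gadget:2.3"]),                        # duplicate identifier
    VulnRecord("INTERNAL-7", ["vendor:gadget:2.3"]),                           # not a public id
    VulnRecord("CVE-2099-0003", []),                                           # no product id
]

if __name__ == "__main__":
    for index, problem in check_enumeration(SAMPLE):
        print(index, problem)
```

Running the module lists one problem for each of the four defective sample records; only the first record is MVVE, and only it is AVE because it carries a remediation. `every_element_essential` is the operational form of the "removal negates the value" criterion: a record passes only if it fails as soon as either MVVE element is taken away.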

Enumeration or Exposure?

Are we…

  • Enumerating technical cybersecurity vulnerabilities?
  • Cataloging technical cybersecurity “exposures”?

Depending on the answer, does MVVE change?

  • Still need identifiers
  • What is needed for “exposure” management?

A look forward

Minimum Viable Vulnerability Enumeration

  • Paper coming “real soon now”
    • In depth analysis of vulnerability phases/tasks
    • High level introduction of roles
    • Discussion of Information Elements and their applicability to roles and phases

https://tinyurl.com/3tdux5z2
