Security Nation, Episode 7

How MITRE and the Department of Homeland Security Collaborate to Validate Vulns

September 27, 2019


Security Nation returns this week with a new episode that's all about collaboration. We are joined by Katie Trimble of the Department of Homeland Security and Chris Coffin of MITRE for a discussion about their contribution to the CVE Project. The two talk how they got their start in their respective organizations, why the CVE Project is so important for security professionals, challenges they've faced to get this project off the ground and optimize their operations, and how others can pitch in as a CVE Numbering Authority (CNA). 

You'll also hear from Tod in our Rapid Rundown, where he compares and contrasts the InfoSec world's response to the vBulletin and Internet Explorer zero-days this past week, and (as usual) brings you the latest in our BlueKeep Watch.

If you like what you hear, please subscribe below! We release episodes every two weeks, each featuring a new guest who is doing something positive to help advance security. Our next episode will be released Friday, Oct. 11. 

Appears on This Episode:

Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

Katie Trimble
Deputy Branch Chief, Vulnerability Management Coordination and Disclosures Branch of DHS CISA

Katie Trimble currently serves as the Deputy Branch Chief of the Vulnerability Management and Coordination section of the Cyber Threat and Risk Analysis (CTRA) branch of the NCCIC of DHS, where she leads the department's primary operations arm for coordination of the responsible disclosure and mitigation of identified cyber-vulnerabilities in control systems and enterprise hardware and software used in the 16 critical infrastructure sectors and all levels of U.S. government organizations. 

Chris Coffin
Senior Analyst and Technical SME, MITRE CVE

Chris Coffin is a senior analyst and technical SME on the MITRE CVE team. He is primarily responsible for making sure the CVE list is up-to-date by handling CVE content submissions. He also acts as the moderator for the CVE Board and helps to co-chair multiple CVE Working Groups.

About the Security Nation Podcast

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week. 


Podcast Transcript

Jen Ellis: Hi, and welcome to this week's episode of Security Nation, the podcast where we interview cool people doing cool things to advance security, and they tell us all about it. This week we have two very cool people. It's all about the coolness this week, perhaps because my voice sounds so uncool. I'm a little bit scratchy. So this week we've got coming up Kate Trimble from DHS and Chris Coffin from MITRE. They're going to be talking to us about the CVE project. But before we get into that, my cohost, the amazing Tod Beardsley. Hello Tod.


Tod Beardsley: Hello, hello, hello.

Jen Ellis: He's going to take us through the Rapid Rundown. So what have you got for us this week? What's going on in the world of cybersecurity?

Tod Beardsley: I will tell you. So there were two events that I think we can use to compare and contrast that happened this week that I want to talk about. We'll go most recent first. One of them was the zero-day on vBulletin.

Jen Ellis: Ooh, zero-day.

Tod Beardsley: Exactly. So this is exactly the response that it generated as anyone could have predicted.

Jen Ellis: Right. Does it have a name? That makes it even sexier.

Tod Beardsley:  Does not have a name. Does have a number. It has a CVE number that's long and you'll never remember. So vBulletin is a PHP-based, web forum software. I'm sure it's wonderful. It's a server-side component. People use it to log in and post forum posts about things and stuff. So it's basically bulletin board software. And somebody had dropped zero-day on it on the full disclosure mailing list, partying like it's 2005.

Tod Beardsley: And what this vulnerability allows you to do is, basically it's remote code execution. You get to take control of the vBulletin process. You can run code and all that. So pretty classic, pretty classic vulnerability. Also it's web-based. Also the PoC was pretty fully functional, so people could just pick it up and run with it, which many people did.

Tod Beardsley: So, what happened was that. And it got InfoSec Twitter all up in a tizzy, some security companies really put a lot of stock into it and reported out on it. But when we looked, we saw that, while vBulletin, again, I'm sure is lovely software, it seems to be only exposed on the internet to the tune of maybe between 10,000 and 20,000 servers, which is thousands, but it's not big. It's not like Apache, it's not Nginx, it's not IIS. And honestly, it's not usually core server software for enterprises, businesses, things like that. I would consider this like, oh, well, that's neat, it's RCE in some PHP thing. Also it's Tuesday. Like this comes up pretty often. vBulletin since has patched. So great, they have a patch available.

Tod Beardsley: The vBulletin bug got some churn in the InfoSec gossip corners that it tends to. Almost at the same time, a day before, this prior Monday, there was an out-of-band patch released for Microsoft Explorer, which is probably a little more familiar to people than vBulletin. Now don't get me wrong, so IE, Internet Explorer, is a web browser. It's one of the less popular ones these days. It only has about 8% desktop market share, which translates to only about a quarter of a billion people that use it on Earth. So, it has this footprint of about 250 million users, and there is a patch for it that is not part of the auto-update. You will not get this auto-updated until October, when it gets rolled into the normal Patch Tuesday thing, which is kind of weird and baffling.

Jen Ellis: What could possibly go wrong for those mere quarter of a billion people?

Tod Beardsley: I know, right?

Jen Ellis: Just to be clear, that was billion, with a B?

Tod Beardsley: Yeah, billion with a B, so about 250 million estimated users, give or take 10 or 20 million. And it didn't get a ton of churn among InfoSec folks, which is weird. I only noticed it because CERT/CC in Pittsburgh, who I follow religiously, mentions like, "Oh, hey, there's a thing here, and it's not going to auto-update, so good luck, everyone," pretty much the sentiment. And it's a bug that's being actively used according to Microsoft. It was found by a researcher at Google, so hooray for you. And they're doing all the right things. But I feel like there are cases where there are bugs that warrant a lot of hue and cry, and like, "Oh, drop it you're doing, and patch it, and pay attention to this at least." And then there are bugs that aren't. And I feel like a bug in a PHP web forum is not the same thing as a bug in a somewhat popular web browser. You know?

Jen Ellis: I don't know what you mean. That sounds like crazy talk. They're totally the same thing. We know which one's cooler, right? Cool is the theme this week.

Tod Beardsley: I guess, right? Because like ... And one of the differences is, is that for the IE patch, this is going to take work. Someone has to go and reverse it, and tease out what the vulnerability actually is, and then do a bunch of work on that. And hey, Metasploit developers, take a look. But for the vBulletin bug, it came on a silver platter. It was, here is something that has code already. So, I don't know, obviously the vBulletin thing is easier. It is server-side, so I don't need user interaction. I already have code, and I can pick it up and run with it like criminal groups have done now. We see it across ... Everybody who pays attention to things happening on the internet has noticed that like, oh, and people are trying to use this vBulletin bug today.

Tod Beardsley: But the IE thing is definitely being used by somebody. And usually when you have a patch like this ... Well, not usually, but a lot of times criminal organizations will see the patches, like, "Well, I'm burned now," so release the PoC, usually anonymously so it foils ongoing investigations and stuff. So basically law enforcement has nothing but leads when someone releases a privately held exploit to the public.

Jen Ellis: Oh, so crafty. Wow. Those criminals are sneaky.

Tod Beardsley: Yeah. I mean, I'm not in a position to predict that right now. I'm not a threat Intel guy, but I wouldn't be surprised if we saw an exploit for this IE thing in the next couple of days just kind of dropped in the similar way, and it's going to catch a lot of people by surprise. So, if you are one of those places that for some reason is still using Internet Explorer, not to be confused with Microsoft Edge, which is the browser that Microsoft actually wants you to use, patch your stuff. And it's a lot of manual downloading and installing the CAB files, so ... Or I guess cross your fingers until October.

Jen Ellis: Yeah. So that was cheery. That was a cheery note. And I always feel like the rapid rundown ends on a really cheery note of like, "We're all doomed." But on the other hand, this was the perfect rundown to lead into a conversation around vulnerability tracking and rating. So, hooray. Right.

Tod Beardsley: And disclosure practices, and CVEs, and all that.

Jen Ellis: So yeah. So is there anything else that you wanted to share with us in the rundown before we move on to that exact topic?

Tod Beardsley: Oh, well, you know, this podcast is subtitled BlueKeep Watch.

Jen Ellis: Woo!

Tod Beardsley: So, BlueKeep Watch, the only news I have on that is the Metasploit module. It was a pull request a couple of weeks ago. It has now landed in the Metasploit master dev branch. So, people who track that now have access to it. You don't have to go through a bunch of rigmarole to integrate it with your existing source code checkout. So it's still like only real Metasploit superfans will notice this. But it's there, and people are continuing to test it in lab environments to try to help out the stability and the targeting systems. So, still going on.

Jen Ellis: Okay. Well, thank you. That's more great news. And for those listening, if you haven't patched, then you probably should.

Tod Beardsley: If you have RDP in your environment, which is the Remote Desktop Protocol, which is the thing you use to pretend that you're sitting at a computer, patch that thing.

Jen Ellis: Sometimes people use it even when they are sitting at a computer.

Tod Beardsley: Well, yes. When you pretend that you're sitting at a different computer.

Jen Ellis: Ah. Yeah, so anyway, if you have that, patch it. That's a thing. That's totally a thing. That's what I have learned today. All right, cool. Thank you for taking us through all of this stuff.

Tod Beardsley: Yup.

Jen Ellis: That's amazing. Oh, can I throw something in?

Tod Beardsley: Sure.

Jen Ellis: This is a shameless plug, but you know. So yesterday, there was an announcement of the formation of a cybersecurity NGO called the CyberPeace Institute headquartered in Geneva. Basically the idea is to try and sort of democratize cybersecurity for ordinary citizens, so to provide assistance around cybersecurity issues, to advocate for the adoption of better cybersecurity practices, and to help people understand what's happening when there are large-scale attacks, and who's responsible, and what it means for them. So CyberPeace Institute, check it out. I am on the Board of Advisors, so I'm contractually obliged to bring it up in every conversation I have from now on. No, I'm excited about it. I think it hopefully will do some good. So, yay. All right. So that was my piece. Let's move on to our guests.

Jen Ellis: So for our special guests this week, we have some people who are associated with the CVE Project, and our very own Tod Beardsley is also associated with this project and it is a big topic for him. So he is going to be leading the charge today, and I am going to be getting edumacated. Hooray! It's about time somebody educated me. So, Katie, why don't you tell us a little bit about yourself?

Katie Trimble: So, I'm Katie Trimble. I work for the Department of Homeland Security. I'm the deputy branch chief of the vulnerability management coordination disclosures branch within CISA, the Cyber and Infrastructure Security Agency. So I'm primarily the person responsible for the vulnerability coordination and disclosure efforts that go on within the department. So I have about four primary portfolios that I am the program manager of. The first one is the Common Vulnerabilities and Exposures Program, which is operated by MITRE. I sit on the CVE board of directors and I'm the government sponsor of that program. I also, though, sponsor the NIST NVD program, National Vulnerability Database, as well as the Carnegie Mellon Software Engineering Institute CERT Coordination Center, which is a mouthful.

Jen Ellis: Wow, that's a lot of words.

Katie Trimble: Yeah, yeah, yeah. And the CISA Industrial Control System Vulnerability Program. So those are the primary portfolios that I manage within the Department of Homeland Security.

Jen Ellis: That sounds like a lot of good stuff. So thank you. Thank you for everything that you do in those areas. And I can say, we have partnered with Katie's team on vulnerability disclosures and they have been absolutely phenomenal partners. So two thumbs-up, would disclose with them again. Highly recommended. If you are a researcher listening to this and are looking for how to disclose, reaching out to Katie's team is a great idea. And Chris, tell us about yourself, Chris.

Chris Coffin: Hello, I'm Chris Coffin, I'm with the MITRE Corporation. So I work on the CVE team as a senior analyst and technical subject matter expert. So my primary responsibility is working on the CVE list itself. And so when things come from our CVE numbering authorities, when they submit new CVEs to us or when they're ready to make those public, I help them get those to the list and make sure it stays up-to-date. So that's my primary responsibility. I also do a number of other things. I've had a number of roles on the team, but some of the big stuff, too, is, I'm sort of one of the voices of the team. I act as the moderator for the board and have done so for the past few years. And I also co-chair a number of the CVE working groups. So anybody that works with the program at all has probably worked with me before, even if my name wasn't specifically there, because you're either sending content to me or I'm talking to you on one of the working groups or one of the other ways you can participate in the program. So, that is what I do.

Jen Ellis: Cool. Awesome. So, my first question before we get into everything, I want to throw it out to you, I want to know, what is CVE?

Katie Trimble: Okay, so CVE is the Common Vulnerability and Exposures Program. So what, what is a CVE? So a CVE is an identification and it's a unique identifier of a vulnerability. So what a CVE tag or identifier does is it allows us to have a conversation about a vulnerability within a cybersecurity hardware, software, whatever you like. But what it does is it allows us to know that we were talking about the same vulnerability. So it's an identifier and a definition of the vulnerability. It's not a patch, it's not a severity. All it is is a common language so that the community can know that we're all talking about the same thing.

Jen Ellis: And can you just tell us a couple of words about MITRE? I feel like everybody knows what the Department of Homeland Security is for Katie, but I feel like MITRE is a little bit less known perhaps, or a little bit less understood within security circles.

Chris Coffin: Yeah, it is. So MITRE is a not-for-profit organization that has multiple, what we call FFRDCs, or Federally Funded Research and Development Centers. So we do lots of work and have lots of programs in many different spaces with a lot of different government applications. So one of those happens to be cybersecurity, and that's where Katie and I are obviously very involved.

Jen Ellis: Yeah, love it. Thank you. I think you guys do very important work and we appreciate it at all sides. All right. And so now that I've had my moment of telling you guys how awesome I think you are, I'm going to hand over to Tod, who is also awesome!

Tod Beardsley: Not nearly as awesome as Katie and Chris, though. I'm only on one working group on the CVE Project. Chris and Kate are on several.

Jen Ellis: Yes, but you have to put up with me a lot more, so...

Chris Coffin: Tod, you have to put up with all the CVE numbering authorities, so that's a job in itself.

Tod Beardsley: I do, yeah. As way of explanation, I help run the CVE Numbering Authority Coordination Working Group. So it's the CNACWG, and that's how you pronounce it. And it is intended to help the CNAs figure out what the heck they're doing. So it's a ton of fun. I got involved with that about a year and change ago, but more importantly, when did you two get involved? And I guess I'll start with Chris and then go to Katie.

Chris Coffin: So, I don't know if we want to step back and say that the program itself started in 1999, so before my time, but I started working on the program in 2012, late 2012, so I've been around for quite a bit of it, but obviously missed a major first part of it. But I, I've been on the good part of the program because it's been all, you know, fun in the sunshine since I joined. Yeah, exactly.

Tod Beardsley: And you were hired specifically for the CVE program, right, Chris?

Chris Coffin: I was specifically hired to work on the CVE program.

Tod Beardsley: Whereas Katie has about a thousand jobs, CVE being one of them.

Katie Trimble: That sounds like the lead-in for me to say when I became part of this program. So, I'll take a hint. So I've been with DHS for many, many years now. And I was in another part of DHS before, not the cybersecurity background. I was brought on in October 2017 and at that point, what was US-CERT and ICS-CERT merged together and became what was just known as the NCCIC, the National Cybersecurity and Communications Integration Center under a different umbrella within DHS, under DHS headquarters. So we've undergone some reorganizations. So at that time in October, 2017, I was asked to come over to lead a program called the Vulnerabilities Equities Process, which is a White House-led program that weighs national security interests against intelligence collections. And as part of that, they said, you know, it's weird, we have all of these vulnerability portfolios and they seem to be in all these weird disparate places. There's one guy out in Idaho doing the ICS side. There was another person here and the comms directorate doing the CVE work and another person somewhere else. And they said, we need to put all of these under one place. And so I was asked to come and take all five of the portfolios. And so that's when I really came on board to help advocate for and be the sponsor of the CVE program.

Tod Beardsley: Great. Yeah, a fine job you've been doing so far. So I'm curious then, I guess like, the most interesting to me question here is, is what is a challenge that the CVE program has faced since you've started here, Katie, and how was that addressed?

Katie Trimble: So I think there's a couple of them that I think we've done a really good job at. And part of the reason that we're actually on this, this podcast. So one of the challenges that we're still working on is there's this idea that CVEs come from what I referred to as the "CVE Fairy." All the scanning and pen testing tools rely on CVE. It's kind of the foundation to the house. So you really can't get a good idea of your, you know, risk profile without understanding the vulnerabilities in your networks. And that's asset management and priority. So without CVE, you can't do that well. Scanning tools, automated software just doesn't function. You have no way to correlate vulnerabilities. But there's this idea that CVEs just come from the ether, they just exist. And so that's been a challenge that we're working really hard to kind of to promote the program and to talk about where, you know, actually CVEs come from somewhere.

Katie Trimble: There's a lot of work that goes into developing CVEs, populating, publishing CVEs, and it's for the community good. DHS sponsors the program. But this is a de facto standard globally. And so anybody and everybody around the world can use CVEs. So to me, that's been one of the big challenges that we've been working on addressing. I have a whole host of challenges if you want to talk about them, but I think that we've done an amazing job at, at trying to modernize the program and you know, do all of those CVEs faster and those kinds of goals that are necessary and the evolution of any kind of big program. But to me, it's really important that people understand that CVEs come from somewhere and that they're so important within the infosec community. Without them, we can't have a conversation. And that's pivotal.

Jen Ellis: I just want to make sure that you also understand that from now on, Tod is going to be the CVE Fairy.

Katie Trimble: I love that idea. I actually have a training that I give to individuals that has one of the program managers over at MITRE. It has his head on the body of a stork.

Tod Beardsley: Well, and CVE fairy has been pretty busy. You know, I look at the CVE stats, you know, over the years, and in 2017 when you started, Katie, we saw about a 2X increase. We went from averaging 5,000 to 6,000ish a year. Now since 2017 it's been like 14,000 in 2017, about 16,500 in 2018, and, and right now in 2019 we're at about 10,000 and change.

Jen Ellis: And is that just Katie? She's just putting them in constantly? That's it?

Tod Beardsley: Yeah. Yeah. Katie does half of them.

Katie Trimble: Well, yeah, we're, we're actually on track this year to hit about 20,000. We might, we might get more. We usually get a lot more in the last quarter of the year because people are closing out for the holidays. So we're currently at 16,287 vulnerabilities disclosed for public consumption.

Tod Beardsley: Yeah. And that's a whole bunch of numbers. And you know, like you say, it's a common good that like basically everyone uses it, Rapid7 uses it. So for-profit companies use it, not-for-profits use it, you know. In that vein, like if MITRE is doing such a great job at issuing all these CVEs, Chris, why would anyone want to become a CVE numbering authority?

Chris Coffin: Yeah. So why would, why would someone want to partner with the program and be a CNA? So I think the main thing for becoming a CVE numbering authority or a CNA as we call it, is to allow say, a vendor or a maintainer of software to be involved more involved in the process of the vulnerability disclosure and the handling of the CVE that eventually gets populated to the master CVE list. So, you know, traditionally the way that CVEs have been created or might get created for an organization would be that, you know, a researcher finds an issue in a vendor product. They come to MITRE as the root CNA and you know, we handle that for them. We recommend and we definitely want them to reach out to the vendor but, but MITRE is not a coordinator and we wouldn't take that route.

Chris Coffin: So we definitely want the researcher to handle that. But, MITRE's not going to reach out to that vendor and work with them and make sure that the language, you know, is a certain way and the CVE and that the references are appropriate or that there's even a fix involved.

Tod Beardsley: Because you have thousands to deal with, right?

Chris Coffin: Yeah. We're in the business of identifying and populating the CVE list with public security vulnerabilities. Now, the researcher does have to make sure that they give us something to point to publicly that talks about the details of the vulnerability. So that can either be their own blog or they can be pointing to the vendor website that you know, talks about the vulnerability, maybe in a patch that they've released or, or some kind of security advisory. And, but that does have to exist. There needs to be a public reference.

Chris Coffin: Now if the vendor chooses to, and if it's important to them, they can become a CNA. And the difference there is that when a researcher comes to MITRE and says, "Hey, I found a vulnerability in this Vendor A product," instead of MITRE handling that, we let Vendor A handle that. So we tell the researcher, well, you know, there's a CNA for this, go to Vendor A and they will handle the process for you. And you know, obviously if there's any questions or any problems in that communication, then they can always come back to MITRE and ask us for guidance. But, but in general, the CNA will pick that up. They'll handle the assignment of the CVE and they will handle publication of that CVE to the master list when they're ready to go public. So they control or they have more control over the process. They have the ability to describe the vulnerability in a way that makes sense to them because to be honest, the ones who are most in the know of the details of the vulnerability are the vendor or the maintainer themselves. So they're going to be the ones that can describe it in the best way. And that's going to make the CVE list and the CVE IDs that they provide that much better.

Tod Beardsley: Yeah, for sure. And, and I know that we all use the word “vendor” kind of casually, but it doesn't have to be commercial software. Right? Like there are a few open source projects that are also CNAs. I mean for me, it's always tricky to disclose vulnerabilities to open source projects. Just kind of as a side note, because open source projects tend to fix real fast. So I often find myself trying to disclose privately and do a little coordinated disclosure, and then I'll see a fix show up within a day or something like that. But anyway, besides that kind of wrinkle when it comes to coordinated disclosure, basically anyone who produces software can be a CNA, right?

Chris Coffin: That's right. And I'll say vendor or maintainer because you want to make sure you kind of cover both camps in, in that respect.

Tod Beardsley: And there are about a hundred and what is it right now? Like 102 CNAs?

Chris Coffin: 102 I believe is our current number.

Tod Beardsley: Over 20 years? I mean, honestly that seems a little low. So is there currently a push to get more CNAs?

Katie Trimble: Yes. So it's funny that you mentioned that it's 20 years of a program and that it is a little bit low on that number and there's a very solid reason why. So up until 2016, so CNAs have always existed within the program. However, they weren't able to actually populate their entries. They could reserve and they could assign, but they couldn't populate. All of that had to go through the MITRE, the MITRE portfolio, and it had to be approved actually I think at one point by the board itself. So imagine, you know, it's fine. In a world of 1999 where we published 321 vulnerabilities, but in the world of 2016/17/18 as you said, where we're finding vulnerabilities at a scale that is just unbelievable. And so in order to make sure that we could keep up and scale with the demand, the MITRE CVE program underlined a very significant change.

Katie Trimble: And that's, we moved from a hub and spoke kind of governance system to a federated model. And I love to refer to this whenever I'm talking about funding and how wonderful the CVE program is that it's crowdsourced. It's lovely because what it does is it allows independent, trusted entities, the CNAs, to contribute to the program and have the ability to do that for themselves completely. So in 2016, the program was officially federated and that allowed CNAs to publish their own CVEs. So what we've done is we've tried to encourage a program that's scalable—you know, we're not finding four or five vulnerabilities a week anymore, we're finding 20,000 in a day. And so we really needed to remove people from that process. And that's one of the things that we are working very hard to do in modernizing the infrastructure and modernizing the actual program.

Katie Trimble: That's why we say we need more CNAs because as you said, people didn't necessarily even know that they were a software vendor before. And I can imagine that sounds bizarre, because how could you not know? But there are a lot of companies that don't actually realize they're software vendors. They create a thing—particularly I'm talking about Internet of Things thing—and all of a sudden, they are a software vendor. And so who do you go to whenever there's a bug in that system? So that's why there is a marked increase in vulnerabilities being disclosed. There was a bottleneck and we fully acknowledged that there was a bottleneck. There were people in the process and people can only process so much. So we've moved to a model that's much more community-based. But with that we need to be able to encourage, and I see recruits, CNAs as we really need people who are motivated to be able to do this work and who really, really care about the security ecosystem.

Tod Beardsley: What advice would you have for people who are looking to start something new and different and specifically like new public projects? Because as you said at the top of the interview, you run quite a few public projects. I imagine you might have some good advice for like what to do in that first day, first week, that kind of thing.

Katie Trimble: Yeah, so that's a challenging question for me. I appreciate you asking it. So when, when I look at, you know, what advice to give to somebody who's actually starting a program like this, I can look back at lessons learned and see where the key failures were and the programs that I have run. And the biggest thing that I see is that in the infosec community, we are changing and evolving so fast. I know that sounds sort of a cliché. People say that all the time by the time you buy something new, something that is on the market, but it kind of, it's true in this world. And so I would say that we built a very human-esque program in 1999 with the CVE program. And it got very, very bad for a little while. There were a lot of hiccups along the way.

Katie Trimble: And so when you're trying to start something new, I would say make sure that you're organized, you have a well-thought-out plan, and build some room for change into it. Because what we can do today is nowhere near what we're going to be able to do in 20 years. And so having that flexibility means that you don't have to completely dismantle a project, which is essentially what we had to do. We're on a really good track, I think, at least I hope that we are within the community for the CVE program, but we had some lessons learned to get here, and I would say, you know, plan for the future and leave some wiggle room in there so that you can make adjustments and adjust for things that work and remove things that don't work, and then just never be afraid of feedback. I always say, like, the opposite of love is not hate. It's indifference. And so when people stop talking to you, that's when you know that they don't care anymore. And when people don't care, that's when there's really a problem. So don't be afraid of feedback. Solicit community involvement. There are always multiple solutions to a problem, and make sure you build some wiggle room into your project.

Tod Beardsley: Yeah, for sure. Like, this is the reason why I don't mind that people continue to bag on CVE every once in a while. I'm happy to defend CVE, but I'm also more happy to just have the conversation, right? When people stop talking about CVE, that's when CVE is in real trouble. Right. Chris, any advice for folks who want to take on a new public project for the public good? Specifically in security, I guess, but, or anything.

Chris Coffin: Katie touched on the basic stuff I was thinking about when you first asked the question. So, you know, make sure you're communicating with your stakeholders and getting the appropriate feedback, automate where possible. And that's what we're at the point of doing. And, you know, I would say another important thing is don't build in complexity just to make it complex; try to remove complexity wherever is possible. Another thing that we've run into is, you know, I think this goes back to our CNA conversation, the CVE program and how we did things back, you know, in the 2000s, and when the program began, it was just too complex for CNAs to come on board and participate. And what we've done is we've really spent a lot of time trying to make the CVE program, and how we function in our processes, less complex so that we can have much more participation from the community and, you know, from the CNAs.

Tod Beardsley: Yep. And I would say, like, especially in 1999, I think people who are in software and software engineering tended to over-design things a little. Yeah, there's an aphorism now of YAGNI, of "you ain't gonna need it." And it is the notion of just building something bare minimum, just kind of just to get it off the ground and out the door. So it sounds like that would be a good way to go for any kind of new project: kind of scope out what is the minimum and have lots of room for change, and then it'll be great and everyone will love your project, and then by transition you. Cool, well, I think that wraps it up for us, talking about CVE. I like CVE. I'm a big fan. I mean, it's kind of like, I find myself getting involved with CVE because I get involved a lot in coordinated vulnerability disclosure, CVD, which is one less than CVE.

Jen Ellis: And we also like CVD very much. Yes.

Tod Beardsley: And so, like, that's the path that I took to get to CVE. But yeah, if you're out there and listening and want to get involved with CVE, I think if you just hit mitre.org, if you just Google CVE, you will find out who to talk to. You will probably end up talking to Chris. So that's it for Security Nation. I'm not sure how the outro ever goes, because I never do this. Jen's usually on this end.

Jen Ellis: I can help you out. And I do feel like I've learned a lot, but what I really want to know, my last question is, Tod, you say that you love CVE and you're committed to it. Do you have a CVE tattoo?

Tod Beardsley: Oh, not yet, but I guess today. Yeah.

Jen Ellis: The day is still young for you right now, huh?

Katie Trimble: Would it be CVE-07-08?

Tod Beardsley: You know what, that is my favorite CVE. CVE-2019-0708.

Jen Ellis: Let's ask why that's his favorite CVE, though.

Tod Beardsley: That is the BlueKeep vulnerability, and it is the only CVE I know off the top of my head. Because, I don't know, 0708 is pretty easy to remember. It's a sequence, and BlueKeep is a big deal. And so thank you, Katie, for bringing us back to our core mission here at Security Nation, and that is talking about BlueKeep.

Jen Ellis: We've gone full circle. Fantastic. All right. Right. So yes. Thank you, Katie. Thank you, Chris, very much. And thank you, Tod, for basically giving me the day off. It was delightful, and as usual, huge thanks to our producer, Bri, who makes all the magic happen and somehow manages to make us sound more like we know things. I feel like I got educated today. It's great, but please tell me there will not be a quiz. All right, thanks, everyone. Check out the next episode, where we'll be speaking to more awesome people. Hooray!