Advancements in Vulnerability Reporting in the Post-PGP Era: A Conversation with Art Manion

On this week’s episode of Security Nation, Art Manion of the CERT Coordination Center gets us up to speed on the latest in vulnerability analysis and management. Learn about the new VINCE rollout, delve into network topology trade-offs, and discover why PGP is quickly becoming obsolete.

The fast-changing world of vulnerability reporting


Housed in the Software Engineering Institute at Carnegie Mellon University, CERT/CC is not your average software development shop. As lore would have it, CERT/CC started out responding to internet-facing vulnerabilities like those exploited by the Morris worm, which spread through unpatched software, back when its lone part-time employee could connect with (almost) everyone who ran the internet. Thirty years later, the mission of their work remains unchanged.


Art serves as the Vulnerability Analysis Technical Manager at CERT/CC, where he focuses on vulnerability management and reporting. His work includes developing and launching the custom web portal VINCE (the Vulnerability INformation and Coordination Environment) to replace its predecessor, which is now pushing 20 years old and runs on dated Perl code.


When it comes to vulnerability reporting, the name of the game is adaptability. As we move away from humans reading emails toward machines reading APIs, the challenge becomes building custom tooling that facilitates coordinated disclosure while solving interoperability problems at scale.


Basically, the goal is getting machines to talk to machines in such a way that everyone else works better together. VINCE isn’t positioning itself as an end-all software solution so much as a big step toward a truly common API, coordinating players with differing goals in the vulnerability management ecosystem.


Transitioning from PGP to the dream of common ..
