Advancements in Vulnerability Reporting in the Post-PGP Era: A Conversation with Art Manion

On this week’s episode of Security Nation, Art Manion of the CERT Coordination Center gets us up to speed on the latest in vulnerability analysis and management. Learn about the new VINCE rollout, delve into network topology trade-offs, and discover why PGP is quickly becoming obsolete.

The fast-changing world of vulnerability reporting

Housed in the Software Engineering Institute at Carnegie Mellon University, CERT/CC is not your average software development shop. As lore would have it, CERT/CC started fixing internet-facing vulnerabilities like the Morris worm, which exploited unpatched software, back when the lone part-time employee could connect with everyone who ran the internet (almost). Thirty years later, the mission of their work remains unchanged.

Art serves as the Vulnerability Analysis Technical Manager at CERT/CC, where he focuses on vulnerability management and reporting. His work includes developing and launching the custom web portal VINCE (or Vulnerability INformation and Coordination Environment) to replace its predecessor—which is now pushing 20 years old, and uses dated Perl code.

When it comes to vulnerability reporting, the name of the game is adaptability. As we move away from humans reading emails to machines reading APIs, the challenge becomes custom-building to facilitate coordinated disclosure and addressing problems with interoperability at scale.

Basically, the goal is getting machines to talk to machines in such a way that everyone else works better together. VINCE isn’t positioning itself as an end-all software solution so much as a big step toward a truly common API, coordinating players with differing goals in the vulnerability management ecosystem.

Transitioning from PGP to the dream of common API

Conducting vulnerability reporting through PGP email signatures relies on encryption keys specific to sender and user. It offers feedback such as timestamps, which are appreciated by many. Email reports also provide a built-in transaction log so you know who sent what and when, which prove ideal for data-mining facilitators. Keyboard cranks argue PGP email is hard, others find it easy, but one thing is clear: It’s on the way out. Art notes PGP’s successes, but acknowledges it doesn’t scale, so vulnerability reporting must evolve beyond it.

To address scaling, Art looks to the dream of common API, which he hopes VINCE will support. Viability becomes a concern, faced with the daunting prospect of attempting to scale custom web platforms for hundreds of vendors and researchers.

With respect to beta testing, the healthcare burdens and workflow interruptions due to COVID-19 present less immediate hurdles than the more mundane concerns, like the inevitable software bugs. But Art stresses that the ubiquity of bugs makes them forgivable. It’s not whether bugs exist but how you respond to them that counts. Using feedback gathered from the first round of beta testing, which began in February, prior to quarantine, he’s currently making alterations to VINCE in anticipation of a May launch.

From hub-and-spoke to bus: the evolution of disclosure topology

Unsurprisingly, privacy concerns arise in the transition away from hub-and-spoke, closely moderated topology to a more open bus topology.

The “hub” in hub-and-spoke topology receives communications and requests, then initiates separate exchanges with vendors or researchers as needed. So in effect, CERT/CC acts as a moderator for all email communications—extracting relevant information, fine-tuning messaging, and deleting what’s extraneous.

The upsides of moderation are obvious but, on the other hand, what if an analyst with 10 cases suddenly calls out? The accompanying downside is the risk of impeded workflow. Bus topology attempts to correct this issue, with a common case chat that permits all vendors and researchers real-time access to each other, without a middleman. While this diminishes slow-downs, it increases exposure to otherwise private communications. Vendors and researchers must demonstrate trustworthiness for common API to succeed.

To that end, instead of treating professional conduct as something that requires policing, VINCE operates under the expectation that all parties will behave appropriately, encouraging openness and mature collaboration on both sides. This is in line with something like the CERT/CC company ethos: Do a good job to make things better for everyone—and not just to improve your own product.

Listen to the full podcast

Rapid7 would like to thank Art for taking the time to give us the scoop on CERT/CC, VINCE, and clarify where vulnerability reporting is headed. Listen to the full podcast and be sure to subscribe to catch future episodes of Security Nation.