Josh and Kurt talk about GitHub Copilot. What can we learn from a report claiming 40% of code generated by Copilot has security vulnerabilities? Is this the future or just some sort of strange new thing that will be gone as fast as it came?
Josh and Kurt talk about a Home Depot plan to put DRM on power tools. Anyone can add a computer to anything for a few dollars now. How secure is any of this? What does it mean when the things we buy start to acquire DRM? There are a lot of new questions we don’t have any real answers for.
Josh and Kurt talk about a very difficult disclosure problem. What happens when you have to report a vulnerability to an ethically questionable company? It’s less simple than it sounds, many of the choices could end up harming victims.
Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn’t always obvious when you’re in the middle of progress.
Josh and Kurt talk about the news that the NSO Group is widely distributing spyware onto a large number of devices. This news should be a wake up call for anyone creating devices and systems that could be attacked, it’s time to segment services. There’s not a lot individuals can do at this point, but we have some ideas at the end of the episode.
TL;DR – The future of community vulnerability identifiers is going to be the Cloud Security Alliance. See this blog post for more details.
A few months ago the Distributed Weakness Filing project (DWF) announced it was coming back to work with some new ideas around how we work with vulnerability identifiers. The initial blog post explains the reasons; we won’t rehash them here.
It should surprise nobody that the DWF project did not grow to an enormous size in a few short months. Vulnerability identification is a complex and hard problem. We were looking to try out some new ideas and see which were effective and which were not. The goal was to start building the structure needed to support a future community and, most importantly, to help figure out what we don’t know we don’t know.
One group that has become interested in what we were doing is the Cloud Security Alliance (CSA). The CSA is focused on, well, security and the cloud, as well as other new and emerging technologies and problems. Traditional vulnerability identifiers have been heavily focused on software as it existed in the past rather than on current software and services. The CSA has an interest in helping to define the next generation of vulnerability classification. There are a huge number of potential vulnerabilities and weaknesses that are going untracked, which means they are largely unseen. If we expect the future to be more secure than the past, having a community driven vulnerability classification and freely available databases will be critical.
To make a long story short, the DWF is dissolving and is directing people and organizations interested in participating in this towards the CSA community where a new working group and other efforts are being started. The group is tentatively called the “Universal Vulnerability Identifier (UVI) working group”. This is a working group with open membership and an initial goal of helping define the future of vulnerability identification. The target audience is anyone looking to understand, use, and define vulnerability identifiers. Closed source, open source, services, security researchers, IoT developers, individuals, companies, projects; we want to work with everyone. For more information please see https://universalvulnerabilityidentifier.org/.
The DWF was founded on the idea of bringing community, openness, and transparency to vulnerability identifiers. These are also principles that the CSA values and has consistently exhibited for over a decade. There will be a few changes to the DWF and DWF data happening in the short term to support these long term goals:
- The UVI IDs will all start with the prefix “UVI”. All DWF IDs will have the prefix upgraded to UVI
- The iwantacve.org domain is being transferred to the MITRE Corporation. We do hope that the MITRE Corporation continues to run a service that makes acquiring a CVE Identifier quick and painless
- The DWF project is dissolved effective immediately
We are extremely excited for what the future holds. The CSA is a very forward thinking organization that understands and appreciates the past work of the DWF. We all expect this working group will have a great impact on the future of vulnerability identification and management.
Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it?