
Episode 399 - Curl, Security, and Daniel Stenberg

Josh and Kurt talk to Daniel Stenberg about curl. Daniel is the creator of curl, and we chat with him about the security of curl. Daniel tells us how curl is kept secure, and we learn about some of the historical reasons curl works the way it does. We hear the story about the curl CVE situation firsthand. We also touch on the importance of curating the community of a popular open source project. ...

October 30, 2023

Episode 392 - Curl and the calamity of CVE

Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it’s not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There’s a lot of confusion and difficulty in understanding how CVE works.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_392_Curl_and_the_calamity_of_CVE.mp3

Show Notes
Curl blog post
Now it’s PostgreSQL’s turn to have a bogus CVE
GitHub Advisory Database
Josh’s “CVE tried to get me fired” story

September 11, 2023

Episode 307 - Got vulnerabilities? Introducing GSD

Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers.

https://traffic.libsyn.com/secure/forcedn/opensourcesecuritypodcast/Episode_307_Got_vulnerabilities_Introducing_GSD.mp3

Show Notes
We rate dogs
Raccoons that heal your sadness
Global Security Database
Episode 261 – DWF is back! Welcome to community powered CVE
GSD mailing list
GSD Circle group
GSD Database
GSD Project Plan

January 24, 2022

It's time to fix CVE

The late, great John Lewis is well known for a quote about getting into trouble: "Never, ever be afraid to make some noise and get in good trouble, necessary trouble." It’s time to start some good trouble. Anyone who knows me, reads this blog, or follows me on Twitter is well aware I have been a proponent of CVE Identifiers for a very long time. I once assigned CVE IDs to most open source security vulnerabilities. I’ve helped more than one company and project adopt CVE IDs for their advisories. I encourage anyone who will listen to adopt CVE IDs. I’ve even talked about it on the podcast many times. ...

March 30, 2021

Episode 261 - DWF is back! Welcome to community powered CVE

Josh and Kurt talk about DWF. It’s back, and the intention is to have real community driven security identifiers!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_261_DWF_is_back_Welcome_to_community_powered_CVE.mp3

Show Notes
Committee vs Community
dwflist repo
dwf-request tooling repo
dwf-workflow policy repo
CVE plateau graph
iwantacve.org

March 8, 2021

Episode 219 - Chat with Larry Cashdollar

Josh and Kurt have a chat with Larry Cashdollar. The three of us go way back. Larry has done some amazing things and he tells us all about it!

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_219_Chat_with_Larry_Cashdollar.mp3

Show Notes
Akamai
Larry’s website
Larry’s First CVE

October 12, 2020

2020 CWE Top 25 I mean 10 or maybe 4.5

A few days ago I ran across this report from MITRE. It’s titled “2020 CWE Top 25 Most Dangerous Software Weaknesses”. I found the report lacking the sort of details I was hoping for, so I’m going rogue and adding those details myself, because it’s a topic I care about and I like seeing conclusions. Think of this as a sort of modern graffiti. Firstly, all of my data and graphs come from the NVD CVE JSON data. You can find my project to load this data into Elasticsearch and then do interesting things with it on GitHub here. All graphs are screenshots from Kibana. ...

August 24, 2020

Episode 201 - We broke CVSSv3, now how do we fix it?

Josh and Kurt talk about CVSSv3 and how it’s broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and found it far more broken than any of us expected, in ways we didn’t expect. NVD isn’t broken; CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next? ...

June 15, 2020