"Firms Push for CVE-Like Cloud Bug System"

Security firms are pushing for improved cloud vulnerability and risk management. Significant gaps exist in the Common Vulnerabilities and Exposures (CVE) system because dangerous flaws in cloud services are not covered by it. Cloud providers often expose customers to risk by not sharing details about bugs found on their platforms. Many firms are therefore calling for a CVE-like approach to cloud bug management so that customers can weigh exposure and impact and mitigate risk.

A growing number of security firms argue that the current model is broken because CVE identification rules assign CVE tracking numbers only to vulnerabilities that end users and network administrators can directly manage. MITRE, the non-profit organization behind the CVE system, does not assign CVE IDs to security issues considered the cloud provider's responsibility. The assumption is that the cloud provider owns the problem, and that assigning CVEs to issues customers cannot control or administrators cannot patch falls outside the CVE system's scope. Scott Piper, a cloud-security researcher with Summit Route, says it is a false assumption that every issue can be resolved by the cloud provider and so needs no tracking number. Even when the cloud provider can fix an issue, researchers believe it still warrants a record. According to Alon Schindel and Shir Tamari, researchers with the cloud security firm Wiz, as new types of vulnerabilities are discovered, more issues are found that do not fit the current MITRE CVE reporting model. The security industry is therefore urging the creation of a centralized cloud vulnerability database. Although cloud service providers do respond quickly to cloud bugs and work fast to mitigate them, the process of identifying and tracking issues and helping impacted users needs to be streamlined.

Shared industry goals behind the cloud bug CVE approach include standardized notification channels for all cloud service providers, standardized bug or issue tracking, severity scoring to help prioritize mitigation efforts, and transparency into vulnerabilities and their detection. This article continues to discuss the need for a CVE-like cloud bug system.

Threatpost reports "Firms Push for CVE-Like Cloud Bug System"
