#58: Tom Alrich Returns – Our Vulnerability Problem (Bonus Episode)
In this special bonus episode, we welcome back Tom Alrich, an expert in supply chain cybersecurity, to discuss one of the most pressing issues in cybersecurity right now. Tom discusses the current problems with the National Vulnerability Database (NVD) and the challenges they present for effective vulnerability management. We explore his proposed solutions and the future of software supply chain security, based on his extensive experience.
About Tom Alrich
Tom Alrich is a well-known independent consultant and blogger specializing in supply chain cybersecurity and NERC CIP compliance in the cloud. He leads the OWASP SBOM Forum and Vulnerability Database Working Group projects, and is currently most focused on vulnerability management and the serious problems now preventing effective vulnerability management programs. Tom has been consulting in cybersecurity since 2001, with previous experience at Honeywell and Deloitte. Since 2018, he has operated as an independent consultant, focusing particularly on software supply chain cybersecurity and software bills of materials (SBOMs). This year, he published his first book, “Introduction to SBOM and VEX”, which is available on Amazon. His widely-followed blog, “Tom Alrich’s Blog,” offers insights and updates on these critical topics. Tom resides in Evanston, Illinois, and holds a BA in Economics from the University of Chicago. If you’d like to reach out to Tom, his email address is [email protected]
Additional links mentioned during the episode or relevant to the discussion:
- The SBOM Forum’s 2022 white paper on fixing the CPE problem in the NVD
- Tom’s post from yesterday on the problem with vulnerability management
- The link to the SBOM Forum’s website, where donations can be made (please email Tom before donating)
- An additional post he published on the day we recorded the episode, which further highlights the NVD issue
- Tom’s book “Introduction to SBOM and VEX” which is out now
Tom also mentioned that he misspoke when he said at the end that the OWASP Vulnerability Database Working Group is meeting twice weekly. In reality, they are only meeting twice monthly, as he can’t afford to dedicate more time than that. They would love to meet at least weekly and also create documents, webinars, and more. Therefore, they are seeking some modest donations to support these efforts.
A Summary of Our Conversation with Tom Alrich
- Tom Alrich has been consulting in cybersecurity since 2001, with previous experience at Honeywell and Deloitte.
- Since 2018, he has operated as an independent consultant focusing on software supply chain cybersecurity and software bill of materials (SBOM).
- Leads the OWASP SBOM Forum and Vulnerability Database Working Group.
- Published his first book, “Introduction to SBOM and VEX,” available on Amazon.
- Runs the widely followed blog, “Tom Alrich’s Blog,” offering insights and updates on critical cybersecurity topics.
- Holds a BA in economics from the University of Chicago and resides in Evanston, Illinois.
- Tom discussed significant issues with the National Vulnerability Database (NVD), particularly its recent inability to keep up with enriching CVE reports.
- Highlighted the role of CVE reports, CVSS scores, CWEs, and CPE names in automated vulnerability management.
- Emphasized that the lack of CPE names for vulnerabilities reported after February 12th renders them invisible in NVD searches, posing a substantial risk.
- Detailed how the backlog of unenriched CVE reports affects automated processes for identifying vulnerabilities.
- Stressed the importance of CPE names in connecting vulnerabilities to specific products, comparing a CVE report without a CPE name to a car without a steering wheel.
- Explained that the NVD’s partial resumption of enriching CVE reports since May has not addressed the growing backlog of vulnerabilities.
- Introduced purl (Package URL) as a more reliable identifier for software products compared to CPE.
- Suggested extending purl to address proprietary software by integrating SWID tags, which Microsoft and other developers have previously used.
- Highlighted the importance of controlled namespaces to ensure consistency in product identification.
- Advised against premature regulation in the vulnerability management industry due to the current unresolved issues.
- Emphasized the importance of allowing the industry to mature before imposing regulations, drawing a parallel with well-established industries like AI and crypto.
- Encouraged regulators to focus on guidelines and support rather than strict regulations at this stage.
- Clarified a previous misstatement: the OWASP Vulnerability Database Working Group meets twice monthly, not twice weekly, due to time constraints.
- Expressed the desire to increase meeting frequency and produce valuable resources such as documents and webinars.
- Requested modest donations to support the group’s efforts, noting that OWASP is a 501(c)(3) nonprofit, and contributions may be tax-deductible.
- Encouraged listeners interested in supporting the group’s work to reach out for more information on making donations.
Discussion Points:
- Tom shared background information on how vulnerabilities are reported and the role of CVE numbering authorities (CNAs).
- Explored the challenges with automated vulnerability management due to inconsistent CPE naming conventions.
- Discussed potential solutions, including automated CPE generation and the use of alternative identifiers like purl.
- Addressed the broader implications for supply chain security and the importance of accurate vulnerability tracking.
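To make concrete the two points above (a CVE record with no CPE name is invisible to automated matching, and inconsistent CPE naming causes misses that a purl would not), here is an added example of a minimal SBOM-to-CVE matcher. It is not code from the podcast, NVD or OWASP; the records, component, vendor names and CVE ids are constructed placeholders, and the `purls` field on the record is a hypothetical stand-in for the purl support Tom proposes.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Component:
    """One SBOM component (constructed sample, not real data)."""
    name: str
    version: str
    cpe: Optional[str] = None   # CPE 2.3 name as the SBOM tool guessed it
    purl: Optional[str] = None  # Package URL, e.g. pkg:pypi/name@version

@dataclass
class CveRecord:
    """A CVE record; `cpes` stays empty when NVD has not enriched it."""
    cve_id: str
    cpes: List[str] = field(default_factory=list)
    purls: List[str] = field(default_factory=list)  # hypothetical purl field

def cpe_matches(pattern: str, cpe: str) -> bool:
    """Field-by-field CPE 2.3 comparison; '*' in the pattern matches anything."""
    p, c = pattern.split(":"), cpe.split(":")
    if len(p) != 13 or len(c) != 13:        # 'cpe', '2.3' plus 11 attribute fields
        return False
    return all(pf == "*" or pf.lower() == cf.lower() for pf, cf in zip(p, c))

def find_affecting_cves(comp: Component, records: List[CveRecord]) -> List[str]:
    """Return the CVE ids that match the component by CPE or by purl."""
    hits = []
    for rec in records:
        by_cpe = comp.cpe is not None and any(cpe_matches(pat, comp.cpe) for pat in rec.cpes)
        by_purl = comp.purl is not None and comp.purl in rec.purls
        if by_cpe or by_purl:
            hits.append(rec.cve_id)
    return hits

def invisible_cves(records: List[CveRecord]) -> List[str]:
    """CVE ids no product search can find: neither a CPE nor a purl is attached."""
    return [r.cve_id for r in records if not r.cpes and not r.purls]

# Constructed sample; the CVE ids are placeholders, not real vulnerabilities.
RECORDS = [
    CveRecord("CVE-0000-0001", cpes=["cpe:2.3:a:examplevendor:widgetlib:2.0.1:*:*:*:*:*:*:*"]),
    CveRecord("CVE-0000-0002"),                                   # unenriched: no CPE at all
    CveRecord("CVE-0000-0003", purls=["pkg:pypi/widgetlib@2.0.1"]),
]
# The SBOM tool spelled the vendor differently from NVD, a typical CPE mismatch.
WIDGET = Component("widgetlib", "2.0.1",
                   cpe="cpe:2.3:a:example_vendor:widgetlib:2.0.1:*:*:*:*:*:*:*",
                   purl="pkg:pypi/widgetlib@2.0.1")
WIDGET_NVD_CPE = Component("widgetlib", "2.0.1",
                           cpe="cpe:2.3:a:examplevendor:widgetlib:2.0.1:*:*:*:*:*:*:*")
```

Running `find_affecting_cves` on the two components shows the exact-CPE component finding only CVE-0000-0001, the mis-spelled-CPE component finding only the purl-matched CVE-0000-0003, and `invisible_cves` listing the unenriched CVE-0000-0002 that neither search can reach.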
Conclusion:
- Emphasized the critical need for effective vulnerability management solutions in the cybersecurity landscape.
- Highlighted the ongoing efforts of the OWASP Vulnerability Database Working Group to address these challenges.
- Encouraged the cybersecurity community to support these efforts through donations and participation in initiatives like the SBOM Forum.