Written by Jakub Balhar, Chair of the Zowe Technical Steering Committee and Product Marketing Manager at Broadcom
The Zowe Community is pleased to announce that Zowe has been authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA). CVEs are publicly disclosed computer security flaws, catalogued in a single list. Throughout the software industry, when a CVE is referenced it means a known security flaw has been assigned a CVE ID number. So what does this mean for Zowe and, more importantly, how might it impact your use of the software? Whether we realize it or not, we all depend on the outcomes of the CVE Program when trying to understand our software supply chain and what security risks reside within it.
The Zowe Community is devoted to ensuring Zowe’s security policies and procedures follow the highest standards. Through collaboration and by leveraging the work of the OpenSSF, a cross-industry organization that brings together the industry’s most important open-source security initiatives, the Zowe Project strives to advance open-source security for all. The OpenSSF recommendations serve as our foundation. But we felt compelled to do more when we realized we could communicate vulnerabilities faster while simplifying the Zowe Security Team’s work. Becoming a CNA allows us to do both!
What should you know about the program?
The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
What is CVE?
CVE is an international, community-based effort and relies on the wider software community to discover vulnerabilities. Once discovered, vulnerabilities are assigned CVE IDs and published to the CVE List.
The CVE Records published in the catalog enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks.
The CVE List is built by CVE Numbering Authorities (CNAs). Every CVE Record added to the list is assigned by a CNA. Examples of CNAs include the Linux Foundation, GitHub, the Apache Software Foundation, and now Zowe!
The CVE List feeds the U.S. National Vulnerability Database (NVD).
CVE enables two or more people or tools to refer to a vulnerability and know they are talking about the same thing, resulting in significant time and cost savings.
CVE is Community Driven
The CVE Program relies on the community to discover vulnerabilities; partner organizations from around the world then assign CVE IDs and publish the records, giving practitioners a consistent description they can use to confirm they are discussing the same issue and to coordinate how they prioritize and address it. A great example of this coordination is the widely known Apache Log4j vulnerability.
The CVE Board, which drives the direction of the CVE Program, consists of industry, academic, and government representatives from around the world.
What are CNAs (CVE Numbering Authorities)?
CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.
Learn more about CVE:
What is Zowe’s Scope?
Zowe is responsible for all security issues found within the Zowe code, regardless of who finds the issue. As a CNA, if we find the issue ourselves we will directly request that the new CVE be published as soon as possible. If someone else reports a suspected issue in the source code, we will be consulted to verify the assertion and we will have the ability to provide additional information.
Becoming a CNA is a big step for Zowe, but it is just one of the many steps the Zowe Community has planned to ensure Zowe is known for achieving the highest standards in open-source security practices.
For more on Zowe, check out the Medium blog here or the Zowe community website at Zowe.org. You can also ask a question and join the conversation on the Open Mainframe Project Slack channels #Zowe-dev, #Zowe-user or #Zowe-onboarding. If this is your first time using the Open Mainframe Project Slack, register here.