This repository contains information related to the Root Cause Mapping Working Group and its activities. CVE Numbering Authority (CNA) representatives are invited to join and contribute to the working group's efforts.
Root-Cause-Mapping-Working-Group/RCM-WG
Root Cause Mapping Working Group

What is root cause mapping?

Root cause mapping is the identification of the underlying cause of a vulnerability. This is best done by correlating CVE Records with CWE entries. Root cause mapping is not done accurately at scale by the vulnerability management ecosystem.

Why is root cause mapping important?

Root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers. Additionally, it enables:

  • Driving the removal of classes of vulnerabilities: Root cause mapping saves vendors money by encouraging a valuable feedback loop into an SDLC or architecture design planning (i.e., the more weaknesses avoided in product development, the fewer vulnerabilities to manage after deployment)
  • Trend analysis (e.g., how big of a problem is memory safety compared to other problems like injection)
  • Further insight into potential “exploitability” based on root cause (e.g., command injection vulnerabilities tend to attract increased adversary attention and to be targeted by certain actors)
  • Facilitating industry competition on security; organizations can demonstrate to customers, transparently, how they are targeting and tackling problems in their products

How is the RCM WG seeking to improve accurate root cause mapping at scale?

The Root Cause Mapping Working Group (RCM WG) was established by CVE® and CWE™ community stakeholders (e.g., Intel, Microsoft, Red Hat, Rapid7, CISA, HSSEDI) with the purpose of determining how to improve and scale accurate root cause mapping. Specifically, the working group is exploring the feasibility of an effective decentralized root cause mapping ecosystem.

This would mean instead of an intermediary being responsible (e.g., NIST's National Vulnerability Database [NVD] team, the CWE team), root cause mapping is taken on by those that know the vulnerabilities and products best. The initial targets are CVE Numbering Authorities (CNAs) because they:

  • Participate in both the CVE and CWE programs
  • Demonstrate responsible disclosure of vulnerability information
  • Provide a basis of measurement for CVE-to-CWE correlation accuracy
  • Are a proxy for the broader vulnerability management ecosystem

If CNAs can’t do root cause mapping accurately, there should be no expectation that it can be done at scale.

What are the working group’s initial priorities?

The working group is initially focused on identifying the capabilities, processes, and information needed to improve and scale accurate root cause mapping by:

  • Identifying and describing the current challenges in performing and reporting accurate root cause mapping
  • Defining how the CWE hierarchy and content must improve to facilitate better root cause mapping, which in turn advances the CWE program's adoption and coverage goals
  • Developing new capabilities to simplify the root cause mapping process

What has the group accomplished so far?

The RCM WG established the following goals for the working group:

  1. Define the business case for doing accurate root cause mapping
     • (Objective 1) Socialize and confirm with the broader community
  2. Determine the feasibility of accurate, decentralized root cause mapping
     • (Objective 1) Identify the capabilities, processes, and information needed to make root cause mapping easier

The RCM WG has also established communication channels, begun recruiting additional members, and is close to finalizing a charter. Initial members have begun sharing what they are currently doing to fill gaps in the existing CWE structure to make it more adoptable.

How can I get involved?

The RCM WG is accepting new members. If you are interested in participating, please email us at cwe@mitre.org.
