Re: [Suit] Ripple20

Eliot Lear <lear@cisco.com> Tue, 16 June 2020 17:30 UTC

From: Eliot Lear <lear@cisco.com>
Message-Id: <A3E64275-F85F-4706-A69B-2A4C4C9AD02A@cisco.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_077CAD33-67C5-4493-B4ED-534F50CB37C0"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 16 Jun 2020 19:29:58 +0200
In-Reply-To: <44c701d64401$415e3f40$c41abdc0$@reliableenergyanalytics.com>
Cc: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, suit <suit@ietf.org>
To: Dick Brooks <dick@reliableenergyanalytics.com>
References: <F6BDED6E-B812-4CE8-9CDF-FC0CC2D4DB38@vigilsec.com> <9D9F401F-3DD8-48F7-92F5-9B5AAEF1D8E0@cisco.com> <44c701d64401$415e3f40$c41abdc0$@reliableenergyanalytics.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/lKt2Eu_x_XI42Cqmwq_PxFmAYzo>
Subject: Re: [Suit] Ripple20
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>

Hi Dick

> On 16 Jun 2020, at 19:12, Dick Brooks <dick@reliableenergyanalytics.com> wrote:
> 
> Eliot,
>  
> I want to thank you for pointing me to the NTIA SBOM work. I spoke with Allan Friedman of NTIA this morning. I explained the importance of having SBOM metadata aligned with CVE database vendors to enable automated CVE searches that should produce a better signal/noise ratio as part of a risk assessment supporting NERC CIP-010-3 R1, Part 1.6 (software verification). Today’s CVE search results produce a significant number of false positives, rendering them nearly useless.

Right.  Until someone does an evaluation, there’s almost no point.  How this would work with the NTIA model is that those products that publish SBOMs would immediately be considered potentially vulnerable, and then VEX would provide the opportunity to refine that to “not vulnerable” to “vulnerable with workaround” to “vulnerable with fix”, etc.

I do have a question for the chairs/AD.  I realize that this is a bit out of scope for SUIT.  Is there a more appropriate list we should be vectored to?  Thanks for the group’s indulgence to this point.

Eliot

>  
> FYI:  I’ve offered to assist NTIA within the energy industry, hopefully starting with a communication to DOE regarding the 5/1 emergency Executive Order on cybersecurity and the potential benefits of an SBOM.
>  
>  
> Thanks,
>  
> Dick Brooks
> Never trust software, always verify and report! ™ https://reliableenergyanalytics.com/products
> http://www.reliableenergyanalytics.com
> Email: dick@reliableenergyanalytics.com
> Tel: +1 978-696-1788
>  
> From: Suit <suit-bounces@ietf.org> On Behalf Of Eliot Lear
> Sent: Tuesday, June 16, 2020 12:39 PM
> To: Russ Housley <housley@vigilsec.com>
> Cc: suit <suit@ietf.org>
> Subject: Re: [Suit] Ripple20
>  
> Thanks for passing that along, Russ.  This is also an interesting test case for the discussion that we just had re SBOM.  The focus of that work has largely been on OSS.  Well.
>  
> Eliot
> 
> 
>> On 16 Jun 2020, at 18:22, Russ Housley <housley@vigilsec.com> wrote:
>>  
>> Just in case anyone forgot why SUIT is so important to the IoT ecosystem...
>>  
>> https://thehackernews.com/2020/06/new-critical-flaws-put-billions-of.html
>>  
>>  
>> _______________________________________________
>> Suit mailing list
>> Suit@ietf.org
>> https://www.ietf.org/mailman/listinfo/suit
>  
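The two-stage flow Eliot sketches (an SBOM makes a product "potentially vulnerable" for every advisory that names one of its components; a supplier VEX statement then refines that status) as an added example, not code from the thread, from NTIA or from any SBOM/VEX tool. The SBOM, advisory and VEX shapes below are simplified stand-ins for CycloneDX/SPDX, a CVE feed and CSAF-VEX, and every product, component and advisory identifier is constructed for the example.

```python
"""SBOM-then-VEX triage, added example (constructed data, simplified formats)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed SBOM: product -> [(component, version), ...]
SBOM: Dict[str, List[Tuple[str, str]]] = {
    "example-gateway-fw": [
        ("example-tcpip-stack", "6.0.1.41"),
        ("example-tls-lib", "2.7.0"),
    ],
    "example-sensor-fw": [
        ("example-tcpip-stack", "6.0.1.40"),
    ],
}


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory record: versions of `component` below `fixed_in` are affected."""
    id: str
    component: str
    fixed_in: str


ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-ADV-1", "example-tcpip-stack", "6.0.1.66"),
    Advisory("EXAMPLE-ADV-2", "example-tls-lib", "2.8.0"),
]

# Constructed VEX statements from the product supplier:
# (product, advisory id) -> (status, justification). Statuses follow the
# thread's wording rather than any particular VEX profile.
VEX: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("example-gateway-fw", "EXAMPLE-ADV-1"): (
        "vulnerable_with_workaround", "mitigation published in supplier bulletin"),
    ("example-gateway-fw", "EXAMPLE-ADV-2"): (
        "not_vulnerable", "vulnerable code not in execute path"),
    # A statement about a component the sensor SBOM does not list at all:
    ("example-sensor-fw", "EXAMPLE-ADV-2"): (
        "not_vulnerable", "component not present"),
}


def version_key(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (constructed scheme)."""
    return tuple(int(p) for p in v.split("."))


def sbom_matches(sbom, advisories) -> Dict[Tuple[str, str], str]:
    """Stage 1: flag every (product, advisory) pair where the SBOM lists an
    affected component version. This is deliberately noisy: presence of the
    component is enough to flag, which is exactly the false-positive load
    Dick complains about."""
    hits: Dict[Tuple[str, str], str] = {}
    for product, components in sbom.items():
        for comp, ver in components:
            for adv in advisories:
                if adv.component == comp and version_key(ver) < version_key(adv.fixed_in):
                    hits[(product, adv.id)] = "potentially_vulnerable"
    return hits


def apply_vex(hits, vex) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Stage 2: a VEX statement overrides the default. A flagged pair with no
    statement stays potentially_vulnerable; that conservative default is the
    point of publishing the SBOM in the first place."""
    return {
        key: vex.get(key, (default, "no VEX statement from supplier"))
        for key, default in hits.items()
    }


def unsupported_vex(hits, vex) -> Set[Tuple[str, str]]:
    """Consumer-side check: VEX statements about pairs the SBOM never flagged
    are either stale or refer to a component the SBOM omits. Either way the
    SBOM and the VEX disagree and a reviewer should look."""
    return set(vex) - set(hits)


def triage(sbom=SBOM, advisories=ADVISORIES, vex=VEX):
    """Run both stages and return {(product, advisory): (status, justification)}."""
    return apply_vex(sbom_matches(sbom, advisories), vex)


if __name__ == "__main__":
    hits = sbom_matches(SBOM, ADVISORIES)
    for key, (status, why) in sorted(triage().items()):
        print(f"{key[0]:20} {key[1]:15} {status:28} {why}")
    for key in sorted(unsupported_vex(hits, VEX)):
        print(f"WARNING: VEX statement for {key} not supported by SBOM")
```

With the constructed data the gateway's two hits are refined to "vulnerable with workaround" and "not vulnerable", the sensor's hit stays "potentially vulnerable" because no statement covers it, and the stray sensor statement is reported as unsupported rather than silently accepted.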