Firms Push for CVE-Like Cloud Bug System

Researchers propose fresh approaches to cloud-security bugs and mitigating exposure, impact and risk.

The 22-year-old Common Vulnerabilities and Exposures (CVE) system has big gaps: it does not address dangerous flaws in the cloud services that drive millions of apps and backend services. Too often, cloud providers needlessly expose customers to risk by not sharing the details of bugs discovered on their platforms. A CVE-like approach to cloud bug management must exist to help customers weigh exposure and impact and mitigate risk.

That is the opinion of a growing number of security firms pushing for better cloud vulnerability and risk management. They argue that the current model is broken because CVE identification rules assign CVE tracking numbers only to vulnerabilities that end users and network admins can directly manage.

MITRE, the non-profit organization behind the CVE system, does not designate CVE IDs for security issues deemed to be the responsibility of cloud providers. The assumption is that cloud providers own the problem, and that assigning CVEs to issues that are not customer-controlled or patched by admins falls outside the CVE system's purview.

[Editor’s Note: This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for

Read More: https://threatpost.com/cve-cloud-bug-system/179394/