Cisco Opens Up Vulnerability Disclosure With OpenVuln API

Cisco's Product Security Incident Response Team pushes a new approach that makes security advisories easier to consume and act upon.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors


IT professionals are inundated on a daily basis with security advisories, but making sense of it all and understanding the impact is a challenge—a challenge that Cisco's Product Security Incident Response Team is aiming to help solve with the official launch Dec. 14 of the openVuln API.

The new API builds on Cisco PSIRT efforts to improve security disclosure information that were first announced in October.

"We're creating a programmatic approach to how organizations can consume vulnerability information and accelerate the vulnerability management process," Omar Santos, principal engineer of Cisco PSIRT Security Research and Operations, told eWEEK.

Cisco's goal with the openVuln API is to help push the IT industry as a whole toward the broader use of security automation standards, including Open Vulnerability and Assessment Language (OVAL) and the Common Vulnerability Reporting Framework (CVRF), which power the new Cisco API, according to Santos.

"CVRF is an XML-based language, and Cisco is a major contributor to the development of the language and it was incubated at the nonprofit Industry Consortium for Advancement of Security on the Internet [ICASI]," he said. "OVAL on the other hand was created by Mitre and is part of the Security Content Automation Protocol [SCAP] that helps security administrators with configuration best practices."

The openVuln API is a representational state transfer (REST) API, enabling it to be consumed and integrated into many types of existing IT management systems. OpenVuln API-based information is machine-readable content, said Santos, noting that the information provided by Cisco includes details about vulnerabilities as well as the associated risks. Of particular importance is the fact that there is also information included about all the specific versions and configurations of a given piece of software impacted by a vulnerability.

In the open-source world, the OpenSCAP tool that is included in Red Hat Enterprise Linux is a widely deployed technology for consuming OVAL information. Santos noted that OpenSCAP users can benefit from the Cisco openVuln API, as well as organizations that build their own tools.

Other security vendors can also use the openVuln API to improve security overall. For example, the API can be used by network security scanner technologies, such as Tenable's Nessus or Qualys' network scanning platform.

"So they can leverage the openVuln API information to make their scanners better," Santos said.

Cisco already has multiple ways that it provides users with security vulnerability information, including Web pages with advisories, email lists and RSS feeds, according to Santos. The openVuln API goes a step further to help automate what an organization can do with Cisco security information. For example, a large service provider could have a million Cisco devices deployed, with a need to be able to rapidly identify when and where firmware should be updated for a security vulnerability. With the openVuln API, the service provider can now rapidly determine impact and then create its own advisory in a network operations center (NOC) to facilitate and accelerate the patch management process, he said.

"So the moment Cisco publishes an advisory, the service provider can take whatever relevant information that they want and can display it for the specific teams that need to know about it," Santos said.

Going a step further, Cisco is building a new community on its DevNet to help organizations build tools, sample code and best practices for consuming openVuln API information.

Looking forward, Santos said more still can and will be done to help improve and automate security disclosure.

"We want there to be more security disclosure automation across the industry," he said. "The next step is to get more vendors to adopt security automation standards so we can automatically exchange vulnerability information."

Part of the increased adoption is likely to come through continued collaboration at ICASI, where Cisco is active. Santos noted that Cisco rival Juniper is also active at ICASI, as is VMware, Oracle, A10 Networks, Microsoft and IBM.

"The next step that I see is taking the vulnerability disclosure part and marrying it with things like threat intelligence and indicators of compromise," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.