Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Cisco Opens Up Vulnerability Disclosure With OpenVuln API

    By
    Sean Michael Kerner
    -
    December 15, 2015
    Share
    Facebook
    Twitter
    Linkedin
      Cisco

      IT professionals are inundated on a daily basis with security advisories, but making sense of it all and understanding the impact is a challenge—a challenge that Cisco’s Product Security Incident Response Team is aiming to help solve with the official launch Dec. 14 of the openVuln API.

      The new API builds on Cisco PSIRT efforts to improve security disclosure information that were first announced in October.

      “We’re creating a programmatic approach to how organizations can consume vulnerability information and accelerate the vulnerability management process,” Omar Santos, principal engineer of Cisco PSIRT Security Research and Operations, told eWEEK.

      Cisco’s goal with the openVuln API is to help push the IT industry as a whole toward the broader use of security automation standards, including Open Vulnerability and Assessment Language (OVAL) and the Common Vulnerability Reporting Framework (CVRF), which power the new Cisco API, according to Santos.

      “CVRF is an XML-based language, and Cisco is a major contributor to the development of the language and it was incubated at the nonprofit Industry Consortium for Advancement of Security on the Internet [ICASI],” he said. “OVAL on the other hand was created by Mitre and is part of the Security Content Automation Protocol [SCAP] that helps security administrators with configuration best practices.”

      The openVuln API is a representational state transfer (REST) API, enabling it to be consumed and integrated into many types of existing IT management systems. OpenVuln API-based information is machine-readable content, said Santos, noting that the information provided by Cisco includes details about vulnerabilities as well as the associated risks. Of particular importance is the fact that there is also information included about all the specific versions and configurations of a given piece of software impacted by a vulnerability.

      In the open-source world, the OpenSCAP tool that is included in Red Hat Enterprise Linux is a widely deployed technology for consuming OVAL information. Santos noted that OpenSCAP users can benefit from the Cisco openVuln API, as well as organizations that build their own tools.

      Other security vendors can also use the openVuln API to improve security overall. For example, the API can be used by network security scanner technologies, such as Tenable’s Nessus or Qualys’ network scanning platform.

      “So they can leverage the openVuln API information to make their scanners better,” Santos said.

      Cisco already has multiple ways that it provides users with security vulnerability information, including Web pages with advisories, email lists and RSS feeds, according to Santos. The openVuln API goes a step further to help automate what an organization can do with Cisco security information. For example, a large service provider could have a million Cisco devices deployed, with a need to be able to rapidly identify when and where firmware should be updated for a security vulnerability. With the openVuln API, the service provider can now rapidly determine impact and then create its own advisory in a network operations center (NOC) to facilitate and accelerate the patch management process, he said.

      “So the moment Cisco publishes an advisory, the service provider can take whatever relevant information that they want and can display it for the specific teams that need to know about it,” Santos said.

      Going a step further, Cisco is building a new community on its DevNet to help organizations build tools, sample code and best practices for consuming openVuln API information.

      Looking forward, Santos said more still can and will be done to help improve and automate security disclosure.

      “We want there to be more security disclosure automation across the industry,” he said. “The next step is to get more vendors to adopt security automation standards so we can automatically exchange vulnerability information.”

      Part of the increased adoption is likely to come through continued collaboration at ICASI, where Cisco is active. Santos noted that Cisco rival Juniper is also active at ICASI, as is VMware, Oracle, A10 Networks, Microsoft and IBM.

      “The next step that I see is taking the vulnerability disclosure part and marrying it with things like threat intelligence and indicators of compromise,” he said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×