Wiz has been authorized by the Common Vulnerability and Exposures (CVE®) Program as a CVE Numbering Authority (CNA). This milestone is thrilling and humbling. Not only are we excited to deepen our support for the global security community by being able to assign CVEs to vulnerabilities – and rapidly share disclosed cybersecurity vulnerabilities with the public – but it also prompts us to reflect on how far things have come in the past few years since Wiz Research team members first advocated for change.
The CVE Program has been a hallmark of transparency in information security for 25 years. Its work identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities has helped give rise to discussions about risk as it relates to the digital services we all rely upon.
Wiz was founded on the idea that we can make the cloud more secure without hindering its capacity for innovation. Transparency and collaboration are fundamental to that journey. In November 2021 Wiz first issued a call to action on this front, writing a blog post in which we observed how responsibilities had shifted since the pre-cloud era. We argued that the security industry needed to build a cloud vulnerability database and rethink its approach to addressing cloud vulnerabilities. A few months later, Wiz kickstarted a coalition of contributors that built one.
(Sidenote: that link leads to the Open Cloud Vulnerability & Security Issue Database. For the story behind this effort, including how Wiz initiated it and what the central database reveals about weaknesses in the cloud, we highly recommend the recording of this 2022 fwd:cloudsec presentation: “We built a community cloud vulnerability database, now what?”)
The collective understanding of cloud risk has changed significantly in the last few years, and today we hope all cloud service providers join us in our effort to make the disclosure and submittal of cloud-based vulnerabilities to the CVE Program an industry norm and standard expectation.
Why cloud-based vulnerabilities matter to everyone

CVEs have long been the norm for on-premises software and devices. Until recently, however, there was no expectation that cloud service providers share data about vulnerabilities they identify and fix in their own services, or explain how their updates and remediations affect customer security. This year has marked a watershed on that issue: a broad shift toward disclosure of cloud vulnerabilities has taken place in a few short months:
In March, the U.S. Department of Homeland Security Cyber Safety Review Board (CSRB) highlighted this issue in their review of the Summer 2023 Microsoft Exchange Online intrusion, recommending that cloud service providers work with the CVE Program to develop norms for the rapid release of these vulnerabilities.
Not long thereafter, the CVE Program approved changes to its rules that allow CNAs to assign CVEs to significant vulnerabilities regardless of whether customers need to take action to be protected. This is a fundamental change that should allow CVE assignment for cloud vulnerabilities to become commonplace, provided the industry embraces it.
This summer, Microsoft announced it will issue CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or to take other actions to protect themselves.
We support these developments, and we hope the industry joins us in making disclosure of all cloud vulnerabilities through the CVE process the expectation rather than the exception. Our position is shaped by our research team's continued discovery of vulnerabilities that do not fall neatly on one side of the cloud shared responsibility model or the other: they require remediation in which both the CSP and the customer have a part to play.
ChaosDB is one example of this dynamic. In August 2021 we discovered an unprecedented service-level vulnerability in Azure Cosmos DB that leaked customers' access keys, giving the holder of a leaked key full access to the Cosmos DB databases of other cloud tenants. Because the vulnerable feature was enabled by default, many customers were exposed without their knowledge. The provider could close the hole on its side, but a key that has already leaked stays valid until its owner rotates it, so users had to regenerate the keys of every Cosmos DB instance themselves. The window during which the vulnerability was exploitable was never made clear, making it difficult for users to judge the risk to their systems.
This is just one example of what will be a necessary relationship in the shared responsibility model. As we stated in 2021:
Unlike other vulnerabilities that require user intervention like software vulnerabilities where we have CVEs, these cloud vulnerabilities have no identifier or enumeration, no standard format, no severity scoring and no proper notification channel. The response actions are a mix of efforts from the CSP and the user. A lack of clarity and understanding around this handoff for cloud vulnerabilities is leading to missed opportunities and decreased security.
It is encouraging to see the industry taking steps towards greater transparency. For Wiz, becoming an authorized CNA is a milestone and effectively a full-circle moment, given our earlier stance that “there has to be a better way.” The Wiz Research team has a singular commitment to discovering new risks in cloud and AI environments. Continuing to support this community through our role as a CNA goes hand in hand with our belief that collaboration, innovation, and transparency are key to making the digital world a safer place.