A (12:32)

Get in the game with the college branded Venmo debit card. Rep your team with every tap and earn up to 5% cash back with Venmo Stash, a new rewards program from Venmo. No monthly fee, no minimum balance, just school pride and spending power. Get in the game and sign up for the Venmo debit card@venmo.com collegecard the Venmo MasterCard is issued by the Vanccorp Bank NA Select Schools available Venmo Stash terms and exclusions apply at Venmo me stash terms max $100 cash back per month.

C (13:07)

Jeff Williams is founder of OWASP and co founder and CTO of Contrast Security. He joins us to discuss how NIST is rethinking its role in analyzing software vulnerabilities.

D (13:21)

In the early 2000s, researchers were finding lots of vulnerabilities in products and we need a way to exchange those. Like the people that are using those products need to know about them so they can update their software and so on. And NIST established the CVE program, the Common Vulnerability Enumeration program, which would capture those vulnerabilities, assign them a number, and generate certain metadata about those vulnerabilities, like a score, for instance. You want to know which ones are a 10 and which ones are a 4.2. And they made a database that lots and lots of people came to rely on. In the early days, there weren't that Many vulnerabilities. But last year I think there were something like 45,000 vulnerabilities that ran through that program, which is a healthy number and it's predicted to almost double this year.

C (14:18)

So what's the issue then, that NIST is taking a look at this? I mean, is it merely just a matter that it's growing so fast it's hard to keep track of?

D (14:27)

Well, that's part of it, but the big problem happened last year when their funding got cut and that caused a lot of problems. They got way behind in vulnerabilities that they have to process through. So there's this giant backlog and that holds up people patching their software and being protected against that stuff. So it's actually kind of a dangerous situation. And when you zoom out, you realize most of the cybersecurity industry is built on top of this tiny little pedestal that is this program run by a few folks at mitre.

C (15:07)

Now, simultaneous to this, the EU is launching their own version of this. Is that an accurate way to describe it, the gcve?

D (15:17)

Yeah, it's got some differences, but yeah, they saw the struggles that we're experiencing here in the US running this program and they said, well, we don't want to be dependent on just that source for our vulnerabilities. So they created their own authority.

C (15:36)

Now, is this intended to be something that runs alongside of our own program or could it potentially replace it?

D (15:44)

It's intended to run alongside it. And that's some of the challenge here, is that instead of having one major vulnerability authority, now we're going to have a bunch. And that creates friction for people that want to use those services. Now imagine you're a company that just wants to make sure you do your updates. Where do you go for that information? Do you go to the old CVE program? Do you go to the new GNA driven program, the GCVE program in Europe? I said GNA because they have. Their system involves multiple numbering authorities, which is kind of another complication. It's a federated kind of approach, which, you know, has advantages and disadvantages, but if you have to check a whole bunch of different places, there might be duplicates and it creates friction.

C (16:43)

You'd think we would have learned our lesson just from trying to name threat actors, right? Like whether it's fancy bear or octopus, Panda or. Nobody can agree on that, that we wouldn't head down this path again.

D (16:58)

I'm glad that the CVE program came up with a very simple, unsexy naming approach. CVEs are just named like CVE 20250001 and the next one's named 0002. And just some of the vulnerabilities get colloquial names, but most of them don't.

C (17:22)

How do you suspect this is going to play out?

D (17:25)

I think it's anybody's guess. I think it's really unfortunate that the US Kind of fumbled the ball here. I think we had the potential to be the authority for CVEs for the entire world and really do something good for cybersecurity. But we've kind of bungled it now. We've broken a lot of trust. And so I think now other countries are going to start to build their own databases and it's going to make a mess of things for a while.

C (17:58)

What's your advice to the folks who rely on this? How do they approach this? Looking at the level of uncertainty that may be ahead of us, I think

D (18:09)

we just gotta get used to a world where there's multiple vulnerability authorities and you're gonna have a lot of duplicates. Hopefully they have the same numbers. But, you know, it's entirely conceivable that two researchers find a similar vulnerability, report it to their own vulnerability entity, they get different CVE numbers and they just live as duplicates within this world, which is then going to cause confusion. Like, did I patch it? Did I not patch it? Hey, oh, no, I already did this. How do I track it? This. Impossible to underestimate the importance of this service in the cybersecurity world. If you don't know where the vulnerabilities are, you can't have a patching program. You can't keep your software up to date. And so this is going to be a pain in the back of my head. I'm like, we really need another service that unifies all these.

C (19:05)

But then I realized, yeah, that was going to be my next question. It seems like we'll need a deconflicting service, but now you've got three, right?

D (19:14)

Exactly. There are some things I think they could do that would improve things, I think putting more work into analyzing these vulnerabilities and deconflicting things, making a great API that people can use at massive scale. These things get bombarded with requests. So until very recently, the CVE program didn't have good APIs, and they were constantly going up and down and stuff. So there are things we could do to make this system better and make the world a safer place. But right now it looks like there's. I'd say disorganization going on.

C (19:59)

Has there been any call for this task to be transferred to someone other than nist?

D (20:05)

Well, CISA got involved when MITRE lost funding. CISA came to the rescue, and so they funded the program for a while. And I think just in the current political environment in the U.S. i think it's difficult to imagine that this program's gonna get significantly expanded.

C (20:27)

Yeah, it's hard to be, I guess, overly optimistic about. Feels like folks have to kind of hang on and see what's coming next, see how this shakes out.

D (20:41)

Yeah, it just seems so foolish to me like this, you know, having a great infrastructure for managing these risks is for the amount of money we're talking about, it's in the low tens of millions of dollars to fund this program. It's a rounding error in the defense budget and it's really critical. Cybersecurity that may be the next battlefield. And keeping it secure is pretty critical to our defense and the safety of the world. So I don't understand the priorities here.

C (21:20)

Yeah, it really is. It's a common good.

D (21:23)

Yeah. And I think, you know, I don't know if our current government is really that interested in common goods.

C (21:30)

That's Jeff Williams from Contrast Security. Foreign. No, it's not your imagination. Risk and regulation really are ramping up and customers expect proof of security before they'll sign that deal. That's where VANTA comes in. VANTA automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. Whether you're preparing for SoC2 or managing an enterprise governance risk and compliance program, VANTA helps keep you secure and keeps your deals moving. Companies like Ramp and writer spend 82% less time on audits with Vanta. That's not just faster compliance, that's more time for growth. Take it from me, if you're thinking about compliance, take the time to check out Vanta. Get started@vanta.com cyber. Your planet is now marked for death.

E (22:44)

Marvel Studios the Fantastic Four First Steps is now streaming on Disney.

A (22:48)

We will protect you as a family.

E (22:50)

Light em up, Johnny. Marvel's first family is certified fresh on Rotten Tomatoes.

C (22:55)

That is fantastic.

E (22:57)

And critics say it's one of the best superhero movies of all time. Marvel Studios The Fantastic Four first steps now streaming on Disney. Rated PG 13.

C (23:06)

What time has it been? It's clobber DIIIII. And finally, in the escalating arms race between wearable tech and personal privacy, a hobbyist sociologist has entered the chat. Yves Jean Renault built an Android app called Nearby Glasses that scans for Bluetooth signatures of smart glasses, including those made by Meta in partnership with luxottica Group, and sends a polite but pointed alert. Smart glasses are probably nearby. The app listens for Bluetooth low energy advertising signals and flags devices tied to Meta or Snap. It may produce false positives, as one test confused a Meta Quest headset for eyewear, but it reflects growing unease as companies add artificial intelligence features. The New York Times recently reported Meta is exploring facial recognition for its glasses. Jean Renaud calls his project a tiny part of resistance. It will not stop surveillance culture, but it might at least let you know when it's looking back at you. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com be sure to check out this weekend's Research Saturday and my conversation with Dr. Renee Burton, Vice President of Infoblox Threat Intel. The research we're discussing is titled Parked Domains and Direct Search and Underreport Security Risk. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Foreign. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26. I'll see you in San Francisco.