Vendor SIG Activity Product Security Teams Meeting 16 November 2005

2005-November-16, Redwood Shores, CA, USA

The second meeting of Product Security Teams will be held on 2005-Nov-16 in USA. The host is Oracle and the venue is

350 Oracle Parkway (across from the Fitness Center), Redwood Shores, CA 94065

Driving instructions:

Southbound – Take Highway 101 South (toward San Jose) to the Ralston Ave./Marine World Parkway exit. Take Marine World Parkway east which will loop you back over the freeway. Make a left at the first light onto Oracle Parkway. 350 Oracle Parkway will be on the right.

Northbound – Take Highway 101 North (toward San Francisco) to the Ralston Ave./Marine World Parkway exit. Take the first exit ramp onto Marine World Parkway. Make a left at the first light onto Oracle Parkway. 350 Oracle Parkway will be on the right.

Parking – The Conference Center has a designated parking lot located directly across from the building. If the lot is full there is also additional parking in any of the parking garages located nearby. No parking permits are needed.

Driving Alternative – SamTrans (San Mateo County's Transit Agency) provides public bus service between the Millbrae BART station and Palo Alto with three stops on Oracle Parkway - one of which is directly in front of the Oracle Conference Center.

In order to attend this meeting you do not have to be a FIRST member, but you must be a vendor. Vendor is loosely defined as someone who is responsible for maintaining at least one product. There is no attendance fee, but you must send a mail to Damir Rajnovic <>.

Additional information regarding hotels and transportation will be provided soon.

The following vendors expressed interest in attending the event:

  • Aruba
  • Cisco Systems
  • Ericsson
  • Hitachi
  • HP
  • IBM
  • Intel
  • Juniper
  • Microsoft
  • Mindjet
  • Oracle
  • Ricoh
  • Siebel
  • Silicon Graphic
  • Sun
  • Windriver

November 16th (Wednesday)
Vendor SIG Meeting

09h00 - 09h15  Introduction and welcome, Damir Rajnovic (Cisco PSIRT)
09h15 - 10h00  Vulnerability handling in JPCERT/CC, Yurie Ito (JPCERT/CC)
10h00 - 11h00  Vulnerability handling in CERT/CC, Art Manion (CERT/CC)
11h00 - 11h15  Coffee break
11h15 - 12h00  Responsible Security Coordination with Open Source, Derrick Scholl (Sun)
12h00 - 13h30
13h30 - 14h00  Responsible Security Coordination with Open Source (continued), Derrick Scholl (Sun)
14h00 - 14h45  Legal issues, Tara Flanagan (Cisco Systems)
14h45 - 15h00  Coffee break
15h00 - 15h45  OVAL scheme, Andrew Buttner (MITRE)
15h45 - 16h30  Feasibility Study of OVAL based Vulnerability Management Extension, Masato Terada (Hitachi Ltd.)
16h30 - 16h50  Closing remarks, next meeting, Damir Rajnovic (Cisco PSIRT)

Presentations outline:

Vulnerability handling in JPCERT/CC, Yurie Ito, JPCERT/CC

Yurie will introduce the JPCERT/CC vulnerability handling/disclosure policy, the legal document that JPCERT/CC contracts with vendors, the vendor registration scheme of JPCERT/CC vulnerability handling, and the JVN (JP Vendors status Notes) portal site. She will also introduce JPCERT/CC's international handling partnership with partner CSIRTs (CERT/CC, NISCC).

Vulnerability handling in CERT/CC, Art Manion, CERT/CC

Art Manion will explain the process used by the CERT/CC to handle vulnerabilities, focusing on vendor coordination. A basic tenet of the CERT/CC process is that vendors should have an opportunity to investigate and respond to vulnerability reports. The process depends on factors that include communication, some degree of shared understanding/expectations, and consistent behavior.

Responsible Security Coordination with Open Source, Derrick Scholl, Sun

Sun Microsystems recently open sourced its Solaris Operating System. I'd like to present some of the pitfalls and experiences we have encountered thus far as we learn to exist in both the open source and responsible vendor worlds. In addition, I'd like to ask some thought-provoking questions and maybe even generate a discussion with other vendors about the future of responsible security coordination with open sourced products.

Legal issues, Tara Flanagan, Cisco Systems

Some legal issues related to handling product security vulnerabilities.

OVAL scheme, Andrew Buttner, MITRE

An introduction to the OVAL scheme and some of its uses.

Feasibility Study of OVAL based Vulnerability Management Extension, Masato Terada, Hitachi Ltd.

In vulnerability management, it is difficult to check the vulnerability of an information system from a security advisory alone. In this work, we have taken up this issue. We have examined how one can provide a useful vulnerability management service to administrators. This presentation shows a proof-of-concept prototype, "OVAL based Vulnerability Management Extension". The functions of the Extension that support useful vulnerability management are the following:

  • A framework based on pattern file supplied by product vendors
  • A connective Web service based OVAL interpreter (WebOVAL, CmdOVAL)
  • A vulnerability management with a priority ratings service of CVSS