David Jorm

David has been involved in the security industry for the last 15 years. During this time he has found high-impact and novel flaws in dozens of major Java components. He has worked for Red Hat’s security team, led a Chinese startup that failed miserably, wrote the core aviation meteorology system for the southern hemisphere, and has been quoted in a major newspaper as saying North Korea’s nuclear program is “ready to rock”.

He is currently focusing on SDN security, and leads the OpenDaylight and ONOS security teams.

Twitter: @djorm

Presentation Title
CVE is logjammed, CNVD is nearly as bad, and my heart bleeds for the whole mess

In 2014-15 a range of high-impact vulnerabilities appeared with catchy names: Shellshock, Heartbleed, Logjam, etc. Debate raged around this trend, with many arguing that people took named vulnerabilities more seriously regardless of their actual impact. What people didn't really consider was whether naming a vulnerability had become necessary simply to give it a useful canonical identifier.

This presentation will explore the Common Vulnerabilities and Exposures (CVE) program, which aims to provide canonical identifiers for vulnerabilities. It will argue that CVE is fundamentally broken, and that the MITRE Corporation running it is both unable to fix it and unsuited to issuing canonical identifiers because of its conflict of interest as a government-funded program. A litany of failures of the CVE process will be detailed, along with inside information on the extent to which the process is governed by secret rules at the behest of large software companies *cough* Google *cough*.

Alternatives such as China's CNVD will also be examined, followed by discussion of a movement currently underway in the community to take over and fix the CVE process.


Conference Highlights

New Venue
Don't miss the best cyber security conference in Australia at the Surfers Paradise Marriott, only 150 m from Surfers Paradise beach

Conference MC
Comedian and Mathematician Adam Spencer will host the conference, Gala Dinner and Speed Debate

Career Café
Retreat to the back of the exhibition away from the noise for a real coffee at the AusCERT2016 Career Café and chat with specialist Infosec recruiters