SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Sophos named a Numbering Authority in CVE programme
Tue, 19th Jan 2021
FYI, this story is more than a year old

Sophos has been recognised as a Numbering Authority (CNA) in the Common Vulnerabilities and Exposures (CVE) programme, an international standard for identifying cybersecurity vulnerabilities.

The company can now authoritatively assign CVE identification to vulnerabilities in its own products, while external security researchers can now collaborate with Sophos to open CVEs for its products.

The CVE programme, which runs an open data registry of vulnerabilities, enables programme stakeholders to correlate vulnerability information used to protect systems against attacks.

The registry is publicly available to security researchers, vulnerability disclosers and IT vendors, simplifying the task of sharing and cross-checking data across the industry's disparate security databases. The programme currently has 149 CNA's in 25 countries.

“Sophos' new status as a CNA is another example of our commitment to be transparent, and by having the ability to assign CVEs, we can provide the industry with pertinent information about our products faster,” says Sophos vice president and chief information security officer Ross McKerchar.

“This allows organisations to more quickly assess security issues, determine the scale of urgency and prioritise updates.

“Sophos' CVEs will also get entered into the multiple CVE-compatible databases within the industry. By working collectively on these databases with other vendors and industry standards watchguards, we can together improve defences against persistent attackers.

CVE board member Kent Landfield says Sophos' addition to the programme will provide long-term benefits.

“The Common Vulnerabilities and Exposures Team welcomes Sophos as our newest CVE Numbering Authority,” says Landfield.

“Sophos has a strong reputation of contributing to the global digital security community, producing antivirus, encryption and cybersecurity capabilities for over 30 years.

“Their experience brings real value to the CVE Program. We are very pleased to have Sophos as a contributing member of the CVE Team.

Sophos' recognition as a Numbering Authority comes just weeks after the company announced that it would open its data science breakthroughs by introducing four new AI development projects. The move was part of an effort to sharpen the industry's defence against cyber-attacks, and make its own practices and use of AI in cybersecurity more transparent.

The projects focused on malware detection, impersonation protection, digital epidemiology to determine undetected malware, and automatic signature generation tools.

Sophos says this model allows it to react quickly to market needs and predict where the industry must head to achieve better cybersecurity collaboration and innovation.

“With SophosAI's new initiative to open its research, we can help influence how AI is positioned and discussed in cybersecurity moving forward,” says Sophos CTO Joe Levy.

“Today's cacophony of opaque or guarded claims about the capabilities or efficacy of AI in solutions makes it difficult to impossible for buyers to understand or validate these claims.

“This leads to buyer scepticism, creating headwinds to future progress at the very moment we're starting to see great breakthroughs.

“Correcting this through external mechanisms like standards or regulation won't happen quickly enough. Instead, it requires a grassroots effort and self-policing within our community to produce a set of practices and language that will advance the industry in a disruptive, open and transparent manner.