Network Optix Becomes One of 300 Organizations Worldwide to Achieve CVE Numbering Authority Status, Bolstering Customer Cybersecurity
Network Optix is delighted to announce its official recognition as a CVE Numbering Authority, or CNA, by The MITRE Corporation. This recognition is a major achievement for Nx, as it positions us among the select group of around 300 organizations that have achieved this distinction globally.
While those skilled in the field of cybersecurity may be familiar with the CVE program and CNAs, many of us outside of the field remain totally oblivious to their importance in ensuring consumers' awareness of security vulnerabilities. To shed light on what being a CNA means for Network Optix and its customers, we sat down with Nx's Director of Cybersecurity, Vitaly Malkin, for an in-depth Q&A.
As Nx’s Director of Cybersecurity, can you give us a rundown of the CVE program before we get into exactly what a CNA is?
A: For example, let’s say Microsoft Windows had a vulnerability but released a patch that addressed it, making the software secure. However, not everybody regularly updates their software with the most recent patch, meaning that vulnerability still exists in the unpatched version of the software. To stay ahead of these potential security threats, it is paramount that companies make their customers aware of these vulnerabilities should they choose not to install the updated version of the software.
To address this, the Common Vulnerabilities and Exposures (CVE) program was established. CVE is a public record that aims to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities, assigning each a unique identifier, the CVE ID. A CVE ID enables automation and multiple parties to discuss, share, and correlate information about a specific vulnerability, knowing they are referring to the same thing.
How does a company report security vulnerabilities in order to obtain a CVE ID?
A: Well, that’s where CNAs come in. A CNA, or CVE Numbering Authority, is an organization that has been named as an authority by one of the few Global CNAs, like The MITRE Corporation, to assign CVE IDs to vulnerabilities and to create and publish information about the vulnerability in the associated CVE Record.
What are the implications of being a CNA for Network Optix as a software company?
A: Being a CNA is pivotal. Typically, it takes months for vulnerabilities to be cataloged and assigned CVE IDs. However, as a CNA, we are now authorized to publish vulnerabilities that exist within our own product as well as our partners’ products. This means we are able to quickly report and catalog vulnerabilities in the CVE, which sets us apart from other software companies.
What requirements must be met in order for an organization to be approved as a CNA?
A: To secure CNA status, Nx had to demonstrate to The MITRE Corporation our cybersecurity team's proficiency in generating and processing CVE reports. In order to do so, we began a diligent and meticulous reporting process two to three years ago. Through a long-term series of exercises and comprehensive reports, the team was able to showcase their proficiency in conducting CVE assessments. After a few years of maintaining consistency in our reporting, the Nx cybersecurity team applied for CNA authorization with the MITRE Corporation. Overall, the approval process took three to four weeks.
How common is it for a company to be established as a CNA?
A: There are approximately 300 CNAs globally, making Network Optix's status as a software company particularly unique.
Beyond Network Optix, what does CNA status mean for our customers and partners?
A: For our customers and partners, CNA status ensures that all the vulnerabilities in Nx products are promptly reported and cataloged in the CVE, as it is a CNA requirement from The MITRE Corporation. This achievement is another testament to Network Optix’s ongoing dedication to product security, providing assurance to our stakeholders.