Deploying JP Vendor Status Notes (JVN) for Dissemination of Security Information Throughout Japan

4. RSS: key to successful dissemination of security information


Virtually all security information today is distributed in the form of HTML-based web pages. This means that fragmented information from various web sites is collected and reassembled, and considerable time and effort is required to reestablish the interconnections and relatedness between the various bits and pieces of information. From the information provisioning side, if information could be published in a form more easily processed by machine, then it could be reused much more flexibly and extensively.

 

One manifestation of this concept is the "Semantic Web(*1)", which defines and links information in a way that can be automatically processed by computers using XML(*2) and RDF (Resource Description Framework)(*3). Using RDF--a key technology of the Semantic Web--document headlines and summaries can be provided in a common XML-based format. RSS(*4) (RDF Site Summary), now being rapidly adopted as a new Internet trend, permits efficient distribution of site updates and other information. Capitalizing on RSS is an essential point in the operation of JVN, for this handily resolves the following two basic issues:

 

  • Distribution designed to encourage reuse of information

Since our primary objective is the aggregation of vulnerability mitigating information from software product vendors, the information recombined on JVN is in HTML-based webpage format. But in order for published information to be reused, it must be distributed in a format that is machine-processable. This is where RSS comes in. By using RSS, JVN data can be distributed in the same format as the news feeds provided by news sites. And because the content is described by RSS, one can easily verify if additional information has been added to an item or an item has been updated.

 

  • More efficient aggregation of information from product vendors

It is envisioned that JVN will aggregate and combine vulnerability mitigating information received from software product vendors in the form of mail notifications, so a format is being prepared for that purpose. But in order to enlist the participation of as many product vendors as possible, some efficient means of collecting information other than mail must also be set up. Use of RSS will enable information to be collected from product vendor websites and automatically recombined on the JVN site. An obvious prerequisite for this is the ability of the product vendor sites to accommodate RSS, but clearly the rapid and efficient dissemination of vulnerability mitigating information is just as important for putting in place an official framework for providing software vulnerability related information. In other words, right now the ability to use RSS holds the key to successfully implementing a scheme for distributing security related information.
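The update check and vendor-feed collection described in the two points above, as an added example (not JVN's or Hitachi's code): it parses an RSS 1.0 (RDF) feed and reports which items are new and which changed since the last poll. The feed URLs, the item contents and the use of `dc:date` as the update marker are assumptions, and both sample feeds are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
      "rss": "http://purl.org/rss/1.0/",
      "dc": "http://purl.org/dc/elements/1.1/"}
RDF_ABOUT = "{%s}about" % NS["rdf"]

# Constructed sample: two successive polls of a hypothetical vendor feed.
FEED_V1 = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns="http://purl.org/rss/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/">
 <item rdf:about="https://vendor.example.com/security/adv-001">
  <title>Advisory 001</title><dc:date>2004-07-01T09:00:00+09:00</dc:date></item>
</rdf:RDF>"""
FEED_V2 = FEED_V1.replace("2004-07-01", "2004-07-05").replace(
    "</rdf:RDF>",
    ' <item rdf:about="https://vendor.example.com/security/adv-002">\n'
    "  <title>Advisory 002</title><dc:date>2004-07-05T10:00:00+09:00</dc:date></item>\n"
    "</rdf:RDF>")

def parse_feed(xml_text):
    """Return {item URI: (dc:date, title)} for one RSS 1.0 document."""
    # Feeds come from third-party sites: refuse any DTD so that entity
    # expansion or external-entity declarations never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in feed")
    root = ET.fromstring(xml_text)
    items = {}
    for item in root.findall("rss:item", NS):
        uri = item.get(RDF_ABOUT) or item.findtext("rss:link", "", NS)
        date = item.findtext("dc:date", "", NS).strip()
        title = item.findtext("rss:title", "", NS).strip()
        if uri:
            items[uri] = (date, title)
    return items

def diff_feed(seen, xml_text):
    """Compare a fetched feed with stored state `seen` (updated in place).

    Returns (new, updated): URIs never seen before, and URIs whose
    dc:date differs from the stored one."""
    new, updated = [], []
    for uri, (date, title) in parse_feed(xml_text).items():
        if uri not in seen:
            new.append(uri)
        elif seen[uri][0] != date:
            updated.append(uri)
        seen[uri] = (date, title)
    return new, updated
```

Keeping one `seen` dictionary per vendor feed lets an aggregator regenerate only the pages whose items appear in `new` or `updated`.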

Figure 2: Automatic generation of pages at the JVN site

By developing a database that can interact with and store RSS lists, CERT-CA, CERT-VU, CVE, and CIAC bulletins, and other sources of security related information and by putting in place the same mechanisms used at other sites dealing with security information, the operational overhead involved in collecting the security information can be greatly reduced.

Figure 3: Security information RSS portal

*1 Semantic Web: Technology which enables collection of higher quality information by allowing computers to understand the meaning of web-site information. "Meta-data", which helps computers understand the content, is added to the page content in RDF format.

*2 XML (eXtensible Markup Language): A general-use extensible meta-language for creating structured documents. The data is human-readable because it is a text format, and it can be processed easily by computer because tags are added to the text to give it structure.

*3 RDF (Resource Description Framework): A fixed framework for a method to describe meta-data, i.e., information about information. The information is described using XML, allowing automation of tasks such as classification or searching of information processed by computer.

*4 RSS (Rich Site Summary or RDF Site Summary): An XML format for distributing web site summaries. Can include a web page title, address, headings, summary and update time.