Steve Christey Coley is a Principal Information Security Engineer in the Cyber Security Division at The MITRE Corporation, supporting the FDA CDRH on Medical Device Cyber Security. He likes changing his last name every two decades or so. With cybersecurity experience dating back to 1993, Steve was the co-creator and Editor of the Common Vulnerabilities and Exposures (CVE) list and chair of the CVE Editorial Board from 1999 to 2015. He is the technical lead for the Common Weakness Enumeration (CWE), Common Weakness Scoring System (CWSS), and the community-driven CWE/SANS Top 25 Most Dangerous Software Errors. He was a co-author of the influential "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002. He was an active contributor to other efforts including the Common Vulnerability Scoring System (CVSS) version 2, the Common Vulnerability Reporting Framework (CVRF), NIST's Static Analysis Tool Exposition (SATE), certain non-public projects involving the assessment of static code analysis tools, and the SANS Secure Programming exams. His current interests include ensuring that emerging technologies do not repeat the chaotic path to effective vulnerability management that occurred with enterprise software in the 1990s; secure software development and testing; consumer-friendly software security metrics; the theoretical underpinnings of vulnerabilities; developing analogies between epidemiology and information security (e.g. within vulnerability statistics); improving the exchange of vulnerability information across global regions, language boundaries, emerging industries, and newly-connected technical domains; and making the cybersecurity profession more inclusive, diverse, and accessible to everybody who seeks a place in it. He holds a B.S. in Computer Science from Hobart College.
Toward Consistent, Usable Security Risk Assessment of Medical Devices