Adopt vulnerability management for greater benefit

Identifying and managing software vulnerabilities has always been an important element of good security hygiene, and it is becoming ever more important to CISOs as the world becomes more interconnected and companies drive the digital transformation of their businesses.

Security researchers are part of the vulnerability management ecosystem and use their skills and tooling to identify vulnerabilities that pose a clear and present risk to consumers if exploited. However, once researchers have identified these vulnerabilities, communicating that information effectively and constructively has historically been a challenge.

Vendor and corporate executives have viewed such approaches with suspicion, treating them as an act of attack or intimidation, refusing to take part in the conversation, or worse, threatening the disclosing parties with legal action. These responses either leave the vulnerability unaddressed or leave the problem in the hands of the researcher, who may publish it anyway, putting everyone on the back foot.

Researchers' approaches take many forms. Some are ethical, some confrontational, some intimidating. The approach can also be indirect, through journalists and bloggers who apply their own moral and ethical norms in the name of the public good. The best advice is to decide in advance how you want to handle such a situation, rather than burying your head in the sand.

And that’s where Responsible Disclosure (RD) comes in.

The main purpose of RD is to define a policy for receiving and managing vulnerabilities identified by researchers in a transparent, practical and collaborative way. The desired result is that both parties work together to minimize the potential for harm from the vulnerability. The timing of communication must be agreed so as to best manage risk and impact (perhaps with proper reputation management and public relations), and both parties need to understand what success will look like. The policy should also cover any rewards for confirmed vulnerabilities disclosed through the program.

There are no specific criteria for defining an approach to RD or for how aggressively it should be promoted. Incentive schemes such as bug bounty programs, while sometimes useful, can also pose a variety of challenges, including an increased workload driven by lucrative financial incentives. Organizations such as the UK National Cyber Security Centre (NCSC) now offer a handy toolkit to get you started.

However, while setting up RD policies and processes is a practical step, it is important to recognize that disclosure situations can vary significantly. Be prepared to work outside the process in some circumstances, as long as you ultimately reach the desired "good" published result.

Once a vulnerability is disclosed, an initial triage of that information will help determine the next step. The purpose is to reduce harm and manage risk, but the judgment can be difficult. Announcing a vulnerability before a patch is available can cause anxiety among customers, but that is balanced against the ability to have a transparent conversation about workarounds and mitigations.

Disclosure before a patch is available can be risky if the vulnerability affects a safety-critical asset, especially if the vulnerability is likely to be exploited.

Similarly, there may be moral and ethical questions to weigh. What if the vulnerability is broad enough to span multiple vendors, products and end users? In that case, even if it could cast a shadow over your own organization, should you publish it immediately so that everyone can work together to resolve the issue? What if the vulnerability is already in the public domain? What if the disclosing party is already communicating outside the RD process?

If you were warned in advance and it becomes clear to observers that you did nothing about it, you risk damaging your reputation. Pre-emptive communication may mitigate that risk, or it may create another one. Every situation is different, but if you plan ahead, at least you will not be caught off guard.

Having a clear stance on RD promotes transparency and demonstrates commitment to the cause. Each party knows in advance how they are involved and where they stand in terms of potential consequences. Planning what to do before a situation arises is a practical step, but no two scenarios are the same, and each presents a different set of moral, ethical and logistical challenges to overcome. You need to be aware of the possibilities and consider the uncertainties.