Software makers and online service providers need to prepare for two new ISO standards on vulnerability handling processes that are due for publication by the end of 2013.
ISO 30111 covers all vulnerability handling processes, whether they are identified internally or are reported by an external source.
ISO 29147 covers vulnerability disclosures from external sources such as end users, security researchers and hackers.
Katie Moussouris, editor of the 30111 standard and senior security strategist lead at Microsoft, expects ISO 29147 to make it easier to report vulnerabilities in software and services.
“The standard will also make advisory notices on vulnerabilities more useful in assessing risk and applying remediation,” she told attendees of RSA Conference 2013 in San Francisco.
ISO 29147 provides guidelines for preparing to receive external vulnerability reports, and the first requirement is for suppliers to make it easy to make contact with the right people internally.
“Make it easy to find the front door; it must be obvious where to submit reports because if it is not, vulnerability finders may resort to other channels such as the media or online forums,” said Moussouris.
The next thing is to acknowledge receipt of the vulnerability report, which the standard says must be done within 7 calendar days.
“This is not the same as acknowledging the vulnerability, so no investigation is required first,” said Moussouris.
An auto-reply is probably not a good idea, she said, adding that this is a good opportunity to get the relationship with the finder off to a good start and to find out as much information as possible about the vulnerability as this will save time later during the investigation.
Once the vulnerability has been verified, the next step is to send out an advisory. According to the ISO standard, advisory notices should include:
- Unique identifiers for the vulnerability and the advisory
- Enough information for users to determine the level of risk
- The platforms and/or services affected by the vulnerability
- How severe an exploit of the vulnerability could be
- Location of fixes or workaround documents
“It is also probably a good idea to give the finder of the vulnerability credit,” said Moussouris.
ISO 30111 provides guidelines and recommendations for investigating and remediating vulnerabilities:
- Have a process and organisational structure in place to support investigation and remediation
- Perform a root cause analysis to identify all products/services that could be affected
- If the vulnerability affects multiple products/services, prioritise according to severity rating
- Balance speed with thoroughness – if threat is high, consider immediate temporary fix
- Co-ordinate with other suppliers if appropriate
There are several possible exit conditions, said Moussouris. These are:
- An inability to reproduce the vulnerability
- The vulnerability is already under investigation
- The vulnerability affects only obsolete products
- Vulnerability is not exploitable
- Vulnerability is in a third-party product/service
An inability to reproduce the vulnerability will require further discussion with the finder; knowing whether a vulnerability is exploitable demands that suppliers keep up with the latest hacking techniques; and in the case of a third-party vulnerability, that supplier should be notified, said Moussouris.
Once a security update has been designed, created and released to users through an advisory, there are several post-release activities set out by the ISO standard:
- Ongoing maintenance
- Feedback to security development lifecycle to ensure continual improvement
- Monitoring of the effectiveness of the security update
- Monitoring of the time taken between vulnerability report and resolution
- Ensuring confidentiality of the details of the vulnerability and any personal information involved
- Communication with finder, product divisions, affected users and supply chain
Moussouris expects ISO 30111 to raise the level of investigations carried out by suppliers and to improve the speed and quality of remediation.