The two previous articles covered vulnerability tracking and secure development. This article covers the final phase of the secure development lifecycle: vulnerability response. Responding well to vulnerabilities is a mark of a mature development shop.
The primary objective is to keep every customer as safe as possible: ship updated software, and give customers the mitigation information they need for the period before they can install it.
Step One: Assign a severity to each vulnerability
See the earlier article on tracking vulnerabilities for example severities. The severity sets the urgency of the response; a critical vulnerability demands an immediate one. The severity is rarely final on day one. The cone of uncertainty around a vulnerability often lingers for days, with new information surfacing regularly: Shellshock, for example, grew to 6 CVE identifiers over about 5 days as the initial fix proved incomplete and related bugs were found. A dedicated team needs to continuously re-analyze the vulnerability as information arrives and adjust the severity, and the response, accordingly.
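The following is an added example, not code from the original article or series. It tracks one incident as information arrives over several days: each update attaches a CVSS score to a CVE identifier, the incident's severity is the worst of all linked identifiers rather than the first one published, and every upward change is recorded as an event that should trigger re-notification of customers. Because the earlier article's severity scheme is not reproduced here, the CVSS v3.x qualitative bands are assumed in its place; the CVE identifiers, dates and scores in the timeline are constructed placeholders, not real records.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def cvss_rating(score: float) -> str:
    """Map a CVSS v3.x base score onto the qualitative severity bands published by FIRST.

    Assumption: used here as a stand-in for the severity scheme from the earlier article.
    """
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Update:
    """One piece of new information about an incident (constructed input for this example)."""
    day: date
    cve: str
    score: float
    note: str


@dataclass
class Incident:
    name: str
    scores: dict = field(default_factory=dict)        # CVE id -> latest score published for it
    severity: str = "None"
    escalations: list = field(default_factory=list)   # (day, cve, old severity, new severity)
    first_seen: Optional[date] = None
    last_seen: Optional[date] = None

    def ingest(self, u: Update) -> bool:
        """Fold one update into the incident; return True if the severity went up."""
        self.first_seen = self.first_seen or u.day
        self.last_seen = u.day
        # The latest score for a CVE is the current best estimate; a re-score may go either way.
        self.scores[u.cve] = u.score
        # Incident severity is the worst of all linked identifiers, not the first one published.
        new = cvss_rating(max(self.scores.values()))
        escalated = RANK[new] > RANK[self.severity]
        if escalated:
            # Only increases are recorded: each one means customers must be told again.
            self.escalations.append((u.day, u.cve, self.severity, new))
        self.severity = new
        return escalated

    def span_days(self) -> int:
        """Length of the cone of uncertainty: days from first to most recent update."""
        return (self.last_seen - self.first_seen).days


def triage(name: str, updates: list) -> Incident:
    """Replay updates in date order (stable sort keeps same-day order) and return the incident."""
    inc = Incident(name)
    for u in sorted(updates, key=lambda u: u.day):
        inc.ingest(u)
    return inc


# Constructed timeline for a hypothetical incident; the ids are placeholders, not real CVEs.
UPDATES = [
    Update(date(2014, 9, 24), "CVE-2014-0001", 6.5, "first report; believed to need local access"),
    Update(date(2014, 9, 24), "CVE-2014-0001", 9.8, "remote vector confirmed; score raised"),
    Update(date(2014, 9, 25), "CVE-2014-0002", 9.8, "first fix incomplete; second identifier issued"),
    Update(date(2014, 9, 27), "CVE-2014-0003", 5.0, "parser bug found while reviewing the fix"),
    Update(date(2014, 9, 28), "CVE-2014-0003", 7.5, "parser bug shown exploitable; score raised"),
]

if __name__ == "__main__":
    inc = triage("hypothetical-shell-bug", UPDATES)
    print(f"{inc.name}: {inc.severity}, {len(inc.scores)} CVEs over {inc.span_days()} days")
    for day, cve, old, new in inc.escalations:
        print(f"  {day} {cve}: {old} -> {new}  (re-notify customers)")
```

Run as a script, the example reports a Critical incident with three identifiers spanning four days and two escalation events on the first day. The point of keeping the escalation list separate from the current severity is that the second event (Medium to Critical) is exactly the moment a team that had already triaged the first report needs to redo its response, not merely update a field.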
Step Two: Follow process and decide when to update
To keep all customers safe, coordinate the release of software patches so that every affected product and version has an upgrade path available at the same moment. Release mitigation details at the same time as the patch, not before: describing the vulnerability while no fix exists tells attackers where to look while customers still have nothing to install.
If the vulnerability is in third-party source, there may be no pre-arranged coordination: the upstream project sets the disclosure date, and you learn of it when everyone else does. Heartbleed (OpenSSL) and Shellshock (bash) are two examples of third-party code that required immediate attention. Responding quickly is only possible if you already know which of your products ship the affected component, so keep an inventory of the third-party code you include and watch the upstream advisories for it.
Step Three: Update
Release the update to customers through the normal, trusted update channel, with release notes that identify it as a security fix so customers can prioritize installing it.
Step Four: Communicate
Tell customers the severity of the issue, which versions are affected, and what mitigations are available if they cannot update immediately. Do not publish details that hand attackers a recipe for exploiting the vulnerability, but do not hide the vulnerability either: be forthcoming about what is affected and how urgent the fix is. Customers would rather patch than be compromised because of a vulnerability that was poorly communicated. Finally, use CVE identifiers and update the CVE/NVD records with the details so that customers can find the information.
ISO/IEC 30111 (vulnerability handling processes) deals directly with vulnerability response and can be consulted for more information; its companion standard, ISO/IEC 29147, covers receiving vulnerability reports from and disclosing to outside parties.
Following these steps and rigorously analyzing vulnerabilities will greatly improve your organization’s response to vulnerabilities.
Links to other articles in this series: