
Page 1: Title

© Copyright 2011 EMC Corporation. All rights reserved.

Nazira Omuralieva, Susan Kaufman
RSA, The Security Division of EMC

Improving Application Security – Vulnerability Response in the ISV World

SourceBoston 2011

Page 2: Session Objectives

• Vulnerability response ecosystem and guiding principles for effective vulnerability response
• Important roles & responsibilities in a software vendor organization for vulnerability response
• Typical vulnerability response process
• Tips on how you can create an effective vulnerability response program in your organization, including resources in the public domain

Page 3: Vulnerability Response Ecosystem

Page 4: Critical Components of a Successful Vulnerability Management Approach

[Chart, source: Counterpane. Risk plotted against time, with the milestones: Vulnerability discovered → Vulnerability reported → Vendor patches vulnerability → Users install patch.]

Minimize time between vulnerability report and patch availability (Vendor & Finder)
Minimize time between patch availability and patch installation (Customer)

Key actors: Finder, Vendor, Customer

Page 5: Vulnerability Response: Guiding Principles

• Drive towards simultaneously publishing the vulnerability and the remedy
  – Maintain a good relationship with the finder
  – Ensure prompt response, updates and resolution
• Protect company’s reputation & shareholders
  – Avoid bad press
  – Enforce legal review
• Align with customer best practices
  – Proactive notification of security patch availability
  – Continuous evaluation of public vulnerability impact on products
  – Efficient response to customers’ scan reports
• Enable customers to evaluate related risk
  – Provide enough information to evaluate ease of exploitation and impact

(Owner: Product Security Response)

Page 6: Vulnerability Response: EMC’s Guiding Principles

(The same four principles and sub-points as on Page 5, shown as the charter of the EMC Product Security Response Center*)

*EMC PSRC is a direct function of the EMC Product Security Office

Page 7: EMC PSRC Leverages Industry Resources and Relationships

• Supports industry standards:
  – Common Vulnerabilities and Exposures (CVE): unique definition of vulnerabilities, maintained by MITRE
  – Common Vulnerability Scoring System (CVSS): severity rating defined by FIRST
  – Common Weakness Enumeration (CWE): a list of software weakness types, maintained by MITRE
• Relationships with researchers, reporting organizations & other industry bodies
  – TippingPoint’s Zero Day Initiative (ZDI)
  – Computer Emergency Response Team (CERT)
  – Fortinet’s FortiGuard
  – Secunia
  – Member of FIRST

Page 8: Roles & Responsibilities: Vulnerability Response Process

Page 9: Roles & Responsibilities for an Effective Vulnerability Response Program (EMC example)

Finder
• Disclose vulnerability information to EMC privately

Product Engineering
• Appoint vulnerability response team members
• Create inventory of embedded components and subscribe to security alerts
• Validate vulnerability reports
• Create timeline for response

Security Response Taskforce
• Includes trained members from Engineering, Legal, Marketing, Public Relations, Investor Relations, Customer Service
• Review and approve the remediation and communication plans

Customers
• Receive security advisories and keep up to date with patches

Page 10: Typical Vulnerability Response Process Flow

[Process flow diagram; not captured in the transcript.]

Page 11: Important Steps After the Remedy Release

• Root Cause Analysis
  – Analyze the root cause of product vulnerabilities to detect and eliminate similar vulnerabilities that may already exist in the product
  – Adjust development practices to prevent similar vulnerabilities in the future
• Vulnerability Regression Testing
  – Add tests to the regression test suite to prevent reintroduction of the vulnerability

Page 12: Examples of how to publicly share information on your vulnerability response program

Page 13: Make it easy to report a security vulnerability

[Screenshot of www.emc.com/security]

Page 14: Detailed Process on Reporting a Security Vulnerability

• Monitored mailbox
• PGP key for communication

Page 15: Example of a Security Advisory

• CVE Identifier
• Severity Rating
• Details
• Resolution steps
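As an added example (not part of the slides and not EMC’s tooling), the Python below ties the advisory fields listed on this slide to the “inventory of embedded components” that the roles slide asks Product Engineering to keep and to the third-party-component question raised later in the deck. It maps a CVSS v2 base score to the NVD qualitative band (Low 0.0–3.9, Medium 4.0–6.9, High 7.0–10.0), matches a feed of advisory records against each product’s embedded component versions, and ranks the resulting patch work by severity. Every product name, component name, version, score and CVE identifier here is a constructed placeholder.

```python
"""Match security advisories against an inventory of embedded components
and rank the resulting patch work by severity.

Constructed example: products, components, versions, scores and the
CVE-XXXX-* identifiers below are placeholders, not real advisories.
Severity bands follow the NVD's qualitative ranges for CVSS v2 base scores.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def severity_band(cvss_base: float) -> str:
    """Map a CVSS v2 base score to the NVD rating: High/Medium/Low."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "High"
    if cvss_base >= 4.0:
        return "Medium"
    return "Low"


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted version -> int tuple, so '1.10.0' > '1.9.2' compares correctly
    (a plain string comparison would get this wrong)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str        # CVE identifier (placeholder values below)
    component: str     # embedded component the advisory concerns
    fixed_in: str      # first component version carrying the remedy
    cvss_base: float   # CVSS v2 base score published with the advisory
    summary: str       # abbreviated "Details" section


def affected_products(inventory: Dict[str, Dict[str, str]],
                      advisories: List[Advisory]) -> List[dict]:
    """One work item per (product, advisory) pair where the product embeds a
    version older than the fixed version; sorted High -> Medium -> Low."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    items = []
    for product, components in inventory.items():
        for adv in advisories:
            shipped = components.get(adv.component)
            if shipped is None:
                continue  # product does not embed this component
            if parse_version(shipped) >= parse_version(adv.fixed_in):
                continue  # already at or beyond the fixed version
            items.append({
                "product": product,
                "cve_id": adv.cve_id,
                "component": adv.component,
                "shipped": shipped,
                "fixed_in": adv.fixed_in,
                "severity": severity_band(adv.cvss_base),
                "summary": adv.summary,
            })
    items.sort(key=lambda i: (order[i["severity"]], i["product"]))
    return items


# Constructed inventory: product -> {embedded component: shipped version}
INVENTORY = {
    "StorageAppliance 4.2": {"tlslib": "0.9.8", "xmlkit": "2.7.8", "zcomp": "1.2.5"},
    "MgmtConsole 7.0":      {"tlslib": "1.0.0", "webcontainer": "6.0.28"},
    "BackupAgent 3.1":      {"zcomp": "1.2.3", "xmlkit": "2.7.7"},
}

# Constructed advisory feed (placeholder identifiers, made-up scores/versions)
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "tlslib", "1.0.0", 9.3, "memory corruption in handshake"),
    Advisory("CVE-XXXX-0002", "xmlkit", "2.7.8", 5.0, "denial of service via crafted input"),
    Advisory("CVE-XXXX-0003", "zcomp", "1.2.4", 2.1, "information disclosure"),
    Advisory("CVE-XXXX-0004", "webcontainer", "6.0.28", 6.8, "path handling flaw"),
]

if __name__ == "__main__":
    for item in affected_products(INVENTORY, ADVISORIES):
        print(f"{item['severity']:<6} {item['product']:<22} {item['cve_id']} "
              f"{item['component']} {item['shipped']} -> {item['fixed_in']}")
```

With the constructed data, the report lists three work items: the High-rated tlslib item for StorageAppliance first, then the Medium xmlkit and Low zcomp items for BackupAgent; MgmtConsole already ships the fixed versions and drops out. Comparing versions as integer tuples rather than strings is the detail most often wrong in home-grown inventory scripts.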

Page 16: EMC Response Examples

Page 17: No One Size Fits All

1. Coordinated disclosure – researcher and vendor working in harmony
   – EMC Celerra vulnerability publicly disclosed at Black Hat
2. Industry-wide impact and cooperation on a vulnerability in a widely used protocol
   – SSL/TLS protocol vulnerability
3. Researcher/customer publicly discloses information about a vulnerability without giving the vendor time to respond
   – Vulnerability in EMC product publicly posted in an industry forum

Model your process on industry best practices but expect surprises

Page 18: Questions to consider and tips

Page 19: Tricky Questions That the PSRC Comes Across Regularly

• Responsible disclosure vs. coordinated disclosure vs. full disclosure vs. …
• When to release a security patch vs. remediating the vulnerability in the next maintenance pack?
• When to publicly disclose security vulnerabilities vs. just fixing them in product releases?
• How to coordinate remediation and release of vulnerabilities found in common components developed by your company, to take care of internal dependencies?
• How to keep third-party/open source embedded components up to date?
• Many more…

Page 20: Steps to Creating a Vulnerability Response Program

• Create a company-wide Vulnerability Response Policy and Process, including roles and responsibilities and timelines for response
  – Do not wait till a vulnerability gets publicly reported
• Get executive acceptance and buy-in
• Train internal employees on their roles and responsibilities
• Set up a monitored mailbox that researchers can use to send vulnerability reports, and make it available on your website
• Create a way to deliver security patches and send security advisories to customers (public-facing website, subscribed email lists)
• Establish disclosure practices (choose your poison – responsible/coordinated…)
• Maintain good relationships with finders – give them credit for finding vulnerabilities

Do not reinvent the wheel but customize it to your unique needs

Page 21: Speaking of Not Reinventing the Wheel…

• Resources in the public domain
  – Forum for Incident Response and Security Teams (FIRST)
  – Organization for Internet Safety: Security Vulnerability Reporting and Response Guidelines
  – National Infrastructure Advisory Council: Disclosing and Managing Vulnerability Guidelines
  – Common Vulnerabilities and Exposures (CVE)
  – Common Vulnerability Scoring System (CVSS)
  – National Vulnerability Database (NVD)

Page 22: Thank You