One of the big news items from ShmooCon 2014 was that ISO 30111, Vulnerability Handling Processes, is now published. The document, edited by Microsoft Senior Security Strategist Lead Katie Moussouris, has been a long time coming. Specifically, it outlines how vendors should investigate, triage, and resolve all potential vulnerabilities, whether reported by external finders or found through the vendor's own internal testing.
She gave a detailed preview of what was to come during RSA 2013. You can see the video presentation here, but below are some of the guidelines she outlined in that RSA talk:
Vendors should have a process and organizational structure to support vulnerability investigation and remediation:
- Vendors should perform root cause analysis
- Vendors should weigh various remediation options to adjust for real-world risk factors
  - Balance speed with thoroughness
- Vendors should try to coordinate with other vendors if appropriate
  - Multi-vendor issues
  - Supply chain issues
Vulnerability verification steps:
- Initial Investigation: The vendor attempts to confirm the potential vulnerability
- Root Cause Analysis: The vendor attempts to determine the underlying cause of the vulnerability
- Further Investigation: The vendor attempts to find other instances of the same type of vulnerability in the product or service, or in other products
- Prioritization: The vendor considers the threat posed by the vulnerability to affected users of the product or online service
  - For each affected product or online service, there may be different severities of the same underlying issue
- Some processes may occur in parallel, rather than sequentially
Overall vulnerability handling process:
- Report received
- Resolution development
- Post release