You don't have to be a top-flight security company to understand that breach response and vulnerability disclosure are a huge part of the security process. And you don't need to be a security expert to know that, while they're all very important at a high level, not all actionable flaws are created equal. It's a problem eminent security minds across the industry have spent lots of energy trying to solve: When breaches are as varied as the software they're used to exploit, how do you create a response plan that'll fit all the shapes the average attack can take?
The good news, according to CA Veracode's "Five Steps for Preparing for a Vulnerability Disclosure" webinar, is that "future-proofing" against newfangled exploits that might pop up isn't as difficult as it first appears. Even better, the tools you need to do it mostly boil down to good decision-making and a keen understanding of context. From vulnerability disclosure to the rest of your company's response plan, here's a taste of what this means for you:
Remember that "understanding of context" thing from a few sentences back? CA Veracode Rapid Response Process Manager Jessica Lavery puts it a different way: "When everything's an emergency, nothing is."
While it sounds like a platitude, it's certainly not an empty one — in fact, that basic idea represents one of the biggest problems in security today, at least as it applies to response and disclosure. While, again, every bug, flaw and exploit is important from a conceptual/education standpoint, understanding how to categorize and respond to them with the appropriate level of effort is crucial.
The benefits explain themselves. The faster an organization learns to temper its responses with the facts of the situation, the faster those incidents can be handled. It also gives personnel a trail of breadcrumbs to follow when wading into the muddy waters of an as-yet-unknown vulnerability. You can go as deep or light as you want here, depending on your organization's goals and existing security — just make sure you're not going all-hands-on-deck for every vulnerability or breach you uncover, and you're making good strides.
Of course, knowing you need to work on your vulnerability disclosure and response skills is one thing — following through is another. While the webinar offers many tips for businesses looking to craft a better response plan, the webinar puts major emphasis on the use of small, multidisciplinary teams, or flexible groups whose professional toolsets match the skills an organization needs when a vulnerability or active breach is discovered.
One trick, Lavery suggests, is to put together two such teams: one to create the plan and make high-level decisions in the event of a breach or vulnerability disclosure, and another to carry out that plan. Keeping multiple professional perspectives in mind from the start — including security, IT, finance and customer-focused roles — allows organizations to craft more thorough vulnerability disclosure and security response plans from the beginning. By the same token, bringing different skill sets into play when it's time to react means multiple aspects of the breach or vulnerability are handled from the onset.
After assembling teams, Lavery recommends putting them to work figuring out exactly what an acceptable level of risk is. Since every business has a "different appetite for risk," as she says, making use of experienced personnel who understand the organization's goals and aptitude for/attitude toward handling risk is crucial — so important, it'll color every security-related decision your company makes from that point forward.
That said, there are a few factors of universal importance. First and foremost, defining the risk a particular bug represents almost always means outlining the potential impact it can have on the company. If you've discovered a major, widespread exploit (think something on the scale of Heartbleed) in your company's work, for example, you'll likely want to drop everything and deal with it right away, Lavery says. In other instances, you may be able to wait to address a vulnerability or skip it altogether in particularly low-risk situations.
Media exposure of a given bug is also an area of primary concern. Sometimes, patching against a well-known but contextually harmless flaw is better business than letting it go unchecked and explaining yourself later.
In fifteen minutes, Lavery's webinar packs in a lot of information on the finer points of breach response and disclosing vulnerabilities. Whether you're looking to overhaul your whole response plan or tweak a few key aspects, check out the webinar in its entirety. You'll undoubtedly find something that makes your organization more secure in the long run.
Photo Source: Flickr