ISO 29147 How to leverage

Dick Hacking
Cornerstones of Trust 2014
Dick Hacking
• Set up the response program at NetApp
• Worked on security issues in products for the last 30 years at CapGemini, Unisys and Zilog
• Also familiar with SEC 17a-4-compliant data retention products
• Job seeker, currently
I've looked at clouds from both sides now
From up and down, and still somehow
It's cloud illusions I recall
I really don't know clouds at all
Agenda
• What are ISO 29147 and ISO 30111?
• In-depth
• How can we use these new standards
• Benefits to Practitioners
• Benefits to Vendors
What are they?
These standards together form a standardized vendor framework for a response and disclosure process to address suspected security vulnerabilities in products.
ISO 29147
• Addresses how vendors should respond to and disclose suspected security vulnerabilities in their products
• Covers the two ends of the cycle
  – Specifies how to act on received reports
  – Specifies what kinds of information to consider including in a disclosure notice
  – Suggests how to distribute information about the report (internally and externally)
ISO 30111
• This standard covers the engineering tasks needed to mitigate any problem(s) validated in a suspected vulnerability report
  – Triage
  – Investigation
  – Resolution
• Usually internal to the vendor
Goals of Vulnerability Disclosure
• Ensuring that identified vulnerabilities are addressed
• Minimizing the risk from vulnerabilities
• Providing users with sufficient information to evaluate risks from vulnerabilities to their systems
• Setting expectations to promote positive communication and coordination among involved parties
ISO 29147 In Depth
• Addresses both real and perceived vulnerabilities
• Prescribes a special handling mechanism
• Uses both perceived and real impact metrics
• Ensures that all reports are tracked and responded to
• Does NOT address timeframes
ISO 30111 In Depth
• Communication with support providers
• Communication with product management
• Communications with developers and QA
• Timing of public disclosure notices
• Timing of fixed releases
• Recognizes that third-party (open-source) code could be involved
• Provides for coordinators between finders and vendors to minimize the possibility of blackmail or extortion
• Ensures a consistent mechanism
Disclosure Notice Content
• Whether it’s real or perceived
• How to recognize the vulnerability
• How to evaluate impact on your systems
• How to mitigate before a fix is available
• Which release(s) fix the issue(s)
• How to repair any damage
How Can We Use These Standards
• Need to know all vendors’ CSIRT mail aliases
• Know where to find previously addressed issues on the vendor support site
• Make your own template for submission
  – Contact info
  – Minimum needed to describe the problem and product
    • Release version numbers are critical
  – Do not include reproduction info initially
Minimum Submission Info
• Product name and version
• Release version, installed operating system
• Client or server issue
• Brief symptoms
• CVSS from your point of view
• Remediation(s) attempted, with results
• Is there corrupted or lost data?
Benefits to Practitioners
• Clean method to report vulnerabilities
• Clean method to research known issues
• Common expectations as to responses
Benefits to Vendors
• Repeatable and well-oiled response process
• Guidance as to expectations by customers
• Common severity calculations
  – CVSS (Common Vulnerability Scoring System)
How to Help Vendors
• Look up known and addressed issues
• Update all software/applications promptly
• Submit a report to the vendor
• Wait for further instructions to submit exact reproduction information in a secure manner
• Don’t report multiple issues in the same mail unless they have a common root cause
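The three slides on submission fields, CVSS severity and one-issue-per-mail can be turned into a small pre-flight check for a report. The following is an added example, not code from the talk, NetApp or ISO: it encodes the "Minimum Submission Info" fields as a record, scores the reporter's CVSS v2 vector with the base-score equations and weights from the CVSS v2 guide the deck links to, and refuses to render a report that carries reproduction steps in the first mail or bundles unrelated issues. The field names, the `InitialReport` class, the check rules and the sample product are this example's own assumptions, not any vendor's or the standard's schema.

```python
"""Initial vulnerability report: build it, score it, check it before sending.

Added example, not from the slides. CVSS v2 weights and equations follow the
CVSS v2 guide the deck links to; field names and the checks below are this
example's own encoding of the slides' advice, not an ISO or vendor schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# CVSS v2 base-metric weights, as published in the CVSS v2 guide.
WEIGHTS: Dict[str, Dict[str, float]] = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}

def parse_cvss2_vector(vector: str) -> Dict[str, str]:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P'; ValueError on missing/unknown metrics."""
    parts: Dict[str, str] = {}
    for item in vector.split("/"):
        if ":" not in item:
            raise ValueError(f"malformed metric {item!r}")
        key, val = item.split(":", 1)
        parts[key] = val
    for metric, table in WEIGHTS.items():
        if parts.get(metric) not in table:
            raise ValueError(f"metric {metric} missing or unknown: {parts.get(metric)!r}")
    return parts

def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the guide specifies."""
    w = {k: WEIGHTS[k][v] for k, v in parse_cvss2_vector(vector).items() if k in WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    if impact == 0:  # f(Impact) is 0 when nothing is impacted, so the score is 0
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)

@dataclass
class InitialReport:
    """The slide's minimum submission fields, plus what must NOT go in the first mail."""
    product: str
    release_version: str
    operating_system: str
    side: str                          # "client" or "server"
    symptoms: str
    cvss_vector: str                   # severity from the reporter's point of view
    issues: List[str]                  # one entry per distinct issue
    remediations_attempted: List[str] = field(default_factory=list)
    data_corrupted_or_lost: bool = False
    common_root_cause: Optional[str] = None
    reproduction_steps: Optional[str] = None   # held back until the vendor asks

def check_initial_report(r: InitialReport) -> List[str]:
    """Return the problems found; an empty list means the report is ready to send."""
    problems: List[str] = []
    for name in ("product", "release_version", "operating_system", "symptoms"):
        if not getattr(r, name).strip():
            problems.append(f"{name} is required")
    if r.side not in ("client", "server"):
        problems.append("side must be 'client' or 'server'")
    try:
        cvss2_base_score(r.cvss_vector)
    except ValueError as exc:
        problems.append(f"cvss_vector: {exc}")
    if not r.issues:
        problems.append("describe at least one issue")
    if len(r.issues) > 1 and not r.common_root_cause:
        problems.append("several issues need a common root cause; otherwise one report each")
    if r.reproduction_steps:
        problems.append("leave reproduction steps out of the initial mail; send them "
                        "over the channel the vendor specifies")
    return problems

def render_report(r: InitialReport) -> str:
    """Plain-text body for the vendor's CSIRT alias; field order mirrors the slide."""
    return "\n".join([
        f"Product: {r.product}",
        f"Release version: {r.release_version}",
        f"Operating system: {r.operating_system}",
        f"Client or server: {r.side}",
        f"Symptoms: {r.symptoms}",
        f"CVSS v2 (reporter's view): {r.cvss_vector} = {cvss2_base_score(r.cvss_vector)}",
        "Remediations attempted: " + ("; ".join(r.remediations_attempted) or "none"),
        f"Data corrupted or lost: {'yes' if r.data_corrupted_or_lost else 'no'}",
    ])

# Constructed sample: product, version and symptoms are made up for this example.
SAMPLE = InitialReport(
    product="ExampleFS Manager", release_version="4.2.1",
    operating_system="Windows Server 2012 R2", side="server",
    symptoms="management service stops responding after a malformed login request",
    cvss_vector="AV:N/AC:L/Au:N/C:N/I:N/A:P",
    issues=["service hang on malformed login"],
    remediations_attempted=["restart service (recovers until next occurrence)"],
)
```

Running `check_initial_report(SAMPLE)` returns an empty list and `render_report(SAMPLE)` produces the mail body with the vector scored at 5.0; a report that carries `reproduction_steps` or two `issues` without a `common_root_cause` comes back with the corresponding problems listed instead of being sent.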
Further Reading
• CVSS Standards guide
– http://www.first.org/cvss/cvss-guide.html
• CVSS Calculator
  – http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Further Reading
• ISO 15408, Information technology — Security techniques — Evaluation criteria for IT security
• ISO 27034, Information technology – Security techniques – Application security
• ISO 28001, Security management systems for the supply chain — Best practices for implementing supply chain security, assessments and plans
Caveat
• The US price for the two standards is over $400. The more useful one is ISO 29147.
Contact Info
• Dick Hacking
• D.hacking@comcast.net
• 650-224-5418
• http://www.linkedin.com/in/dickhacking