ISO 29147
How to leverage
Dick Hacking
Cornerstones of Trust 2014

Dick Hacking
• Set up the response program at NetApp
• Worked on security issues in products for the last 30 years at CapGemini, Unisys and Zilog
• Also familiar with SEC 17a-4-compliant data retention products
• Job seeker, currently

I've looked at clouds from both sides now
From up and down, and still somehow
It's cloud illusions I recall
I really don't know clouds at all

Agenda
• What are ISO 29147 and ISO 30111?
• In-depth
• How can we use these new standards
• Benefits to Practitioners
• Benefits to Vendors

What are they?
These standards together form a standardized vendor framework for a response and disclosure process to address suspected security vulnerabilities in products

ISO 29147
• Addresses how vendors should respond to and disclose suspected security vulnerabilities in their products
• Covers the two ends of the cycle
  – Specifies how to act on received reports
  – Specifies what kinds of information to consider including in a disclosure notice
  – Suggests how to distribute information about the report (internally and externally)

ISO 30111
• This standard covers the engineering tasks needed to mitigate any problem(s) validated in a suspected vulnerability report
  – Triage
  – Investigation
  – Resolution
• Usually internal to the vendor

Goals of Vulnerability Disclosure
• Ensuring that identified vulnerabilities are addressed
• Minimizing the risk from vulnerabilities
• Providing users with sufficient information to evaluate risks from vulnerabilities to their systems
• Setting expectations to promote positive communication and coordination among involved parties

ISO 29147 In Depth
• Addresses both real and perceived vulnerabilities
• Prescribes a special handling mechanism
• Uses both perceived and real impact metrics
• Ensures that all reports are tracked and responded to
• Does NOT address timeframes

ISO 30111 In Depth
• Communication with support providers
• Communication with Product Management
• Communications with developers and QA
• Timing of public disclosure notices
• Timing of fixed releases
• Recognizes that third-party (open-source) code could be involved
• Provides for Coordinators between finders and vendors to minimize the possibility of blackmail or extortion
• Ensures a consistent mechanism

Disclosure Notice Content
• Whether it's real or perceived
• How to recognize the vulnerability
• How to evaluate impact on your systems
• How to mitigate before a fix is available
• Which release(s) fix the issue(s)
• How to repair any damage

How Can We Use These Standards
• Need to know all vendors' CSIRT mail aliases
• Know where to find previously addressed issues on the vendor support site
• Make your own template for submission
  – Contact info
  – Minimum needed to describe problem, product
• Release version numbers are critical
  – Do not include reproduction info initially

Minimum Submission Info
• Product name and version
• Release version installed
• Operating system
• Client or server issue
• Brief symptoms
• CVSS from your point of view
• Remediation(s) attempted with results
• Is there corrupted or lost data?
Benefits to Practitioners
• Clean method to report vulnerabilities
• Clean method to research known issues
• Common expectations as to responses

Benefits to Vendors
• Repeatable and well-oiled response process
• Guidance as to expectations by customers
• Common severity calculations
  – CVSS: Common Vulnerability Scoring System

How to Help Vendors
• Look up known and addressed issues
• Update all software/applications promptly
• Submit a report to the vendor
• Wait for further instructions to submit exact reproduction information in a secure manner
• Don't report multiple issues in the same mail unless they have a common root cause

Further Reading
• CVSS Standards guide
  – http://www.first.org/cvss/cvss-guide.html
• CVSS Calculator
  – http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Further Reading
• ISO 15408, Information technology — Security techniques — Evaluation criteria for IT security
• ISO 27034, Information technology – Security techniques - Application security
• ISO 28001, Security management systems for the supply chain — Best practices for implementing supply chain security, assessments and plans

Caveat
• The US price for the two standards is over $400. The more useful one is ISO 29147.

Contact Info
• Dick Hacking
• D.hacking@comcast.net
• 650-224-5418
• http://www.linkedin.com/in/dickhacking