Product Security Incident Response: Key Strategies and Best Practices
Written By: Samuel Cure, CISO, AMI
In today’s digital landscape, it is essential to implement proactive measures to ensure the security of your organization’s products. But even with good practices in place, the dynamic nature of vulnerability identification, and ever-increasing attack tools and techniques, vulnerabilities can escape the best defenses and make their way into released products.
As such, organizations should have a plan to identify and address vulnerabilities in their products.
This is where the role of a Product Security Incident Response Team (PSIRT) comes into play.
A PSIRT is responsible for identifying, assessing, and addressing vulnerabilities in a product or service.
There are several key strategies and best practices to create an effective PSIRT. Understanding these strategies and best practices ensures that your organization is prepared to manage and address vulnerabilities as they arise effectively.
Five Best Practices of PSIRT
#1: Respond Proactively
When a vulnerability is discovered, the clock is ticking. The PSIRT should initiate its response process quickly, including notifying internal and external stakeholders. The moment a vulnerability is shared with an organization is the moment responsibility and due diligence start being measured, as additional phases of the PSIRT begin. Formalize the response in a manner that is documented, logged, and preserves the chain of custody for all communications.
#2: Ensure a Well-orchestrated Disclosure Process
If a sighted vulnerability poses a significant threat to the supply chain, starting a Coordinated Vulnerability Disclosure (CVD) with your regional Computer Emergency Readiness Team (CERT) may be necessary to build awareness among potentially affected parties.
The CERT is an organization within the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). To effectively alert all stakeholders about a CVD, consider the following three early warning mechanisms:
- Brief internal stakeholders about the vulnerability and provide them with the knowledge to handle inquiries.
- Use the CISA Traffic Light Protocol (TLP) alert to notify supply chain partners.
- For vulnerabilities involving proprietary code, consider sending Non-disclosure Agreement (NDA) advisories to affected parties while the CVD process is initiated.
Supply chains need a common language to identify vulnerabilities and communicate vulnerability information.
The best way to do that publicly is via Common Vulnerabilities and Exposures (CVEs), the standard for public advisories. CVEs should be created for all vulnerabilities, which are detailed in the public arena (publications, conferences, etc.) and CVDs.
#3 Clearly State Your Embargo Policy
Take a clear and transparent stance on defining your organization’s embargo policy. Embargo of a security issue means that the issue will not be publicly disclosed for some time by the vendor/discoverer while a fix is being generated.
A best-practice embargo period is between one and ten weeks. The embargo should be defined depending on the severity of the vulnerability.
Vulnerabilities should be classified into a tracking system with the identification of a severity score based on the Common Vulnerability Scoring System (CVSS) and handled in a confidential way during a defined and communicated embargo period.
Your PSIRT should be prepared to communicate this information downstream to customers as soon as it is available via advisory publications.
#4: Partner with Researchers and Security Vendors
Researchers and security tool vendors are vital partners in the fight to secure the supply chain. Cybersecurity researchers constantly search for vulnerabilities in software and hardware using the latest tools and technology and are key inputs into improving PSIRT, while security vendors make new tools for identifying vulnerabilities.
The more inputs into your PSIRT identification process, the more access to knowledge, tools, and resources. Build collaborative relationships with researchers and security vendors to better integrate your vulnerability sighting and advisory notification process with them.
#5: Optimize Your Investigation and Remediation Process
An effective investigation is important for ensuring that the PSIRT can identify affected code and that the risk posed can be communicated to customers in a timely manner. The steps of the investigation process should be formally documented, measured, and optimized for continuous improvement.
A good PSIRT should have an array of tools, automation, and methods to determine the extent to which the vulnerable code may exist in all products. Automation is often required to ensure all code libraries and product versions are analyzed for a given vulnerability sighting.
Verification of remediation is quintessential to ensure the risks have been appropriately addressed. A formalized “sign-off stage gate” is important to capture remediation’s approval and internal certification.
By ensuring that all patches or fixes have been properly implemented and applied, you can have confidence that your customers are protected from potential security threats.
A Good PSIRT Means Better Vulnerability Management
By following these best practices, your organization’s PSIRT can effectively identify and collaboratively address product vulnerabilities. Through swift remediation efforts and coordinated communication with regional CERTS such as US-CERT(CISA) or CERT/CC(SEI), as well as other research organizations, you can prioritize the security and satisfaction of your customers and partners.
A good source of information for any PSIRT is the Forum of Incident Response and Security Teams (FIRST). FIRST brings together a wide variety of security and incident response teams, including product security teams from the government, commercial, and academic sectors.
AMI is Firmware Reimagined for modern computing. As a global leader in Dynamic Firmware for security, orchestration and manageability solutions, AMI enables the world’s compute platforms from on-premises to the cloud to the edge. AMI’s industry-leading foundational technology and unwavering customer support have generated lasting partnerships and spurred innovation for some of the most prominent brands in the high-tech industry. AMI is also a critical provider to the Open Compute ecosystem and is a member of numerous industry associations and standards, such as the Unified EFI Forum (UEFI), PICMG, National Institute of Standards and Technology (NIST), National Cybersecurity Excellence Partnership (NCEP), and the Trusted Computing Group (TCG).
Sponsored and written by AMI