Vulnerability Reporting Process
David Coffey, Principal Security Architect
David_coffey@mcafee.com
May 6, 2019

Overview
- 30,000 foot view
- What is a vulnerability
- Types of vulnerability
- Finders
- Types of process
  - Full Disclosure
  - Responsible Disclosure
  - Organization for Internet Safety (OIS)
- Establishing process
- Wrap-up
30,000 foot view (good)
- Vulnerability gets reported
- Vulnerability is validated
- Vulnerability gets fixed
- Code proceeds through QA and testing
- Update released
- Customers are safe and happy
30,000 foot view (bad)
- Vulnerability gets reported (if possible)
- Vulnerability gets ignored or mishandled
- Finder goes public with an exploit
- Customers are unsafe and unhappy
- So are shareholders, employees, management…
Security Vulnerability
- Typical development process: clearly defined, widely adopted, everyone has their role
- Everyone has bugs
- A security flaw is a special kind of bug
  - Some people distinguish a flaw (a design error) from a bug (an implementation error)
- A security vulnerability is an exploitable security flaw/bug
- Security vulnerabilities will be discovered
Vulnerability types
S.T.R.I.D.E. (Microsoft's model)
- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
Any one of these can be bad if reported and not handled
Types of Finders
- Internal
  - Employee of the company
  - Hired security firm
- External
  - Security researcher
  - Partner
  - Knowledgeable end-user
Internal Finders
- Developer, architect, QA, hired security hand
- Usually can be trusted: it is their job, and contracts are in place
- Has several motivations: curiosity, prestige, mission, job
External Security Researcher
- Someone who finds security flaws in applications
- Unknown trust level
- They will usually communicate their intentions
- Has several motivations: money, prestige, curiosity, mission, malice
External Partner
- Business partner who is exposed to more IP
- Usually can be trusted: you are in business together
- Has several motivations: risk assessment, business improvement, customer acquisition
External Customer
- Someone who discovered the flaw by chance
- Unknown trust level
- Usually does not understand the implications
- They are a customer
- Has several motivations: being safer, curiosity
Full Disclosure
- Definition: disclose all known information about a security vulnerability
  - Alternatively: the direct opposite of security through obscurity
- Theory: the company will fix flaws faster under the threat of full public disclosure
- Guidelines published by RFP (Rain Forest Puppy's RFPolicy)
  - 5 days for the company to answer the report
  - Company coordinates publication of the flaw with the reporter
  - Company gives the reporter full credit for the discovery
  - Company usually has 30 days before disclosure
- This is difficult for large organizations
Responsible Disclosure
- Similar to Full Disclosure, except:
  - Not required to publish flaw information
  - Not required to publish all information
  - Timeline can be flexible
  - Allows a fix to be in place before disclosure occurs
Organization for Internet Safety
- Created guidelines for handling the reporting of security vulnerabilities
- Formalizes the good 30,000 foot view
- 5 phases: Discovery, Notification, Investigation, Resolution, Release
- The 30-day time period is the starting point for negotiations
Process Infrastructure
- Need to post the process so people understand it
- Need to have a reporting infrastructure / repository
  - Website (http://www.microsoft.com/security/)
  - Email (security-alert@foo.com)
  - Possibly anonymous
- Need to have formalized vulnerability reports
- Need to have a tracking system in place
- Need to have established roles and responsibilities
Formal Report Structure
You want all the information up-front:
- Who are you? Contact information?
- What product? What OS?
- What tools did you use?
- What are your intentions?
- Proof-of-concept code?
- Steps for reproduction?
Communication is your friend
- Finder locates your published process
- Finder submits a report in the format established by the process
- Vendor sends an acknowledgement and establishes rough dates
- Vendor sends weekly status mail to the finder
- Encourage open communication and a working relationship
- Track all communication, dates, etc. (legal backup)
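The intake fields from the Formal Report Structure slide and the timeline rules spread across the Full Disclosure, OIS and Communication slides (5 days to answer the report, 30 days to disclosure as the starting point for negotiation, a weekly status mail, and a log of every exchange as legal backup) fit in one small tracker. The following is an added worked example written for this page, not tooling from the author or from McAfee. The field names, the case identifier, the sample report values, and the rule that the first vendor-side log entry counts as the acknowledgement are this example's own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Fields the "Formal Report Structure" slide asks for up-front. The key
# names are this example's own choice, not a schema from the deck.
REQUIRED_FIELDS = ("reporter", "contact", "product", "platform", "steps_to_reproduce")
OPTIONAL_FIELDS = ("tools", "intentions", "proof_of_concept")

# Timeline defaults from the disclosure slides: 5 days to answer the report
# (RFPolicy), 30 days to disclosure as the OIS starting point, weekly status.
ACK_DAYS = 5
DISCLOSURE_DAYS = 30
STATUS_INTERVAL_DAYS = 7


def validate_report(report: dict) -> list[str]:
    """Return the required fields that are missing or empty in a submitted report."""
    return [f for f in REQUIRED_FIELDS if not str(report.get(f, "")).strip()]


@dataclass
class DisclosureCase:
    """One tracked report: who sent it, when, and every exchange since."""
    case_id: str
    reported: date
    report: dict
    disclosure_days: int = DISCLOSURE_DAYS
    # (date, party, note); party is "vendor" or "finder". This is the paper
    # trail the deck recommends keeping: every date and message in one place.
    log: list[tuple[date, str, str]] = field(default_factory=list)

    def record(self, when: date, party: str, note: str) -> None:
        self.log.append((when, party, note))

    def extend(self, when: date, extra_days: int, reason: str) -> None:
        """Negotiated extension of the disclosure date, logged with its reason."""
        self.disclosure_days += extra_days
        self.record(when, "vendor", f"disclosure extended by {extra_days} days: {reason}")

    def ack_deadline(self) -> date:
        return self.reported + timedelta(days=ACK_DAYS)

    def disclosure_deadline(self) -> date:
        return self.reported + timedelta(days=self.disclosure_days)

    def last_vendor_contact(self) -> date | None:
        dates = [d for d, party, _ in self.log if party == "vendor"]
        return max(dates) if dates else None

    def check(self, today: date) -> list[str]:
        """Problems the case owner must act on as of `today`."""
        problems = []
        last = self.last_vendor_contact()
        # Assumption: the first vendor-side log entry is the acknowledgement.
        if last is None and today > self.ack_deadline():
            problems.append(f"no acknowledgement sent within {ACK_DAYS} days of report")
        elif last is not None and (today - last).days > STATUS_INTERVAL_DAYS:
            problems.append(f"no status mail to finder for {(today - last).days} days")
        days_left = (self.disclosure_deadline() - today).days
        if days_left < 0:
            problems.append(f"disclosure deadline passed {-days_left} days ago")
        elif days_left <= STATUS_INTERVAL_DAYS:
            problems.append(f"disclosure deadline in {days_left} days")
        return problems


def demo() -> dict:
    """Walk a constructed report through intake, two check-ins and an extension."""
    # Constructed sample report; every value here is made up for the example.
    incoming = {
        "reporter": "A. Researcher",
        "contact": "researcher@example.net",
        "product": "ExampleSuite 4.2",
        "platform": "Windows 10",
        "tools": "manual review",
        "intentions": "coordinated disclosure",
        "steps_to_reproduce": "",  # left empty on purpose: intake must reject it
    }
    missing = validate_report(incoming)

    incoming["steps_to_reproduce"] = "1. open the attached file  2. observe the crash"
    case = DisclosureCase("CASE-0001", date(2019, 5, 6), incoming)
    case.record(date(2019, 5, 8), "vendor", "acknowledged, triage started")
    case.record(date(2019, 5, 15), "vendor", "weekly status: fix in QA")
    stale = case.check(date(2019, 5, 30))  # two weeks of silence, deadline close

    case.extend(date(2019, 5, 30), 14, "fix needs a second QA pass")
    after_extension = case.check(date(2019, 5, 31))

    # A report nobody answered: the 5-day window has lapsed.
    unacked = DisclosureCase("CASE-0002", date(2019, 5, 6), incoming).check(date(2019, 5, 14))

    return {
        "missing": missing,
        "ack_deadline": case.ack_deadline().isoformat(),
        "disclosure_deadline": case.disclosure_deadline().isoformat(),
        "stale": stale,
        "after_extension": after_extension,
        "unacked": unacked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check routine is what a weekly review of open cases would run: it surfaces the three failures the "bad" 30,000 foot view is built from (no acknowledgement, the finder left in the dark, the disclosure date arriving with no fix), and an extension is only ever granted through a logged call so that the trail shows who agreed to what and when.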
Wrap-up
- Establish process and communicate it publicly
- Establish infrastructure
- Establish roles / responsibilities
- Foster communication
- Track everything
- Remember, people generally want to do the right thing
Questions?