21
ISO 29147 How to leverage Dick Hacking Cornerstones of Trust 2014


Page 1: ISO 29147 How to leverage Dick Hacking Cornerstones of Trust 2014

ISO 29147: How to leverage

Dick Hacking, Cornerstones of Trust 2014

Page 2

Dick Hacking

• Set up the response program at NetApp
• Worked on security issues in products for the last 30 years at CapGemini, Unisys and Zilog
• Also familiar with SEC 17a-4-compliant data retention products
• Job seeker, currently

Page 3

I've looked at clouds from both sides now
From up and down, and still somehow
It's cloud illusions I recall
I really don't know clouds at all

Page 4

Agenda

• What are ISO 29147 and ISO 30111?
• In depth
• How can we use these new standards?
• Benefits to practitioners
• Benefits to vendors

Page 5

What are they?

Together, these two standards form a standardized vendor framework for receiving, handling and disclosing reports of suspected security vulnerabilities in products: ISO 29147 covers the external interface (taking in reports and publishing advisories) and ISO 30111 covers the internal handling of a validated report.

Page 6

ISO 29147

• Addresses how vendors should respond to and disclose suspected security vulnerabilities in their products
• Covers the two ends of the cycle
– Specifies how to act on received reports
– Specifies what kinds of information to consider including in a disclosure notice
– Suggests how to distribute information about the report (internally and externally)

Page 7

ISO 30111

• Covers the engineering tasks needed to mitigate any problem(s) validated in a suspected vulnerability report
– Triage
– Investigation
– Resolution
• Usually internal to the vendor

Page 8

Goals of Vulnerability Disclosure

• Ensuring that identified vulnerabilities are addressed
• Minimizing the risk from vulnerabilities
• Providing users with sufficient information to evaluate the risk vulnerabilities pose to their systems
• Setting expectations to promote positive communication and coordination among the involved parties

Page 9

ISO 29147 In Depth

• Addresses both real and perceived vulnerabilities
• Prescribes a special handling mechanism
• Uses both perceived and real impact metrics
• Ensures that all reports are tracked and responded to
• Does NOT address timeframes

Page 10

ISO 30111 In Depth

• Communication with support providers
• Communication with product management
• Communication with developers and QA
• Timing of public disclosure notices
• Timing of fixed releases

Page 11

• Recognizes that third-party (open-source) code could be involved

• Provides for coordinators acting between finders and vendors, to minimize the possibility of blackmail or extortion

• Ensures a consistent mechanism

Page 12

Disclosure Notice Content

• Whether it’s real or perceived
• How to recognize the vulnerability
• How to evaluate its impact on your systems
• How to mitigate before a fix is available
• Which release(s) fix the issue(s)
• How to repair any damage

Page 13

How Can We Use These Standards

• Know all your vendors’ CSIRT mail aliases
• Know where to find previously addressed issues on each vendor’s support site
• Make your own template for submission
– Contact info
– The minimum needed to describe the problem and the product
• Release version numbers are critical
– Do not include reproduction info initially; send it later, over a secure channel, once the vendor asks for it

Page 14

Minimum Submission Info

• Product name and version
• Installed operating system and its release version
• Client or server issue
• Brief symptoms
• CVSS score from your point of view
• Remediation(s) attempted, with results
• Is there corrupted or lost data?

Page 15

Benefits to Practitioners

• Clean method to report vulnerabilities
• Clean method to research known issues
• Common expectations as to responses

Page 16

Benefits to Vendors

• Repeatable and well-oiled response process
• Guidance as to expectations by customers
• Common severity calculations
– CVSS, the Common Vulnerability Scoring System

Page 17

How to Help Vendors

• Look up known and addressed issues
• Update all software/applications promptly
• Submit a report to the vendor
• Wait for further instructions before submitting exact reproduction information, in a secure manner
• Don’t report multiple issues in the same mail unless they have a common root cause

Page 18

Further Reading

• CVSS standards guide
– http://www.first.org/cvss/cvss-guide.html
• CVSS calculator
– http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Page 19

Further Reading

• ISO 15408, Information technology — Security techniques — Evaluation criteria for IT security
• ISO 27034, Information technology — Security techniques — Application security
• ISO 28001, Security management systems for the supply chain — Best practices for implementing supply chain security, assessments and plans

Page 20

Caveat

• The US price for the two standards is over $400
• The more useful one is ISO 29147

Page 21

Contact Info

• Dick Hacking
• [email protected]
• 650-224-5418
• http://www.linkedin.com/in/dickhacking