How to Respond to Vulnerability Disclosures

In the last couple of years there seems to have been an ever-growing number of high-profile vulnerability disclosures: Heartbleed, GHOST, Shellshock. High-profile vulnerabilities like these shine a spotlight on application security, which means your security team is put under increased pressure to react to that particular vulnerability rather than focusing on a comprehensive plan to secure the applications your teams are developing. Your security team can't ignore potentially threatening vulnerability disclosures, but it needs a plan in place for deciding how to prioritise each one and how to respond. So today I'm looking at the four steps that make up a vulnerability response plan.

1) Establish a Rapid-Response Team

You need to clearly define who is responsible for coordinating the vulnerability response process. This team decides how the company should respond to a new vulnerability disclosure and how urgently it needs to be addressed.

You also need to make sure that everyone in your company knows who is on your rapid-response team. Then any employee who hears about a new disclosure, whether from a press release, an email from a vendor, a mailing list or social media, knows who to pass it to as an immediate priority.

2) Define Priority Levels and Responses

Every organisation has its own definition of what constitutes a high- or low-risk vulnerability, depending on the platforms, programming languages and frameworks it uses during development: a critical bug in a library you don't ship is a low priority for you, while a moderate one in an internet-facing component you do ship may not be. These definitions set the differing levels of urgency with which your team needs to respond.

It's vital that your company has documentation which clearly defines what constitutes a high-risk vulnerability compared with a low-risk one, and maps out clearly defined steps to follow for each. But before you can create that framework, you need to define the levels themselves and the response each one calls for.

3) Set Up a Priority Framework

By explicitly outlining what actions your security team will take for each priority level, you can be sure that your team responds appropriately and consistently every time a vulnerability is disclosed.

A high-priority, high-urgency vulnerability that poses an immediate risk to customer or company data will put your team under a huge amount of pressure, so having a pre-defined framework to follow prevents panic from clouding their judgement and ensures the vulnerability is addressed in a timely, effective manner.

Additionally, having a written framework means that, if an incident does occur, your company can justify its response to customers and to the board if needed, showing that you acted according to protocol.

4) Create Clear Response Procedures

Once your rapid-response team has determined the priority level of the vulnerability, your security team begins its response. You need a clear plan for how the team should respond at each level of urgency: who patches what, in which order, and by when.

Even when a disclosure is high-risk and classed as high-urgency, your security team should still follow security best practices, so that you don't introduce further vulnerabilities while responding to this one: for example, by rushing an untested patch into production or disabling a security control to buy time.
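To make steps 2 to 4 concrete, here is a small triage routine, added as an illustration and not part of the original article. It matches a disclosure against an asset inventory, assigns a priority level, and looks up the documented response. The component names, the "EXAMPLE-0001" identifier, the version-range rules, the priority thresholds and the deadlines are all hypothetical placeholders; your own framework will differ.

```python
"""Triage a vulnerability disclosure against an asset inventory.

Added illustration, not code from the original article. The component
names, the disclosure "EXAMPLE-0001", the priority levels and their
deadlines are hypothetical placeholders; each organisation sets its own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Disclosure:
    """What the rapid-response team extracts from an advisory."""
    ident: str            # advisory identifier (placeholder here)
    component: str        # affected library / platform
    affected_from: str    # first vulnerable version, inclusive
    fixed_in: str         # first fixed version, exclusive
    cvss: float           # base score quoted by the advisory
    exploit_public: bool  # is working exploit code circulating?


@dataclass(frozen=True)
class Asset:
    """One deployed system from the inventory / SBOM."""
    name: str
    component: str
    version: str
    internet_facing: bool
    customer_data: bool


def version_key(version: str) -> tuple:
    """Numeric dotted versions only ("1.0.12" -> (1, 0, 12)). This is an
    assumption of the example; real version schemes need a proper parser."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, d: Disclosure) -> bool:
    """True when the asset runs the component inside the vulnerable range."""
    if asset.component != d.component:
        return False
    v = version_key(asset.version)
    return version_key(d.affected_from) <= v < version_key(d.fixed_in)


# Hypothetical priority framework (step 3): level -> (response, deadline in hours).
FRAMEWORK = {
    "P1": ("mitigate or patch now, open an incident bridge, brief the board", 24),
    "P2": ("patch in the next emergency change window", 7 * 24),
    "P3": ("fix in the normal release cycle", 30 * 24),
    "P4": ("record only; nothing in the estate is affected", None),
}


def priority(d: Disclosure, affected: list) -> str:
    """Hypothetical rules for step 2: advisory severity weighted by real exposure."""
    if not affected:
        return "P4"
    exposed = any(a.internet_facing for a in affected)
    sensitive = any(a.customer_data for a in affected)
    if (d.cvss >= 9.0 or d.exploit_public) and exposed:
        return "P1"
    if d.cvss >= 7.0 and (exposed or sensitive):
        return "P2"
    return "P3"


def triage(d: Disclosure, inventory: list) -> dict:
    """Steps 2-4 in one call: find affected assets, assign a level, look up the response."""
    affected = [a for a in inventory if is_affected(a, d)]
    level = priority(d, affected)
    action, deadline_hours = FRAMEWORK[level]
    return {
        "ident": d.ident,
        "level": level,
        "affected": [a.name for a in affected],
        "action": action,
        "deadline_hours": deadline_hours,
    }


# Constructed sample data: a four-system estate and one fictitious advisory.
INVENTORY = [
    Asset("public-web", "examplelib", "1.0.2", internet_facing=True, customer_data=True),
    Asset("batch-worker", "examplelib", "1.0.4", internet_facing=False, customer_data=True),
    Asset("legacy-intranet", "examplelib", "0.9.9", internet_facing=False, customer_data=False),
    Asset("reporting", "otherlib", "3.1.0", internet_facing=False, customer_data=True),
]

EXAMPLE_DISCLOSURE = Disclosure(
    "EXAMPLE-0001", "examplelib", affected_from="1.0.0", fixed_in="1.0.4",
    cvss=9.8, exploit_public=True,
)

if __name__ == "__main__":
    print(triage(EXAMPLE_DISCLOSURE, INVENTORY))
```

Note that only "public-web" is affected: "batch-worker" already runs the fixed version and "legacy-intranet" predates the vulnerable range, so the same advisory would drop to P3 with a low score and no public exploit, and to P4 if it named a component you do not run at all. That separation of the advisory's severity from your own exposure is what makes the levels consistent from one disclosure to the next.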
