On our website, we talk a lot about standards that contain requirements and are most often subject to certification or accreditation. However, many standards also contain good practices and valuable guidance for organizations.

In this article, we will focus on one such international standard, ISO/IEC 29147 Information technology – Security techniques – Vulnerability disclosure. It is also worth mentioning the accompanying standard ISO/IEC 30111 Information technology – Security techniques – Vulnerability handling processes, which will be covered in a separate article. Please follow our news!

ISO/IEC 29147 and ISO 30111 provide useful guidance on vulnerability disclosure, including good practices and examples that can be used as templates.

ISO/IEC 29147 provides recommendations for suppliers on disclosing vulnerabilities in their products and services. What is it for? We can turn to ISO/IEC 27002 – Information technology – Security techniques – Information Security Practices, which tells us that disclosing a security vulnerability enables users to manage that vulnerability on their own systems by technical means.

Wait a minute, but what exactly is a vulnerability?

In the context of information technology and cybersecurity, a security vulnerability is a behavior or set of conditions present in a system, product, component or service that violates an implicit or explicit security policy. A vulnerability can be thought of as a weakness or exposure that could have security consequences. Attackers exploit vulnerabilities to compromise confidentiality, integrity, availability, performance, or other security properties.

Vulnerabilities often arise from program or system failures while processing untrusted or unexpected input. Causes of security vulnerabilities include coding or configuration errors, flawed or omitted design decisions, and insecure protocol and format specifications.

The term “vulnerability disclosure” describes the general activities of receiving vulnerability reports and providing information on countermeasures. Further activities, such as examining and prioritizing reports, developing, testing and deploying countermeasures, and improving secure development, are called “vulnerability handling” and are described in ISO/IEC 30111.

Disclosure of a security vulnerability:

– helps to protect data and systems;

– helps to prioritize the allocation of resources to information security;

– improves the risk management process.

The purpose of disclosing a vulnerability is primarily to reduce the risk that it will be exploited. Coordinated vulnerability disclosure is especially important when multiple vendors are involved. The ISO/IEC 29147 standard includes:

– terms and definitions specific to vulnerability disclosure;

– an overview of vulnerability disclosure concepts;

– guidelines for receiving reports of potential vulnerabilities;

– guidelines for disclosing vulnerabilities;

– vulnerability disclosure techniques and policies;

– concrete examples of techniques and policies (Annex A) and of communication (Annex B).

Other related activities that take place between receiving a vulnerability report and disclosing the vulnerability are described in ISO/IEC 30111, which we will cover in the next article.


Sources used:

ISO/IEC 29147:2018 Information technology – Security techniques – Vulnerability disclosure

ISO/IEC 30111:2019 Information technology – Security techniques – Vulnerability handling processes
