
Vulnerability Coordination – a maturity model

Vulnerability handling – how organisations deal with reports of security weaknesses in their software and systems – is a field that has developed a lot in my time working for Janet. When I started most organisations received reports and fixed vulnerabilities on an ad hoc basis, if at all. Now we have guidelines on policies, ideas on motivating researchers to report bugs, even presentations on the psychology of vulnerability reporting.

The latest development is a Vulnerability Coordination Capability Maturity Model (CMM) from HackerOne, setting out five areas where organisations need to prepare if they want to be confident of receiving and handling vulnerability reports: organisational, engineering, communications, analytics and incentives. Like most CMMs, each of these areas has a number of levels, here basic, advanced and expert. Definitions of each level can be found in the slides linked from the HackerOne post, or there is an online self-assessment. For full details of the required processes, the CMM references various ISO standards in the area.

Expert level, at which an organisation can extract information from trends in reporting, identify issues in its development processes, and so on, seems mainly aimed at software vendors, since it presumes a steady stream of vulnerability reports. Basic level, however, seems well worth considering even for organisations that only use, rather than produce, software. If someone finds a vulnerability in one of your online services, you want the problem to be reported and fixed. Even if you only pass the report on to the software vendor, a basic level of vulnerability coordination maturity will help you to assess the risks to your organisation, consider appropriate mitigation measures, and highlight the importance of a fix to your supplier.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
