All software has bugs: some bugs have security implications (“vulnerabilities”). Working out how to resolve those implications quickly and effectively is a challenge – slightly technical, but mostly economic and sociological
The Proposal for a Regulation on Cybersecurity Requirements, recently published by the European Commission, significantly raises the profile of software vulnerabilities and processes for dealing with them after a product is delivered. The Regulation on Digital Resilience in the Financial Sector (DORA), proposed in 2020 and likely to become law shortly, does require organisations to […]
Legal cases aren’t often a source for guidance on system management but, thanks to the cooperation of the victims of a ransomware attack, a recent Monetary Penalty Notice (MPN) from the Information Commissioner (ICO) is an exception. Vulnerability management was mentioned in previous MPNs (e.g. Carphone Warehouse, Cathay Pacific, and DSG), but they don’t go […]
So many “AI ethics frameworks” are crossing my browser nowadays that I’m only really keeping an eye out for things that I’ve not seen before. The Government’s new “Ethics, Transparency and Accountability Framework for Automated Decision-Making” has one of those: actively seeking out ways that an AI decision-making system can go wrong. The terminology makes […]
Some security incidents need more than a technical solution. Two talks at this week’s FIRST conference looked at the importance of human factors, in crisis management and vulnerability handling. Jaco Cloete looked at situations where a cyber-incident can become a business incident, causing reputational damage, social media fallout, loss of market share, regulatory fines, even […]
Ben Hawkes, from Google’s Project Zero, gave a fascinating keynote presentation on vulnerability disclosure policies at this week’s FIRST Conference. There is little disagreement about the aim of such policies: to ensure that discovering a vulnerability in software or hardware reduces/minimises the harm the vulnerability subsequently causes. And, to achieve that, there are only really […]
The slides from our Networkshop session on Learning from Software Vulnerabilities are now available. All three talks showed how managing the process of finding, reporting and fixing vulnerabilities can improve the quality of software and the security of our systems. Graham Rymer and Jon Warbrick presented a case study of discovering and fixing a bug […]
Vulnerability handling – how organisations deal with reports of security weaknesses in their software and systems – is a field that has developed a lot in my time working for Janet. When I started most organisations received reports and fixed vulnerabilities on an ad hoc basis, if at all. Now we have guidelines on policies, […]
Thanks to recent work, particularly by the Dutch National Cyber Security Centre, the processes that result in successful discovery and reporting of software vulnerabilities are reasonably well understood. For those processes to work, though, potentially tricky human interactions need to be negotiated: discoverers don’t know whether they will be regarded as helpers, criminals or sources […]
Tilmann Haak’s presentation at this week’s TF-CSIRT/FIRST meeting was on incorporating security requirements into software development processes using agile methods, but his key points seem relevant to any style of software or system development: Make sure security features are treated as first-class user requirement, of equal status with the functional requirements provided by others. We’ve […]
“Is scanning lawful?” sounds as if it ought to be a straightforward question with a simple answer. However investigating it turns out to be a good illustration of how tricky it is to apply real-world analogies to the Internet, and the very different results that different countries’ legislators (and courts) can come up with when […]