Those of us in the security industry saw the need to identify and share incident and vulnerability information, but unfortunately ‘security through obscurity’ was often the approach taken – operations over protection. Fast forward to today, and whether you agree or disagree with the state of software security, we at least have the forums and infrastructure to address the issues at a working level.

The Forum of Incident Response and Security Teams (FIRST) is an international organization that provides best practices and assistance when dealing with a security incident. If an attack is underway, there is often strength in numbers for all those being exploited, and this is an avenue to share that information. If you come across a vulnerability in the software you are using on your systems, you have some options on how to handle it.

Many reported vulnerabilities are cataloged as Common Vulnerabilities and Exposures (CVE) entries, which MITRE maintains and which are tracked in the National Vulnerability Database (NVD). You should check here first to see if the issue is already reported. If it exists in the database, then the vendor is aware of the issue and should be working to correct it. There is, however, a level of confidentiality involved, intended to prevent public disclosure and exploitation before a fix is available. While I mentioned FIRST and NVD, your company may have other reporting requirements, so check first.

In the news this week, with its annual PWN2OWN 2021 competition, the Zero Day Initiative continues to discover new vulnerabilities that will need to be addressed. This is a valuable service: it allows vendors to fix previously unknown issues, discovered by security research experts, before they are publicly disclosed and open to exploitation.

Like those experts, we have an obligation to take action on any vulnerabilities we may discover in performing our regular patch or IT activities. Take the time to see if the vulnerability has been reported and contact the vendor to see if it is a known issue. We all benefit in the long run.

April 2021 Patch Tuesday forecast: Security best practices