Computer Incident Response and Product Security

Monday, January 31, 2011

shawn merdinger


Book Review - Computer Incident Response and Product Security:  The practical guide to building and running incident response and product security teams, by Damir Rajnovic and contributing author Mike Caudill of Cisco PSIRT, is a book recently published by Cisco Press in December, 2010 (ISBN 978-1-58705-264-4).

It is really two books in one, with the first six chapters focused on more traditional computer incident response, and the seventh through thirteenth chapters covering the development of a product security response. 

The second part of the book is what is really innovative, and this section will prove particularly useful for software vendors who are exploring the building of an internal team to respond to security issues discovered in their products.  Far too many software vendors have absolutely zero response in place and this failure is what has led to many security researchers disclosing a vendor's software vulnerabilities on mailing lists like Bugtraq and Full-Disclosure.

Speaking from first-hand experience as a security researcher, it can be a frustrating experience trying to find an appropriate contact at a vendor to try and do "the right thing" in responsibly reporting a vulnerability to them.  Quite frequently, a security researcher will spend valuable, uncompensated time merely tracking down a competent, qualified technical person in that vendor's organization; and more often than not, will spend even more time with the tedious back-and-forth explaining the vulnerability and why it should be fixed.

Having a team and process in place to handle incoming vulnerability reports from external sources is a sign of vendor maturity.  Not having either can quite likely result in a vendor having a "zero day" vulnerability and proof-of-concept exploit published on a public mailing list.  To be sure, a zero-day publication can happen to even an established vendor -- put simply, security researchers are a finicky, unpredictable lot who are often some smart guy who may be in a far-off land and quite likely completely uncaring about a vendor's threats, legal or otherwise.

Savvy vendors know how to deal with security researchers, and a big part of that handling is good communications and recognition of the value that the security researcher is providing.  This book will help any software vendor develop that security vulnerability handling acumen and realize that good product security incident handling is good business.  As Cisco PSIRT managers, the authors have many years of dealing with product vulnerabilities and security incidents -- take my word for it, these guys have seen a lot and you can learn from them.

N.B. In the spirit of full-disclosure, I am a former Cisco employee with an internal product security testing team who has previously worked with several members of PSIRT, including Gaus and Mike.  However, I've also reported vulnerabilities to Cisco PSIRT as an independent security researcher, and therefore I can speak from multiple perspectives.

The following is a brief chapter-by-chapter overview:

Chapter 1:  Why Care About Incident Response?

Overview of the business case for IR, legal rationale and costs.

Chapter 2:  Forming an IRT

Steps to establish an IRT, getting upper-management buy-in and support, selling the service to internal groups, types of teams (virtual, decentralized), developing policies and procedures, NDAs.

Chapter 3:  Operating an IRT

The mechanics behind day-to-day operations including incident tracking, handling incoming reports, setting expectations.  Very useful insights into team member profiling (i.e. get people who do not panic easily!), coordination with other internal groups (legal, internal IT) and external (the press).  Good insights into preparation, creation of probable scenarios, and defining metrics of success. 

Chapter 4:  Dealing with an Attack

Addresses assigning ownership, dealing with LEA involvement, defining the scope, and builds on aspects covered in Chapter 3.

Chapter 5:  Incident Coordination

Touches on who the involved parties should be, dealing with geographical and timezone differences, setting up standard contacts (i.e. very important to have a '' email and encryption/PGP).

Chapter 6:  Getting to Know Your Peers: Teams and Organizations Around the World

Provides a nice overview of the players from a worldwide perspective, different organizations like FIRST, APCERT, INFRAGARD, ISAC, etc.

Chapter 7:  Product Security Vulnerabilities

Delves into some of the more tricky definitions -- what qualifies as a product vulnerability?  Does there need to be an exploit?  What about a vulnerability found by internal testing, security or otherwise?

Chapter 8:  Creating a Product Security Team

What is the rationale for building up a product security team?  What should be the PST's role in dealing with engineering, product development, technical support and other groups?  How should the PST interact with other teams?  What about those sales and marketing guys -- how should the PST interact with them?  How big should the PST be?  Should/can they have global 24-hour response coverage?

Chapter 9:  Operating a Product Security Team

Gets into day-to-day technicals like a lab and testing environment, working hours, building a vulnerability tracking system.

Chapter 10:  Actors in Vulnerability Handling

My favorite chapter as it helps identify the players in the game like researchers, vendors, coordinators, users and how they play (or don't play) together.

Chapter 11:  Security Vulnerability Handling by Vendors

Covers the steps in the process in detail -- from discovery to triage to reproduction to remedy.

Chapter 12:  Security Vulnerability Notification

One of the most important chapters.  This is the fruit of your labors, and the public face and outcome of the PST's work.  Covers how notification can take place, who finds out first, public versus selective.  Nice section on the actual formatting structure and medium, as well as updating and maintaining advisories.

Chapter 13:  Vulnerability Coordination

Brief section with points on cooperating with the competition.  Touches on two huge areas: maintaining cultural sensitivity and using good communications skills.

Useful Links:

1.  Cisco Press:

2.  Sample Chapter:

3.  Cisco PSIRT:
