Finding and fixing flaws is one challenge, while effectively communicating security updates and risks to users is quite another. It’s a lesson that networking giant Cisco Systems is taking to heart, as it is redefining how it manages and communicates security issues from the Cisco Product Security Incident Response Team (PSIRT).
The new PSIRT efforts involve Cisco making security information more transparent and valuable to users. The PSIRT communications overhaul follows several weeks after Cisco customers were impacted by an attack known as SYNful Knock, which security firm FireEye reported. Though from a timing perspective, the update to PSIRT is close to the SYNful Knock incident, Cisco claims the two are unrelated.
“We’ve been talking about this with our customers for several months,” Omar Santos, principal engineer of Cisco PSIRT Security Research and Operations, told eWEEK.
Cisco is positioning the PSIRT overhaul as a streamlining of how the company communicates vulnerability information. Part of the new PSIRT communication is a Security Impact Rating (SIR) that is now being attached to vulnerability disclosure information.
“SIR is a simplified way to categorize vulnerabilities based on a CVSS score, and it will be highly visible on the disclosure landing page,” Santos said.
The Common Vulnerabilities Scoring System (CVSS) is a standardized way of providing a numerical value for the severity of a given vulnerability. Santos explained that with the updated PSIRT disclosures, instead of complicated numerical metrics, the SIR will clearly define for users a rating of critical, high, medium or low.
“It also provides a more accurate and easy representation of risk in the event that there are additional factors not properly captured in the CVSS score,” Santos said.
As part of looking at vulnerability risk, Santos commented that each advisory continues to have a section called Exploitation and Public Announcements, where Cisco PSIRT documents the exploitability of vulnerabilities.
“We’ve also added a new section called Indicators of Compromise to advise customers on what to watch for as evidence of an intrusion,” Santos said.
Cisco is planning to offer an API that will enable customers to directly consume and integrate product vulnerability information. Santos explained that Cisco will follow best practices for the security of the API and will have API keys to identify users.
“Only the GET HTTP verb will be supported, meaning users will only be able to obtain information from the API and cannot push any notifications, change information or compromise the integrity of what Cisco has published,” Santos said.
One thing that Cisco is not adding as part of its security disclosure revamp is any sort of formal bug-bounty program. Multiple reports and vendors have found great value in bug-bounty programs as a way to rapidly tap into the community of third-party security researchers.
“Cisco’s general philosophy is not to pay for bug or vulnerability reports, primarily because we’ve had great success engaging directly with customers and the research community,” Santos said.
While Cisco doesn’t actually pay researchers for bug reports, Santos noted that Cisco always thanks security researchers who report product vulnerabilities, unless they request not to be acknowledged publicly. At a core level, Cisco isn’t investing in bug-bounty programs because the company is continuing to invest in its own teams to break products down, find vulnerabilities and fix them.
“For a large organization whose technology poses significant barriers to entry for the research community, we see this investment as the best way to spend our dollars,” Santos said. “Building this type of core competency is an important part of any active secure development lifecycle.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.