CERT

Vulnerability Remediation

To reduce the security risks posed by software vulnerabilities, we work to reduce both the number of vulnerabilities introduced into software under development and the number remaining in software that is already deployed. Reducing the number of new vulnerabilities is the focus of our secure coding effort, while removing existing vulnerabilities is the focus of our vulnerability remediation work.

Removing a vulnerability by patching or updating the affected software is usually the most effective fix, but it is not the only way to reduce risk. We promote a comprehensive approach that also includes following best practices, making configuration or architecture changes, and applying workarounds. A configuration or architecture change that removes an unneeded feature, service, or exposure can eliminate a whole class of vulnerabilities rather than a single instance, so in some cases these strategies provide better long-term vulnerability reduction than patching or updating alone. A workaround that only blocks the known attack path, on the other hand, reduces exposure without removing the underlying flaw and should be paired with a proper fix where one exists.

Remediation process

Our vulnerability remediation process involves four basic steps. However, we handle each vulnerability on a case-by-case basis, so the timeframe and cycle may vary.
  1. Collection - We collect vulnerability reports in two ways: monitoring public sources of vulnerability information and processing reports sent directly to us. After receiving reports, we perform an initial surface analysis to eliminate duplicates and false alarms, and then catalog the reports in our database.

  2. Analysis - Once the vulnerabilities are cataloged, we determine general severity, considering factors such as the number of affected systems, impact, and attack scenarios. Based on severity and other attributes, we select vulnerabilities for further analysis. Our analysis includes background research, runtime and static analysis, reproduction in our test facilities, and consultation with vendors and other experts.

  3. Coordination - When handling direct reports, we work privately with vendors to address vulnerabilities before widespread public disclosure. We have established, secure communication channels with hundreds of technology producers, both directly and through relationships with computer security incident response teams (CSIRTs) all over the world. We have years of experience successfully coordinating responses to vulnerabilities that affect multiple vendors.

  4. Disclosure - After coordinating with vendors, we take steps to notify critical audiences and the public about the vulnerabilities. To the best of our ability, we produce accurate, objective technical information focused on solutions and mitigation techniques. Targeting a technical audience (administrators and others who are responsible for securing systems), we provide sufficient information to make an informed decision about risk.

Known Vulnerabilities

Our vulnerability analysis is incorporated into some of US-CERT's documents:

Report Vulnerabilities


Last updated July 23, 2008