Showing posts with label psirt.

Wednesday, July 21, 2010

Dell Needs a PSIRT

It's clear to me that Dell needs a Product Security Incident Response Team, or PSIRT. Their response to the malware shipping with R410 replacement motherboards is not what I would like to see from a company of their size and stature.

Take a look at this Dell Community thread to see what I mean. It's almost comical.

These are a few problems I see:

  1. They are informing the public of this malware problem using phone calls, not a posting on a Web site. A customer thinks he's being scammed and posts a question to a support forum. Someone named "DELL-Matt M" replies:

    "The service phone call you received was in fact legitimate... We have assembled a customer list and are directly contacting customers like you through a call campaign. On the call, you should be provided a phone number to call if you have additional questions. Hopefully you received this on your call. If not, let me know and we'll get it to you as soon as possible so you have all of the follow-up information needed."

    Another customer rightfully asks: "So why is there no information in the recall links or other readily obvious place on the site?"

  2. The next information about the problem is another post to the same thread from "DELL-Matt M".

    "We will continue to update this forum as new information becomes available or questions arise."

    This story is making the news and Dell will update customers in a forum thread?!?

  3. One customer then questions whether "DELL-Matt M" works for Dell!

    "Will you please post your employee number? In a phone call to Dell this morning I was told that no Dell employee wrote this...."

  4. "DELL-Matt M" replies:

    "Yes Art, I am a Dell employee and the information I posted is accurate. If you need specific information, please contact US_EEC_escalations@dell.com.

    Thanks, Matt"

    Still no link to an official Dell story.

  5. Try searching for "Dell PSIRT" or "Dell security". You get nothing about the security of Dell products.


Dell needs to step up its game. It's shipping products to customers with malware, and it's "handling" the issue through a support forum.

I think my post Every Software Vendor Must Read and Heed referencing Matt Olney's recommendations is a good place to start, Dell!

Wednesday, July 07, 2010

Thoughts on "Application SOC" and New MSSPs

I'd like to briefly comment on a few ideas that appeared on lists I read.

First, in this Daily Dave post from June, Dave Aitel writes:

So when I gave the FIRST talk, one of the questions was "What is the solution?" ...

Immunity sees lots of success (and has for many years) with organizations that have done high level instrumentations [sic] against their applications, and then used powerful data mining tools to look at that data...

So what you see is the start up of what I like to call the "Application SOC". It's like a network SOC, but way more expensive, and with the chance of being actually useful!


On a related note, after discussing iTunes fraud, Stephen Northcutt adds the following comments in this SANS Newsbites post from yesterday:

I think we are seeing more and more market demand for a new type of MSSP, a cross between (1) a software security and quality consultant, (2) a monitoring company that focuses primarily on web logs and probably has some of their own routines (think Suhosin [a PHP hardening system] on steroids ) and (3) a high end code and configuration incident response capability.

Both Dave and Stephen mention an "application SOC" sort of idea, so let's talk about this first. I believe this already exists, and is indeed used effectively by a variety of organizations. It's certainly at the high end of maturity, but it's there.

Logs can be a supplementary data source, consulted for forensic reference during an incident response triggered by a traditional security indicator. Alternatively, logs can provide the primary indicator. Unfortunately, logs alone may not necessarily contain the data needed to convince an analyst that a security incident has occurred.

There's also the problem of failing to build visibility into applications. Gunnar, feel free to reply with a link to your latest logs for developers class!
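As an added illustration (not code from the original post, nor from any product mentioned here), the following Python shows the difference between a bare web-server access log and security events the application emits itself. Both views run the same detection rule over the same burst of failed logins; the access log can only say "many 401s then a 200 from one address", while the application events name the accounts tried, the reason each attempt failed, and the request IDs, which is what an analyst needs to act on the log as a primary indicator. All log lines are constructed sample data, and the JSON field names (event, outcome, user, reason, src, req) are hypothetical.

```python
"""Application-level security events vs. a bare web access log.

Same burst of failed logins seen two ways: the access log gives a source and
status codes only; events the application emits itself name the account and
the reason, which is what an analyst needs to call it an incident.
"""
import json
import re
from collections import defaultdict

# Constructed sample data (not from any real system). Five 401s then a 200 from
# one address, plus one unrelated failure from another.
ACCESS_LOG = """\
203.0.113.7 - - [07/Jul/2010:10:01:02 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [07/Jul/2010:10:01:03 +0000] "POST /login HTTP/1.1" 401 312
198.51.100.9 - - [07/Jul/2010:10:01:04 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [07/Jul/2010:10:01:04 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [07/Jul/2010:10:01:05 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [07/Jul/2010:10:01:06 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [07/Jul/2010:10:01:09 +0000] "POST /login HTTP/1.1" 200 1840
203.0.113.7 - - [07/Jul/2010:10:01:10 +0000] "GET /account/export HTTP/1.1" 200 90211
"""

# The same requests as JSON-lines security events emitted by the application
# itself. Field names are hypothetical; pick your own, but keep them consistent.
APP_EVENTS = """\
{"ts":"2010-07-07T10:01:02Z","event":"auth.login","outcome":"failure","user":"alice","reason":"bad_password","src":"203.0.113.7","req":"r1"}
{"ts":"2010-07-07T10:01:03Z","event":"auth.login","outcome":"failure","user":"bob","reason":"bad_password","src":"203.0.113.7","req":"r2"}
{"ts":"2010-07-07T10:01:04Z","event":"auth.login","outcome":"failure","user":"dave","reason":"bad_password","src":"198.51.100.9","req":"r3"}
{"ts":"2010-07-07T10:01:04Z","event":"auth.login","outcome":"failure","user":"carol","reason":"bad_password","src":"203.0.113.7","req":"r4"}
{"ts":"2010-07-07T10:01:05Z","event":"auth.login","outcome":"failure","user":"dave","reason":"bad_password","src":"203.0.113.7","req":"r5"}
{"ts":"2010-07-07T10:01:06Z","event":"auth.login","outcome":"failure","user":"erin","reason":"no_such_user","src":"203.0.113.7","req":"r6"}
{"ts":"2010-07-07T10:01:09Z","event":"auth.login","outcome":"success","user":"dave","src":"203.0.113.7","req":"r7"}
{"ts":"2010-07-07T10:01:10Z","event":"data.export","outcome":"success","user":"dave","src":"203.0.113.7","req":"r8","rows":4120}
"""

# Common log format: src ident user [time] "method path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_access_log(text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            out.append(rec)
    return out


def failed_then_success_by_source(records, threshold, is_login, failed, succeeded):
    """Generic rule: per source address, count login failures and fire when a
    success follows at least `threshold` failures from that same source."""
    failures = defaultdict(list)
    hits = []
    for r in records:
        if not is_login(r):
            continue
        if failed(r):
            failures[r["src"]].append(r)
        elif succeeded(r) and len(failures[r["src"]]) >= threshold:
            hits.append({"src": r["src"], "failures": failures[r["src"]], "success": r})
            failures[r["src"]] = []
    return hits


def from_access_log(text, threshold=3):
    """Access-log view: a source with >= threshold 401s on /login, then a 200."""
    hits = failed_then_success_by_source(
        parse_access_log(text), threshold,
        is_login=lambda r: r["method"] == "POST" and r["path"] == "/login",
        failed=lambda r: r["status"] == 401,
        succeeded=lambda r: r["status"] == 200)
    # All the access log can say: how many failures, from where. No account.
    return [{"src": h["src"], "failures": len(h["failures"]), "user": None} for h in hits]


def from_app_events(text, threshold=3):
    """Application-event view: same rule, but now with accounts and reasons."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    hits = failed_then_success_by_source(
        events, threshold,
        is_login=lambda e: e["event"] == "auth.login",
        failed=lambda e: e["outcome"] == "failure",
        succeeded=lambda e: e["outcome"] == "success")
    out = []
    for h in hits:
        tried = sorted({f["user"] for f in h["failures"]})
        out.append({
            "src": h["src"],
            "failures": len(h["failures"]),
            "user": h["success"]["user"],   # the account that was actually compromised
            "users_tried": tried,           # several distinct users => spraying, not a typo
            "spraying": len(tried) > 1,
            "reqs": [f["req"] for f in h["failures"]] + [h["success"]["req"]],
        })
    return out


if __name__ == "__main__":
    print(from_access_log(ACCESS_LOG))
    print(from_app_events(APP_EVENTS))
```

On the access log the rule fires once and reports a source address and a count; nothing in that line tells the analyst which account now belongs to the attacker, so the alert is a lead that still needs other evidence. On the application events the same rule yields the compromised account, the fact that five different users were tried (password spraying rather than one user mistyping), and request IDs that tie the later export to the same session. That difference is what building visibility into the application buys.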

Turning strictly to Stephen's remaining points, I think companies like Cigital already have the "software security and quality consultant" space firmly in control.

Stephen's last point, however, seems really interesting. I may be misinterpreting what he said because I like my interpretation, but at the very least he may be advocating for an outsourced PSIRT. I think this is a cool idea. Create an MSSP who provides customer-facing support to vulnerability researchers and others who find software flaws. Work with the software developer to transform vulnerability reports into improved code, handling the public relations, disclosures, coordination with CERT, etc. I don't know of anyone who does that work, but I think every software provider needs a PSIRT. What do you think?

Wednesday, December 30, 2009

Every Software Vendor Must Read and Heed

Matt Olney and I spoke about the role of a Product Security Incident Response Team (PSIRT) at my SANS Incident Detection Summit this month. I asked if he would share his thoughts on how software vendors should handle vulnerability discovery in their software products.

I am really pleased to report that Matt wrote a thorough, public blog post titled Matt's Guide to Vendor Response. Every software vendor must read and heed this post. "Software vendor" includes any company that sells a product that runs software, whether it is a PC, mobile device, or a hardware platform executing firmware. Hmm, that includes just about everyone these days, except the little old ladies selling fabric at the hobby store.

Seriously, let's make 2010 the year of the PSIRT -- the year companies make dealing with vulnerabilities in their software an operational priority. I'm not talking about "building security in" -- that's been going on for a while. Until I can visit a variation of company.com/psirt, I'm not satisfied. For that matter, I'd like to see company.com/cirt as well, so outsiders can contact a company that might be inadvertently causing trouble for Internet users. (And yes, if you're wondering, we're working on both at my company!)

Thursday, May 21, 2009

PSIRT Equals Getting Serious About Product Security

Last fall I wrote Tips for PSIRTs, pointing to a new CERT document giving advice for Product Security Incident Response Teams. Today I read Adobe shifts to Microsoft patching process, incident response plan by Robert Westervelt. The company maintains an Adobe Secure Software Engineering Team and an Adobe Product Security Incident Response Team. All of this is a sign that Adobe is getting serious about product security. It mirrors Microsoft's evolution, and I am glad to see it happening.

I'd like to be able to do a search for "Oracle PSIRT" or "Apple PSIRT" and get real results. The Google Online Security Blog isn't a real PSIRT, either. Just as you should have a CIRT if you use computers, you should have a PSIRT if you sell software.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Friday, November 21, 2008

Tips for PSIRTs

If your company sells software, you probably need to have a Product Security Incident Response Team (PSIRT). The PSIRT should act as the single point of contact for any user of your product to report and coordinate security problems with your software product.

Examples of PSIRTs include:

I think you can tell how seriously a company takes security by whether it promotes its PSIRT, obscures its existence, or doesn't operate one at all. Try comparing Oracle to Cisco, for example.

If you're looking to start a PSIRT, Chad Dougherty's Recommendations to vendors for communicating product security information post on the CERT blog is a great start.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best rates.