Showing posts with label psirt. Show all posts
Showing posts with label psirt. Show all posts

Wednesday, July 21, 2010

Dell Needs a PSIRT

It's clear to me that Dell needs a Product Security Incident Response Team, or PSIRT. Their response to the malware shipping with R410 replacement motherboards is not what I would like to see from a company of their size and stature.

Take a look at this Dell Community thread to see what I mean. It's almost comical.

These are a few problems I see:

  1. They are informing the public of this malware problem using phone calls, not a posting on a Web site. A customer thinks he's being scammed and posts a question to a support forum. Someone named "DELL-Matt M" replies:

    "The service phone call you received was in fact legitimate... We have assembled a customer list and are directly contacting customers like you through a call campaign. On the call, you should be provided a phone number to call if you have additional questions. Hopefully you received this on your call. If not, let me know and we’ll get it to you as soon as possible so you have all of the follow-up information needed."

    Another customer rightfully asks: "So why is there no information in the recall links or other readily obvious place on the site?"

  2. The next information about the problem is another post to the same thread from "DELL-Matt M".

    "We will continue to update this forum as new information becomes available or questions arise."

    This story is making the news and Dell will update customers in a forum thread?!?

  3. One customer then questions whether 'DELL-Matt M" works for Dell!

    "Will you please post your employee number? In a phone call to Dell this morning I was told that no Dell employee wrote this...."

  4. "DELL-Matt M" replies:

    "Yes Art, I am a Dell employee and the information I posted is accurate. If you need specific information, please contact

    Thanks, Matt"

    Still no link to an official Dell story.

  5. Try searching for "Dell PSIRT" or "Dell security". You get nothing about the security of Dell products.

Dell needs to step up its game. It's shipping products to customers with malware, and it's "handling" the issue through a support forum.

I think my post Every Software Vendor Must Read and Heed referencing Matt Olney's recommendations is a good place to start, Dell!

Wednesday, July 07, 2010

Thoughts on "Application SOC" and New MSSPs

I'd like to briefly comment on a few ideas that appeared on lists I read.

First, in this Daily Dave post from June, Dave Aitel writes:

So when I gave the FIRST talk, one of the questions was "What is the solution?" ...

Immunity sees lots of success (and has for many years) with organizations that have done high level instrumentations [sic] against their applications, and then used powerful data mining tools to look at that data...

So what you see is the start up of what I like to call the "Application SOC". It's like a network SOC, but way more expensive, and with the chance of being actually useful!

On a related note, after discussing iTunes fraud, Stephen Northcutt adds the following comments in this SANS Newsbites post from yesterday:

I think we are seeing more and more market demand for a new type of MSSP, a cross between (1) a software security and quality consultant, (2) a monitoring company that focuses primarily on web logs and probably has some of their own routines (think Suhosin [a PHP hardening system] on steroids ) and (3) a high end code and configuration incident response capability.

Both Dave and Stephen mention an "application SOC" sort of idea, so let's talk about this first. I believe this already exists, and is indeed used effectively by a variety of organizations. It's certainly at the high end of maturity, but it's there.

Logs can be a supplementary data source, for forensic reference during incident response triggered by a traditional security indicator. Alternative, logs can provide the primary indicator. Unfortunately, logs alone may not necessarily contain the data needed to convince an analyst that a security incident has occurred.

There's also the problem of failing to build visibility in to applications. Gunnar, feel free to reply with a link to your latest logs for developers class!

Turning strictly to Stephen's remaining points, I think companies like Cigital already have the "a software security and quality consultant" space firmly in control.

Stephen's last point, however, seems really interesting. I may be misinterpreting what he said because I like my interpretation, but at the very least he may be advocating for an outsourced PSIRT. I think this is a cool idea. Create a MSSP who provides customer-facing support to vulnerability researchers and others who find software flaws. Work with the software developer to transform vulnerability reports into improved code, handling the public relations, disclosures, coordination with CERT, etc. I don't know of anyone who does that work, but I think every software provider needs a PSIRT. What do you think?

Wednesday, December 30, 2009

Every Software Vendor Must Read and Heed

Matt Olney and I spoke about the role of a Product Security Incident Response Team (PSIRT) at my SANS Incident Detection Summit this month. I asked if he would share his thoughts on how software vendors should handle vulnerability discovery in their software products.

I am really pleased to report that Matt wrote a thorough, public blog post titled Matt's Guide to Vendor Response. Every software vendor must read and heed this post. "Software vendor" includes any company that sells a product that runs software, whether it is a PC, mobile device, or a hardware platform executing firmware. Hmm, that includes just about everyone these days, except the little old ladies selling fabric at the hobby store.

Seriously, let's make 2010 the year of the PSIRT -- the year companies make dealing with vulnerabilities in their software an operational priority. I'm not talking about "building security in" -- that's been going on for a while. Until I can visit a variation of, I'm not satisfied. For that matter, I'd like to see as well, so outsiders can contact a company that might be inadvertently causing trouble for Internet users. (And yes, if you're wondering, we're working on both at my company!)

Thursday, May 21, 2009

PSIRT Equals Getting Serious About Product Security

Last fall I wrote Tips for PSIRTs, pointing to a new CERT document giving advice for Product Security Incident Response Teams. Today I read Adobe shifts to Microsoft patching process, incident response plan by Robert Westervelt. The company maintains an Adobe Secure Software Engineering Team and an Adobe Product Security Incident Response Team. All of this is a sign that Adobe is getting serious about product security. It mirrors Microsoft's evolution, and I am glad to see it happening.

I'd like to be able to do a search for "Oracle PSIRT" or "Apple PSIRT" and get real results. The Google Online Security Blog isn't a real PSIRT, either. Just as you should have a CIRT if you use computers, you should have a PSIRT if you sell software.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Friday, November 21, 2008

Tips for PSIRTs

If your company sells software, you probably need to have a Product Security Incident Response Team (PSIRT). The PSIRT should act as the single point of contact for any user of your product to report and coordinate security problems with your software product.

Examples of PSIRTs include:

I think you can tell how serious a company takes security by the way they promote their PSIRT, obscure its existence, or not even operate one. Try comparing Oracle to Cisco, for example.

If you're looking to start a PSIRT, Chad Dougherty's Recommendations to vendors for communicating product security information post on the CERT blog is a great start.

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.