I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.


Suppliers and vulnerability management

Tuesday, September 5, 2017 - 09:47
Vulnerability management is a critical aspect of cybersecurity. Understanding and limiting the vulnerabilities in our systems reduces the chance that they will cause harm to others, to Jisc, or to its reputation.
For some products and services (such as computer operating systems), vulnerability management is a relatively mature and well understood field. In others, particularly for highly specialised software, the level of service available from suppliers to help you manage vulnerabilities in their products and systems is variable to non-existent. 
Within our procurements we focus on several aspects of vulnerability management.

That the supplier will work with Jisc on any vulnerabilities we discover

We ask suppliers to acknowledge a report of a security vulnerability by Jisc within two working days. We then ask them to investigate and address these security vulnerabilities within 90 days. The 90-day period is aligned with Google’s Project Zero responsible disclosure deadline.

That the supplier will communicate to Jisc any vulnerabilities that they discover and endeavour to provide fixes or workarounds

We need to know when, how, and to whom, the supplier will communicate any security vulnerabilities in the product or service, and what actions Jisc needs to take to protect our systems.

That the supplier has processes and practices in place that reduce the introduction of vulnerabilities

The existence of secure development and coding practices, and their integration within the software development lifecycle, should not come as a surprise to suppliers in 2017. We need to ensure that the risk of introducing vulnerabilities into systems is minimised, reducing the risk that Jisc becomes the victim of a previously unknown vulnerability.

Where appropriate, we often reference third-party content such as the OWASP Top Ten (a list of the most common security mistakes found in web-based applications).

That the supplier will work with others who discover vulnerabilities in their products and services

Jisc’s vulnerability management becomes simpler and more effective when our suppliers collaborate and work in partnership with third-party security researchers who bring vulnerabilities to their attention. Engagement by the supplier with organisations like MITRE and the Common Vulnerabilities and Exposures (CVE) list ensures that they publish and distribute information on security vulnerabilities in an open and standard way, allowing Jisc’s existing vulnerability management toolsets to automatically manage vulnerabilities in suppliers’ products.