Last updated: 
1 month 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Vulnerability Coordination - a maturity model

Monday, September 28, 2015 - 04:02

Vulnerability handling – how organisations deal with reports of security weaknesses in their software and systems – is a field that has developed a lot in my time working for Janet. When I started most organisations received reports and fixed vulnerabilities on an ad hoc basis, if at all. Now we have guidelines on policies, ideas on motivating researchers to report bugs, even presentations on the psychology of vulnerability reporting.

The latest development is a Vulnerability Coordination Capability Maturity Model (CMM) from hackerone, setting out five areas where organisations need to prepare if they want to be confident of receiving and handling vulnerability reports: organisational, engineering, communications, analytics and incentives. Like most CMMs, each of these has a number of different levels – here basic, advanced and expert. Definitions of each can be found in the slides linked from the hackerone post, or there’s an on-line self-assessment. For full details of the required processes, the CMM references various ISO standards in the area.

Expert level - when an organisation will be able to extract information from trends in reporting, identify issues in development processes, etc. - seems mainly aimed at software vendors, since it presumes a steady stream of vulnerability reports. However basic level seems well worth considering even for organisations that only use, rather than produce, software. If someone finds a vulnerability in one of your on-line services, you want the problem to be reported and fixed. Even if you only pass the report on to the software vendor, a basic level of vulnerability coordination maturity will help you to assess the risks to your organisation, consider appropriate mitigation measures, and highlight the importance of a fix to your supplier.