EMC’s Approach to Vulnerability Response

Let’s face it – real software products have security vulnerabilities! While building strong secure software development practices goes a long way towards detecting and helping to eliminate security vulnerabilities during the development process, a strong product security program also needs to be prepared to properly handle and respond to security vulnerabilities found in the product after it has shipped.

We have designed EMC’s vulnerability response program with the goal of protecting our customers and providing customers with timely information, guidance and mitigation to address the threat from vulnerabilities in EMC and RSA products. Today, I wanted to take a moment to talk about the work of the EMC Product Security Response Center (PSRC) that was created in 2005 to put this goal into practice.

The PSRC is responsible for monitoring, managing, resolving, and responding to EMC and RSA product vulnerabilities.

There are a few guiding principles that I want to call out that software vendors like EMC try to adhere to and that are the cornerstones of any good vulnerability response program:

  1. Ensuring that the vulnerability is not publicly disclosed until a remedy addressing the vulnerability is available
  2. Communicating the remedy to customers in a way that they can take action before attackers may be able to exploit the vulnerability.

We have used the following specific elements in EMC’s vulnerability response program to help meet these guiding principles:

  1. Providing an easy way to report vulnerabilities– we offer on http://www.EMC.com/security a simple way to report vulnerabilities on EMC and RSA products. All vulnerability reports are then redirected to the PSRC for validation.
  2. Collaborating with security researchers – when a security researcher notifies the PSRC of a potential security vulnerability in an EMC or RSA product, we immediately start planning for a remedy for the vulnerability and keep the researcher apprised of the availability of the remedy. We believe in maintaining a good relationship with the researchers and also acknowledging them in our advisories. In return, we ask that the security research community gives us an opportunity to remediate the vulnerability before publicly disclosing it.  EMC believes that coordinating the public disclosure of a vulnerability is key to protecting our customers.
  3. Properly timing the release of the vulnerability – the maximum exposure for a customer in the lifecycle of a vulnerability is during the period when the security vulnerability is widely known and when a remedy for the vulnerability is deployed by the customers. As a product development organization, EMC’s responsibility is to minimize this window of vulnerability. EMC releases the same information on the vulnerability and how to protect against it to all customers at the same time in order to protect all customers equally. This makes sure that all customers are protected while a remedy is being created and receive proper information to remediate the vulnerability and are not exposed to malicious attacks while the remedy is being developed.
  4. Using a security focused communication vehicle – patching and keeping their IT infrastructure constantly updated is a challenge for most customers. Customers expect software vendors to provide them with a communication vehicle that helps them determine the difference between a regular patch and a security remedy so that they can perform proper prioritization in their patching process. The EMC PSRC uses EMC security advisories (ESA) for EMC products and RSA SecurCare® Online security advisories for RSA products as the communication vehicle which helps our customers differentiate from regular product updates provided by EMC. EMC customers can subscribe to the security advisories using EMC Online Support Site (https://support.emc.com)  and RSA customers can subscribe to the security advisories using RSA SecureCare® Online (https://knowledge.rsasecurity.com/scolcms).
  5. Providing the right information in the security advisory – security advisories need to walk the fine line of providing enough details so that a customer can protect themselves but not enough that allows malicious users take advantage of the information and exploit it to the detriment of our customers. EMC ESAs typically provide information such as the severity rating for the vulnerability (EMC uses the Common Vulnerability Scoring System, CVSS: http://www.first.org/cvss/cvss-guide.html), Common Vulnerability Enumeration (CVE: http://cve.mitre.org) identifier for the vulnerability so that the information on the vulnerability can be shared across separate vulnerability capabilities (tools like vulnerability scanners, repositories, and services), a description of the vulnerability, supported products and versions affected, remedy details with update/workaround information, credit to the finder for reporting the vulnerability and working with EMC on a coordinated release. This allows customers to get pertinent information on the nature of the vulnerability and take the right steps to protect themselves.

We also constantly benchmark our practices with the rest of the industry, by way of our participation in Software Assurance Forum for Excellence in Code (SAFECode: http://www.safecode.org), the Forum for Incident Response (http://www.first.org) and the international standards that are being developed for vulnerability disclosure, ISO 29147 (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45170) and vulnerability handling processes, ISO 30111 (http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=53231).

Accommodating these successful, proven elements requires careful attention. It is important for our customers to receive our security advisories as they are intended to keep their product installations secure. So, do make sure you subscribe to our security advisories:

About the Author: Reeny Sondhi

Topics in this article