As security operations manager, one thing that concerns me is the ability to use vendor information within our risk management methodologies. Vulnerability and configuration compliance tools are important assets. The discovery tool allows a team to find vulnerable systems. Configuration tools permit us to set a standard, discover outliers and enforce new policies. Nonetheless, there is a missing component -- the vendor interaction and how it affects your resource planning and immediate risk management.
Already in 2007, we've experienced some interesting vendor dynamics, which have forced us to stretch our normal operational methods. FreeBSD recently froze its ports distribution tree in order to upgrade Xorg and its interdependencies. The freeze meant that even though port maintainers had submitted patched versions of PHP, our normal methods of software patching were hindered. With Apple, we saw a handful of Java and QuickTime interdependent bugs. In one case, a third party's suggestion was to disable Java. This mitigation method left many enterprises at an impasse -- disable Java and hinder work performance, or accept the risk. April brought the remote DNS RPC bug from Microsoft. Even though this vulnerability didn't affect us, it's what began my dive into these thoughts. What's a consumer to do when put in a position of a serious vulnerability without a clear mitigation or solution strategy?
When put in such a position with little information and no place to acquire assistance, we become dependent on our own skills and strategies. The decisions made are highly driven by the vendor's ability to provide assistance. The ad hoc rating system below was spawned by this dilemma. This is a comparison of Apple, Microsoft and FreeBSD. How do your vendors rank?
| Item | Reason | | | |
|---|---|---|---|---|
| Regular Bulletin Release Schedule | ERP | | | |
| Security Announcement Mailing List | Communications | | | |
| RSS Feeds | Communications | | | |
| Email Cryptographically Signed | Info Integrity | | | |
| Security Bulletin: Pre Announcement | ERP | | | |
| Security Bulletin: Summary | Communications | | | |
| Security Bulletin: FAQ | Communications | | | |
| Security Bulletin: Mitigations | Risk Mgmt | | | |
| Security Bulletin: Workarounds | Risk Mgmt | | | |
| Security Bulletin: Update/Patch | Risk Mgmt | | | |
| Security Bulletin: CVE Usage | Interoperability | | | |
| Security Bulletin: CVSS Usage | Interoperability | | | |
| Security Bulletin: Acknowledgments | Communications | | | |
| Security Bulletin: Website Uses SSL | Info Integrity | | | |
| Vendor Free Detection Tool | Risk Mgmt | | | |
| Vendor SDLC Public | Communications | | | |
| Alt Vendor Communication Forum | Communications | | | |
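One way to turn the checklist above into a repeatable scorecard, as an added example that is not part of the original post: the script below encodes each item with the reason category the table assigns it, scores a vendor from yes/no answers, and ranks vendors by average coverage per category (so the seven Communications items do not outweigh the two Info Integrity items). The vendor answers are constructed sample data, not the author's actual ratings of Apple, Microsoft or FreeBSD; the optional `weights` parameter and the vendor names are assumptions of this example.

```python
"""Ad hoc vendor security-response scorecard (added example).

Encodes the post's checklist (item -> reason category) and scores a vendor
from a set of yes/no answers.  SAMPLE_ANSWERS is constructed data, not the
author's ratings of any real vendor.
"""
from collections import defaultdict

# Checklist items and the reason category the post assigns to each.
CHECKLIST = {
    "Regular Bulletin Release Schedule": "ERP",
    "Security Announcement Mailing List": "Communications",
    "RSS Feeds": "Communications",
    "Email Cryptographically Signed": "Info Integrity",
    "Security Bulletin: Pre Announcement": "ERP",
    "Security Bulletin: Summary": "Communications",
    "Security Bulletin: FAQ": "Communications",
    "Security Bulletin: Mitigations": "Risk Mgmt",
    "Security Bulletin: Workarounds": "Risk Mgmt",
    "Security Bulletin: Update/Patch": "Risk Mgmt",
    "Security Bulletin: CVE Usage": "Interoperability",
    "Security Bulletin: CVSS Usage": "Interoperability",
    "Security Bulletin: Acknowledgments": "Communications",
    "Security Bulletin: Website Uses SSL": "Info Integrity",
    "Vendor Free Detection Tool": "Risk Mgmt",
    "Vendor SDLC Public": "Communications",
    "Alt Vendor Communication Forum": "Communications",
}

# Constructed sample answers for two hypothetical vendors.
# Items omitted from a vendor's dict count as "no".
SAMPLE_ANSWERS = {
    "Vendor A": {item: True for item in CHECKLIST} | {
        "Security Bulletin: Pre Announcement": False,
        "Vendor Free Detection Tool": False,
    },
    "Vendor B": {
        "Security Announcement Mailing List": True,
        "Security Bulletin: Update/Patch": True,
        "Security Bulletin: Website Uses SSL": True,
        "Security Bulletin: CVE Usage": True,
    },
}


def score_vendor(answers):
    """Return {category: (items_present, items_total)} for one vendor.

    Unknown item names raise so that a typo cannot silently drop a control;
    missing items count as False so an incomplete questionnaire never
    inflates the score.
    """
    unknown = set(answers) - set(CHECKLIST)
    if unknown:
        raise ValueError(f"items not in checklist: {sorted(unknown)}")
    present = defaultdict(int)
    total = defaultdict(int)
    for item, category in CHECKLIST.items():
        total[category] += 1
        if answers.get(item, False):
            present[category] += 1
    return {c: (present[c], total[c]) for c in total}


def coverage(answers, weights=None):
    """Weighted mean of per-category coverage fractions, in [0, 1].

    Each category defaults to weight 1; pass e.g. {"Risk Mgmt": 3} to
    emphasise the items that matter most during an active incident.
    """
    weights = weights or {}
    scores = score_vendor(answers)
    num = sum(weights.get(c, 1) * have / tot for c, (have, tot) in scores.items())
    den = sum(weights.get(c, 1) for c in scores)
    return num / den


def rank_vendors(vendor_answers, weights=None):
    """Return [(vendor, coverage)] sorted best first."""
    ranked = [(v, coverage(a, weights)) for v, a in vendor_answers.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for vendor, answers in SAMPLE_ANSWERS.items():
        print(vendor, score_vendor(answers))
    print(rank_vendors(SAMPLE_ANSWERS))
```

Running the script prints each vendor's per-category tally and the ranking; with the constructed data Vendor A scores 0.85 and Vendor B roughly 0.28. Zeroing a category's weight excludes it, which is useful when comparing only the Risk Mgmt items that decide what a team can do between disclosure and patch.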

Comments (2)
Security Bulletin: Mitigations
Security Bulletin: Workarounds
Vendor Free Detection Tool
Security Bulletin: Update/Patch
Not to be nit picky, but shouldn't these things be vulnerability management, not risk management?
Posted by Alex | June 1, 2007 6:55 PM
Not a nit picky question. I used to think that there was a distinction. Vulnerability management is just one piece of risk management. I generally only make the distinction based on the audience at hand.
Posted by Andrew Storms | June 4, 2007 8:27 AM