Professional Response to Security Incidents
In December 2021, there was a much-publicized security incident. Known as “Log4Shell”, it is a good lesson in how important it is to respond to such problems with readiness, but also with care and structure.
Log4Shell was a vulnerability so critical that it received the highest possible severity rating (CVSS 10.0). It affected the Log4j logging library of the Apache Software Foundation, which is used by countless companies around the world.
The main products of Wibu-Systems (CodeMeter Runtime and SDK, CodeMeter Protection Suite, CodeMeter License Central, CmCloud, WibuKey) were not affected, and CodeMeter Keyring for TIA Portal and CodeMeter Cloud Lite only needed a minor update.
But what happened behind the scenes? How does Wibu-Systems respond to such vulnerabilities in third-party components? What if there is an issue with our own software? A look at our security incident response process:
1. Incident Report
Vulnerabilities and incidents are reported in one of two ways:
- External report: Information about a possible vulnerability is sent by email or via the Incident Management System.
- Internal report: Findings from internal scans, automated code reviews, or other security checks are flagged directly in our internal tracking system.
The information is sent for analysis to our dedicated Product Security Incident Response Team (PSIRT), also called Wibu-CERT (Computer Emergency Response Team). There, four security specialists coordinate the response and support the vulnerability analysis carried out by the Product Security Board (a group of specialists assigned to the job by our developer teams). Each affected product is given a score in line with the accepted industry standard CVSS (Common Vulnerability Scoring System) to establish how severe the issue is.
Two important tasks are covered in this phase:
- Treatment: Once the analysis confirms the severity of the incident, the issue is flagged in our development tracking system. The tag tells our developers how urgent a response is: either the vulnerability is addressed in a planned release, or an immediate bugfix has to be released.
- Coordinated communication: The evaluation is provided to the reporter and, if necessary, further coordinated with them. The CERT mailing list makes sure that clients are told in good time about the vulnerability and the necessary bugfixes. This gives them a vital head start to, for example, prepare their own security advisories and test the necessary fixes before the vulnerability becomes public knowledge.
Security advisories are produced for publication, and a “Tech News Flash” email is sent to our clients, users, distributors, and the relevant authorities with more information about the vulnerability and the available security fixes.
This simple but critical process enables Wibu-Systems to respond immediately and prepare solutions for all affected clients and users, true to our guideline for all security incidents: Be open and be honest!
KEYnote 43 – Edition Spring/Summer 2022