Disclosures of vulnerabilities – a look behind the scenes
In this blog post, I would like to take a closer look at reports of new security vulnerabilities. How are vulnerabilities discovered in the first place – and how can they be eliminated? Keep in mind that there is not just one way to deal with them but a multitude of different options. The approach outlined in this article can therefore only be taken as an example.
The traditional approach: Before updating or launching a new product – this might be any application, a smartphone app or a smart TV – manufacturers commission an external company to carry out a penetration test. Experts check whether the product contains faults that could make it easy for attackers to view confidential data, penetrate the system or impair the product’s functionality. If such a fault is found, it is called a security vulnerability. After the results are evaluated, measures are taken to eliminate the vulnerability. If the product is already in use, it is now common practice to record this in the version history and, if possible, to identify it clearly with a CVE-ID. CVE stands for Common Vulnerabilities and Exposures and is an industry standard for labelling publicly known vulnerabilities. An example would be “CVE-2020-0001”. The ID consists of the CVE designation followed by the year and a sequential number.
Do uncovered vulnerabilities damage a company’s reputation?
I am often asked why a manufacturer should voluntarily announce that their product is affected by a vulnerability. Isn’t that counterproductive? The answer is complex. Of course, admitting mistakes is not conducive to the reputation of a company at first glance.
Covering up vulnerabilities is a dangerous mistake
This also shows that a strategy focused purely on avoiding errors cannot be the solution. What is required, instead, is an integrated approach, which also includes the coordinated and responsible handling of existing vulnerabilities – in particular disclosing vulnerabilities in one’s own products via the company website. Especially if the product is used millions or billions of times worldwide, transparent communication of weaknesses can only be beneficial for a company’s reputation in the long term.
Let’s change the perspective from the manufacturer of the product where a vulnerability has been identified to the company using that product. Today, companies run a large number of software applications that require regular maintenance, which includes updating the software. Anyone who has ever done an update knows that this can entail problems. This is why updates are often tried out in advance on a test system. Patches are therefore rarely applied immediately, but only after a certain amount of time has passed. Nor is every patch applied at all: if, for example, an update only changes the colour of an icon, the patch can also be delayed.
Now let’s assume that a software manufacturer is trying to cover up the fact that their software contained a serious security vulnerability. To fix the problem quietly and secretly, they release a patch that adds a feature users want – for example, a new color for the toolbar. At the same time, the vulnerability is eliminated, but without explicitly mentioning this. Ultimately, this could mean that the IT department of the affected company decides not to install the update for several months – or not at all. If a hacker succeeds in their attack because the vulnerability has been covered up, the reputational damage is likely to be significantly greater than the damage that would be caused if a vulnerability was openly discussed.
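As an added example that is not part of the original post, the following Python script parses CVE-IDs in the format described above and uses them to sort a release history into patches to apply promptly and patches that can wait, which is exactly the signal an IT department loses when a fix is hidden behind a cosmetic change. The sample changelog and the ID CVE-2019-0042 are constructed; CVE-2020-0001 is the post's own example, and the four-or-more-digit sequence number follows the 2014 CVE syntax change, which the post does not mention.

```python
import re

# CVE-ID as the post describes it: the "CVE" label, the year, then a sequence
# number. Since the 2014 syntax change the sequence part has four or more digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def parse_cve_id(cve_id: str) -> tuple:
    """Split a CVE-ID into (year, sequence number); reject malformed IDs."""
    m = CVE_RE.fullmatch(cve_id)
    if not m:
        raise ValueError(f"not a well-formed CVE-ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def extract_cves(text: str) -> list:
    """Return every CVE-ID mentioned in release-note text, in order of appearance."""
    return [f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)]


def parse_changelog(changelog: str) -> list:
    """Parse 'version - description' lines into (version, description, cves) tuples."""
    notes = []
    for line in changelog.splitlines():
        if not line.strip():
            continue
        version, _, text = line.partition(" - ")
        notes.append((version.strip(), text.strip(), extract_cves(text)))
    return notes


def triage(changelog: str) -> dict:
    """Separate releases that name a CVE-ID (apply promptly) from the rest (can wait)."""
    # A vendor that hides a security fix behind a cosmetic change leaves no
    # CVE-ID in the notes, so the release lands in the 'can_wait' bucket.
    notes = parse_changelog(changelog)
    return {
        "apply_now": [v for v, _, cves in notes if cves],
        "can_wait": [v for v, _, cves in notes if not cves],
    }


# Constructed sample release history, not from any real product. CVE-2020-0001 is
# the example ID quoted in the post; CVE-2019-0042 is a placeholder.
SAMPLE_CHANGELOG = """\
1.4.2 - Fixes an input validation error in the update checker (CVE-2020-0001)
1.4.1 - New colour option for the toolbar
1.4.0 - Dark mode; resolves CVE-2019-0042 in the import dialog
"""

if __name__ == "__main__":
    print(triage(SAMPLE_CHANGELOG))
```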
To be continued…
Dr. Benedikt Westermann
Lead Security Analyst / Practice Leader Embedded & Cybersecurity Testing