The number of reported vulnerabilities of a product is sometimes cited as a measure of its relative security. In this article, we will dispel the notion that the count of Common Vulnerabilities and Exposures (CVEs) is a useful indicator of the security of products. Rather, CVEs simply serve to catalog security vulnerabilities and provide the needed [...]
At Cisco, our leadership made the decision over twenty four years ago that we would clearly publicly communicate security vulnerabilities or other issues that could potentially expose customers to risk. This is when the Cisco Product Security Incident Response Team (PSIRT) was born. Our team and the security vulnerability process has evolved to meet customer [...]
The Industry Consortium for Advancement of Security on the Internet (ICASI) welcomes new members Honeywell International and BlackBerry Limited into the consortium. In this increasingly connected ecosystem, industry leaders are banding together to better coordinate vulnerability response, promote security response best practices, and be an active partner with security researchers to make the Internet more [...]
On October 16th, Mathy Vanhoef and Frank Piessens, from the University of Leuven, published a paper disclosing a series of vulnerabilities that affect the Wi-Fi Protected Access II (WPA2) protocol. These are protocol-level vulnerabilities that affect wireless vendors providing infrastructure devices and wireless clients, which follow the WPA and WPA2 specifications. These vulnerabilities were also referred to as “KRACK” [...]
During the last few years we have witnessed how the cyber security threat landscape has evolved. The emergence of the Internet of Things combined with recent events have profoundly changed how we protect our systems and people, and drive us to think about new approaches for vendors to disclose security vulnerabilities to customers and consumers. [...]
Dr. Dan Plante is a very persuasive guy. Plante serves as professor of Computer Science at Central Florida’s Stetson University. In 2008, to promote collaboration between his students and the university and enhance computer security on campus, he convinced the university to allow him to develop a unique computer and networking class that uses the [...]
On 8-9 September, 2016, OASIS will host Borderless Cyber Europe 2016 at the European Commission Headquarters in Brussels, Belgium. Those who attend the event will be able to participate in discussions on the value of threat information sharing as well as learn how to better protect their customers by sharing their experiences with one another. [...]
An eWeek article tells how Cisco’s release of its OpenVuln API, based on the ICASI Common Vulnerability Reporting Framework (CVRF) and other standards, is a further push by the company to make security advisories easier to consume and act upon. Omar Santos, principal engineer of Cisco PSIRT Security Research and Operations and also ICASI’s USIRP [...]
This week I’m attending the 2015 FIRST Conference in Berlin (www.first.org) to co-chair a meeting of the newly chartered Vulnerability Coordination SIG. This SIG was born out of issues such as Heartbleed, which highlighted the need for a multi-faceted solution to the difficult challenges of vulnerability coordination across a diverse, global stakeholder community. ICASI recognized [...]
In support of its efforts to facilitate industry-wide conversation around ways to improve vulnerability coordination, ICASI will be hosting two sessions on the topic during this week’sFIRST Conference in Boston. We encourage anyone who will be at FIRST to stop in and join the discussion. The sessions will be as follows: Panel: Developing a Multi-Faceted [...]