Bob Lord 🔐 :donor: on Nostr: More questions for reporters when they ask companies about CVEs: -Ask about the CWE ...
More questions for reporters when they ask companies about CVEs:
-Ask about the CWE for this CVE. Does it even have one? Some vendors are not diligent at supplying them. If it doesn't have one, ask when that will be corrected.
-Get them to explain the CWE in non-technical terms. Remember, this is a coding error, so don't let them talk about what the villains are doing to exploit the vulnerability, but how the company let this defect through the SDLC.
-How many of those CWEs has this product experienced in the past 2 years? In other words, are they playing whack-a-mole rather than fixing the root cause?
-Do they have a detailed analysis of the internal hard and soft costs that this vulnerability cost the company? What is the dollar cost for this particular CVE? If they don't have a precise financial analysis of CVEs, ask why not.
-Assuming that they issued a patch for their customers, ask what the total cost of applying that fix was to all customers. (Something like number of customers * minutes to install * some $ amount/min)
-Which is greater: the internal cost to patch, or the total cost to all their customers?
-Ask them to explain their roadmap to eliminate this class of vulnerability and ask for dates. Most vulnerabilities have well-known mitigations, so this should be an easy question.
-Ask them when they last eliminated an entire class of vulnerability from their product lines.
-Ask them if they have "well-lit paths" established in their SDLC that will make the path of least resistance for devs the more secure one. Ask for examples.
-If the vulnerability is in an open source component, ask how they are supporting the maintainer and the open source community in general.
What am I missing?
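Several of the questions above (is a CWE assigned at all, is the same CWE recurring within two years, and does the vendor's patch cost exceed the total cost borne by customers) can be answered from a plain list of CVE records. The following is an added illustration, not part of the post; the CVE identifiers, dates and cost figures are constructed sample values, and the helper names are my own.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class CveRecord:
    cve_id: str
    cwe: Optional[str]      # None models a record the vendor never classified
    published: date

# Constructed sample data: a small product's CVE history (not real advisories).
SAMPLE = [
    CveRecord("CVE-2024-0001", "CWE-787", date(2024, 2, 1)),
    CveRecord("CVE-2024-0002", "CWE-787", date(2024, 6, 15)),
    CveRecord("CVE-2023-0003", "CWE-79", date(2023, 3, 10)),
    CveRecord("CVE-2022-0004", "CWE-787", date(2022, 1, 5)),   # older than the window
    CveRecord("CVE-2024-0005", None, date(2024, 9, 30)),       # no CWE supplied
]
AS_OF = date(2024, 12, 1)

def missing_cwe(records):
    """CVEs with no CWE at all: the first question on the list."""
    return [r.cve_id for r in records if not r.cwe]

def recurring_cwes(records, as_of, years=2, threshold=2):
    """CWE classes seen `threshold` or more times in the trailing window.
    A class that keeps recurring is the 'whack-a-mole' signal the post asks about."""
    window_start = as_of - timedelta(days=365 * years)   # approximate, ignores leap days
    counts = Counter(r.cwe for r in records
                     if r.cwe and window_start <= r.published <= as_of)
    return {cwe: n for cwe, n in counts.items() if n >= threshold}

def customer_patch_cost(customers, minutes_per_install, dollars_per_minute):
    """The post's rough estimate: customers * minutes to install * $/minute."""
    return customers * minutes_per_install * dollars_per_minute

def who_pays_more(vendor_cost, customers, minutes_per_install, dollars_per_minute):
    """Compare the vendor's internal fix cost with the aggregate customer cost."""
    customer_cost = customer_patch_cost(customers, minutes_per_install, dollars_per_minute)
    return ("customers" if customer_cost > vendor_cost else "vendor"), customer_cost

if __name__ == "__main__":
    print("unclassified:", missing_cwe(SAMPLE))
    print("recurring in last 2 years:", recurring_cwes(SAMPLE, AS_OF))
    print("who pays more:", who_pays_more(50_000, 10_000, 15, 1.0))
```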