Software Vulnerabilities

1 April 2016 at 4:25pm
The slides from our Networkshop session on Learning from Software Vulnerabilities are now available. All three talks showed how managing the process of finding, reporting and fixing vulnerabilities can improve the quality of software and the security of our systems.
28 September 2015 at 4:02am
Vulnerability handling – how organisations deal with reports of security weaknesses in their software and systems – is a field that has developed a lot in my time working for Janet. When I started most organisations received reports and fixed vulnerabilities on an ad hoc basis, if at all.
24 June 2015 at 2:21pm
Thanks to recent work, particularly by the Dutch National Cyber Security Centre, the processes that result in successful discovery and reporting of software vulnerabilities are reasonably well understood.
23 June 2014 at 10:55pm
From personal experience many years ago I know the frustration of discovering a security vulnerability in a website, wanting to warn the site owners, but being unable to find a responsive contact to accept the information. However, I also know, from even longer ago, what it's like to be a sysadmin told by a stranger that my precious computer has a bug in it that I urgently need to fix. They no doubt thought they were helping me, but it was awfully tempting to shoot the messenger!
17 April 2014 at 2:49pm
We have responded to the announcement of the OpenSSL vulnerability today, 8th April 2014. Technical advice (detailed below) has been issued to colleagues across the sector to assist them in responding to this vulnerability. In addition, replacement certificates for those organisations affected by this vulnerability will be issued at no cost by the Janet Certificate Service. If your organisation is affected by the OpenSSL vulnerability, is taking steps to address it, and requires a replacement certificate, please visit the following URL for further information.
25 June 2013 at 3:31pm
Bug bounty schemes have always been controversial. In the early days of the Internet someone who found a bug in software was expected to inform the author and help fix it, as a matter of social responsibility. Suggesting that those researching vulnerabilities be paid for their time and effort seemed rather grubby. Unfortunately not everyone shared those scruples.