Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: New ISO Standards on Vulnerability Handling and Disclosure - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
New ISO Standards on Vulnerability Handling and Disclosure

Also in the news, ISO standard 30111 was published recently (on Jan 21) - a standard for the Vulnerability Handling Processes.  The standard was edited by Katie Moussouris, Senior Security Strategist Lead at Microsoft

The standard covers all the basics, including Vulnerability Verification steps, the Vulnerability Handling Process, and of particular interest is that it delineates where vendors should and should not be in the process.

The companion document, ISO 29147 (published in 2013) covers Vulnerability Disclosure.  This one is extremely valuable both to security researchers and for any company with a software product.  This standard includes guidance on buidling a framework to address vulnerabilities, including a 5 step process that guides vendors through initial receipt and verification of the vulnerability, developing a resolution, releasing the final fix and communication with customers after the fix is released

As with all ISO standards, unfortunately these are not free - both are well worth it if the standards apply to your organization.  If your organization writes code, or if you sell hardware that runs code, both of these standards are a must-have.
ISO 30111 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=53231
ISO 29147 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170

===============
Rob VandenBrink
Metafore

Rob VandenBrink

458 Posts
ISC Handler
"As with all ISO standards, unfortunately these are not free "

It's not just that ISO standards aren't free... it is that the price of ordering a copy of ISO standards such as 27001 just to study are really very expensive...

For the price of just one of the sections of the standards; you can buy a few thick
books on Security Incident Response.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!