New ISO Standards on Vulnerability Handling and Disclosure

New ISO Standards on Vulnerability Handling and Disclosure
Also in the news, ISO standard 30111 was published recently (on Jan 21) - a standard for the Vulnerability Handling Processes. The standard was edited by Katie Moussouris, Senior Security Strategist Lead at Microsoft The standard covers all the basics, including Vulnerability Verification steps, the Vulnerability Handling Process, and of particular interest is that it delineates where vendors should and should not be in the process. The companion document, ISO 29147 (published in 2013) covers Vulnerability Disclosure. This one is extremely valuable both to security researchers and for any company with a software product. This standard includes guidance on buidling a framework to address vulnerabilities, including a 5 step process that guides vendors through initial receipt and verification of the vulnerability, developing a resolution, releasing the final fix and communication with customers after the fix is released As with all ISO standards, unfortunately these are not free - both are well worth it if the standards apply to your organization. If your organization writes code, or if you sell hardware that runs code, both of these standards are a must-have. ISO 30111 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=53231 ISO 29147 can be purchased here: http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170 =============== Rob VandenBrink Metafore	Rob VandenBrink 542 Posts ISC Handler
Subscribe	Feb 7th 2014 6 years ago
"As with all ISO standards, unfortunately these are not free " It's not just that ISO standards aren't free... it is that the price of ordering a copy of ISO standards such as 27001 just to study are really very expensive... For the price of just one of the sections of the standards; you can buy a few thick books on Security Incident Response.	Anonymous
Quote	Feb 9th 2014 6 years ago