Vulnerabilities Are Not A Security Problem

Common sense might tell you that the best people to deal with a security issue are security people, but that often couldn't be further from the truth.

Picture a scenario where a vulnerability has been identified in a newly-developed feature; for the sake of this analogy we'll say the vulnerability is down to broken access controls and would let a would-be attacker enumerate some account information of other user's of the application.

‍

In this instance an Information Security Manager (ISM) might respond, quite understandably, by blocking the release until the bug is fixed. After all, broken access controls have made it to #1 on the OWASP Top 10 and getting this issue fixed would seem pretty fundamental to most ISM's.

‍

So the ISM reaches out to the developers and tells them to fix the issue. It takes them a week to get solved, meanwhile they've pushed back a product release and are now behind schedule on the product roadmap.

‍

Picture instead what would happen if a working group was setup between key stakeholders:

‍

• The ISM could chair the meeting and share information about the vulnerability,
• A developer could then provide insight on how long it might take to fix,
• A data protection officer could confirm that the information disclosed is considered low-impact,
• A SOC analyst could implement a WAF rule to temporarily limit exposure, and a SEIM rule to monitor for attacks,
• A CTO could add addressing the issue into a wider programme of fixing bugs over the next few months.

‍

Simply engaging these five people could sufficiently manage the risk and enable the business to progress.

‍