Security Advisories

Numerous web sites provide security advisory listings and details. Though all of them follow the same basic structure, many of them fall short on usability. Segments of the advisory are arranged according to the perceived order of importance for the reader. Before looking at a logical expected order of components of an advisory, let's look at a must-have list of components (in random order).

  • Name
  • Date of Discovery
  • Vulnerability Type
  • Impact
  • Exploit Code / Proof of Concept
  • Vulnerability Description
  • Software Affected
  • Platforms Affected
  • Solution
  • Workaround
  • Vendor Links - Advisory, Patches, Upgrades

To determine the order of importance, the best option is to slip into the shoes of the reader. A simple and quick approach is to look at a vulnerability in systems as if it were an impending blemish to, or malfunction in, your most loved Pontiac, Lamborghini, Jaguar, Ford, Audi... you get the flow. So to begin with, you definitely want to know what the fault is about. Next come the fault vectors, followed by when it was discovered by your tribe. Next in line, you want to know whether your baby is prone to any malfunction and, if she is, how you would find out. You obviously do not want to rely on hearsay, so you'd prefer to see some evidence of malfunction with another car. Once you are convinced, you may want to find out how long she will be out of service (i.e., the total impact or repercussions). Finally, after dreading the impending malfunction, you would want to know in advance how to fix it or avoid it altogether, and which is the nearest dealer or service center that can be contacted!

Now, as security analysts, advisors, and consultants, let's try to list questions on vulnerabilities in order of usable importance, in line with the automobile malfunction.

1. What is the vulnerability about?

2. How can it be exploited?

  • Remotely/Locally
  • Procedure

3. Which software and platforms are affected?

4. Is the exploit code available? Where can I find it?

5. How do I know if I am affected?

6. When was it reported and has it been updated?

7. What is the direct and indirect impact?

8. If I am affected, how do I patch or upgrade the affected component?

9. If, for some reason, I cannot apply a patch or upgrade, is there a workaround available?
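As an added illustration (not part of the original post), the Python below checks an advisory record against the must-have list and prints it in the order of the nine questions. The field names, the mapping of questions to components, the `how_to_check` field and the sample record are all assumptions made for the example.

```python
# Added example. Field names and the question-to-component mapping are assumptions.
MUST_HAVE = [  # the eleven components listed in the post
    "name", "date_of_discovery", "vulnerability_type", "impact", "exploit_code",
    "description", "software_affected", "platforms_affected", "solution",
    "workaround", "vendor_links",
]
READER_ORDER = [  # the post's nine questions, each with the fields that answer it
    ("What is the vulnerability about?", ["name", "description"]),
    ("How can it be exploited?", ["vulnerability_type"]),
    ("Which software and platforms are affected?", ["software_affected", "platforms_affected"]),
    ("Is the exploit code available?", ["exploit_code"]),
    ("How do I know if I am affected?", ["how_to_check"]),  # hypothetical extra field
    ("When was it reported and has it been updated?", ["date_of_discovery"]),
    ("What is the direct and indirect impact?", ["impact"]),
    ("How do I patch or upgrade?", ["solution", "vendor_links"]),
    ("Is there a workaround?", ["workaround"]),
]

def _value(advisory, field):
    return str(advisory.get(field) or "").strip()

def missing_components(advisory):
    """Must-have components that are absent or empty, in checklist order."""
    return [f for f in MUST_HAVE if not _value(advisory, f)]

def render(advisory):
    """Lay the advisory out question by question, in reader-first order."""
    lines = []
    for n, (question, fields) in enumerate(READER_ORDER, 1):
        lines.append(f"{n}. {question}")
        for f in fields:
            lines.append(f"   {f.replace('_', ' ')}: {_value(advisory, f) or '(not provided)'}")
    return "\n".join(lines)

# Constructed sample record, deliberately stored in an arbitrary order.
SAMPLE = {
    "vendor_links": "https://vendor.example/advisory",
    "impact": "Attacker can read other users' files",
    "name": "ExampleApp path traversal",
    "workaround": "",
    "solution": "Upgrade to the fixed release",
    "date_of_discovery": "2007-01-15",
    "description": "File download handler does not normalise the path",
    "exploit_code": "None published",
    "vulnerability_type": "Remote, input validation",
    "software_affected": "ExampleApp 1.x", "platforms_affected": "All",
}

if __name__ == "__main__":
    print(render(SAMPLE), "\nMissing:", missing_components(SAMPLE))
```
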

A lot of web sites like SecurityFocus, Secunia, FrSIRT, US-CERT, X-Force, etc. provide excellent vulnerability details. Some provide logical sections of the vulnerabilities on different tabs, whereas some provide detailed descriptions and references on the same page. Both these methods are useful for different sets of users. However, this scribe was only to bring forth the importance of order in the context of usability.

Please feel free to give your inputs.

Note: The criticality level has been left out intentionally because it is one component which differs greatly from one web site to another and also, a scratch on your beloved car would remain a scratch, no matter how big or small it is!
