The long years of experience have taught me through experience, hardware & software vulnerabilities are guaranteed. It is not a matter of “if” but when. The sad reality is that most hardware and software vendors are not ready for vulnerabilities when they happen. Their response ranges from “I’m going to take legal suit” against the person who found the vulnerability, to hiding the vulnerability, to pretending that it does not exist (if I don’t acknowledge then it does not exist). A smaller group of vendors have taken a different stance. They know vulnerabilities are real, normal, and part of their product lifecycle. These vendors work with each other, work with their customers, and focus on minimizing the risk. These vendors never give up, always looking for more tools, more proactive testing, more training, faster response time to get their customers security patches, and a broad effort to teach others from their experiences.
FIRST – the Community who Embraces Vulnerability Response
That community of vendors who embrace the reality of vulnerabilities gathered in Forum of Incident Security Response Teams, Inc. (FIRST). For over two decades, FIRST has been the core community of security incident response teams. FIRST comprises of Computer Emergency Response Team (CERT), Security Incident Response Teams (SIRTs), Product Security Response Teams (PSIRT), Security Operations Centers (SOCs), Managed Security Service Providers (MSSPs), and a whole range of other organizations and individuals. The vast majority of FIRST members are hardware & software vendors. ALL the National CERT teams are part of FIRST. Over the years, FIRST has used this vast collective experience to empower others. On June 21st, 2018 FIRST continued this spirit of empowering others with the new Product Security Incident Response Teams (PSIRT) Services Framework (PDF)
Product Security Incident Response Teams (PSIRT) Services Framework
The PSIRT Framework is the collective wisdom from the best minds in the incident response field. The tools in the PSIRT Framework are not theory, they are lessons from “the school of hard knocks.” It is experience pulled together with educational materials, an online tutorial, and a support community (via FIRST). This allows all sorts of organizations to build their own vulnerability response team. If you cannot find security people, look for someone on staff who has the desire, given them the PSIRT Framework and then send them to FIRST. That “in-house” person would then be able to plug into the best incident response teams who all constantly help each other through their pain.
The #1 tool the FIRST community has learned over the years is collaboration. The world will not see it, but the members of FIRST are constantly working with each other, sharing with each other, helping each other, and collectively working for the best interest of FIRST collective constituents – all those “connected-people and connected-things.” The PSIRT Framework, the training for the PSIRT Framework, and the FIRST community are here to help companies “plug it” and not be blindsided when the vulnerability is disclosed.
Don’t wait for the Brian Krebs or Black Hat disclosure! Prepare your organization by starting with FIRST PSIRT Framework!
FIRST Press Release is included here to help others explore this and other tools published by the FIRST community.
FIRST Releases Training to Help Companies Respond to Product Vulnerabilities
The Forum of Incident Security Response Teams, Inc. (FIRST) is pleased to release the final Product Security Incident Response Teams (PSIRT) Services Framework (PDF) and accompanying training video course. This framework and training video course were developed by a global team of PSIRT practitioners from FIRST members and relevant subject matter experts.
June 21st, 2018 – The Forum of Incident Response and Security Teams (FIRST) have today announced the release of new training resources to help companies build and mature Product Security Incident Response Teams (PSIRTs). Developed by FIRST’s own PSIRT committee the materials are aimed at inhouse teams responsible for identifying and responding to product vulnerabilities. The purpose of the training is to demonstrate the differences and requirements management and stakeholders should be aware of to fully realize the potential of a PSIRT to their organization. This training supplements the PSIRT Framework, which was developed over the course of the last few months by security practitioners across FIRST’s global members.
“Through the PSIRT Framework and training material, some of the industry’s leading security experts are sharing all their expertise for managing security crises,” stated Thomas Schreck, Chair of FIRST. “The accompanying video training will introduce all interested parties to the core services areas within the PSIRT Service Framework.”
The training materials help companies build and implement strategies to mitigate and respond to vulnerabilities in the products and hardware that propel much of the information infrastructure. “Recent events have shown the importance of having the ability to quickly respond to product vulnerabilities,” stated Serge Droz, Board member and Education Liaison. “This new framework is designed to assist both those looking to start a PSIRT program as well as those looking to mature their existing capabilities.”
If an organization engineers and develops products or services for customers that are internet connected, the PSIRT Committee suggests using the Framework as a means to support incident responders. The Framework can also be used to convey to others, in a common language, the importance of working on product security issues. Version 1.0 of the PSIRT Framework, released at the same time, is available on the FIRST website:
The training materials are available to the public for educational use on https://learning.first.org. FIRST will also provide training to PSIRT teams as part of its current Education and Training Program.
About the PSIRT Training Course
This video-based course introduces practitioners to the core Service Areas of the PSIRT Services Framework.
The course covers the key concepts of developing and maintaining a mature PSIRT.
- What a PSIRT is and the various organizational structures to them;
- The foundations of a solid PSIRT;
- How to define and manage stakeholders;
- Vulnerability discovery, reporting, and intake;
- Vulnerability qualification and reproduction;
- Patch management, remediation, and incident handling;
- Stakeholder notification, coordination, and disclosure;
- Training within your organization to ensure efficient product security processes.
FIRST thanks and recognizes the following organizations for participating in the production of the training videos DELL, EMC, Hikvision, Honeywell International, Lenovo, Microsoft, NVIDIA, Oracle, CERT/CC, and Red Hat.
Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from more than 360 corporations, government bodies, universities and other institutions across 78 countries in the Americas, Asia, Europe, Africa, and Oceania. It promotes cooperation among computer security incident response teams. For more information, visit: https://www.first.org.