On Wednesday, September 9th at 11:00 AM ET, we presented "how to prevent security exposure by using IBM Security Bulletin effectively" on IBM Expert TV.
Replay : https://techtv.bemyapp.com/#/conference/5f46ada11ffd8f001b9b82af
Speakers: Jackson Leonard, Kristen Clarke, Hiroko Takamiya
Panelist: Emily Tuczkowski, Alain Del Valle
This blog gives you the overview from the video. We talked about following topics.
- Why staying current on security is important
- How IBM handles vulnerability reports
- The security bulletin listing page for WAS, Java, and IHS
What is Product Security Incident Response Team (PSIRT) ?
As part of IBM Secure Engineering, we have a PSIRT team that manages, investigates and coordinates the release of information for security vulnerabilities. This includes vulnerabilities identified from customers through IBM Technical Support, Third Party Vendors, Security Researchers and Internally found issues.
Link to PSIRT Process https://www.ibm.com/trust/security-psirt
Why it’s important to keep WAS, IHS, and Java secure
Most IBM Cloud products are designed to run on WebSphere Application Server traditional and Liberty, which itself is built on Java. This runtime is responsible for ensuring the integrity and confidentiality of stacked application software.
WebSphere traditional and Liberty manages:
- HTTP transports, SSL handshakes, etc.
- JEE authentication and authorization
- Connections to LDAP, OIDC providers, SAML providers, Databases etc.
Why known vulnerabilities should be remediated continuously
Once a vulnerability is publicly identified, more hackers will be aware of it.
IBM security bulletins are formatted in ways to prevent potential hackers from getting too many details, but this is still a general concern. IBM security bulletin makes it easy to remediate due to iFixes being released.
- IBM proactively supplies iFixes on the latest two fixpack levels at the time of a bulletin’s release
- Be prepared to install iFixes on a relatively short runway
Sources of vulnerability reports
WebSphere receives vulnerability reports from various sources
▪Customer support cases
▪Stack product reports
▪Java vulnerability report
▪Open source vulnerability reports
▪HackerOne (IBM Vulnerability Disclosure Program)
▪Internal FVT, SVT, and threat modeling
▪Internal code review, code scans, penetration scans
How does IBM handle new security vulnerabilities?
If you believe you have identified an exploit, please contact IBM by opening a support case. Do not try to open an RFE! During the investigation of a potential exploit, IBM will…
- Maintain confidentiality for any information about the potential exploit that is not already public
- Engage the product development team and Product Security Incident Response Team (PSIRT) to confirm the exploit and provide a CVE ID and CVSS score
- Provide fixes and (if applicable) mitigations
What about CWEs?
Common Weakness Enumeration – does not represent an actual exploitable vulnerability, but rather a recommendation for security hardening
Often these can be resolved through configuration tasks within the product
Solutions are likely to be documented in the Knowledge Center, or in some cases on component landing pages (“MustGather” pages)
IBM Support can still assist with these, even though they’re not vulnerabilities
Security Bulletin
Security Bulletin List landing page
Arranged by year CVEs are released Common Name of vulnerability CVE (Common Vulnerabilities and Exposures) number CVSS (Common Vulnerability Scoring System) Link to the WAS security bulletin page Link to the IHS security bulletin page Quick reference of Version affected
https://www.ibm.com/support/pages/websphere-application-server-and-ibm-http-server-security-bulletin-list
▪ Updated every time a new security bulletin or an existing bulletin is updated with relevant or significant information
▪ The top of the page shows the 15 most recent security bulletins
▪ After that, CVEs are sorted by date and CVE number
▪ Easy way to keep track of all known vulnerabilities for WAS, IHS, and Java
▪ Information about which versions are affected
▪ Quick reference of common names, CVE number, and CVSS score
Security Bulletin contents
▪ Description – A high level description of the vulnerability. IBM does not intend to provide vulnerability details that could enable someone to craft an exploit of the vulnerability.
▪ Affected Products and Versions – This is the sole determining factor as to whether your systems are affected. Do not attempt to make further determinations based on the vulnerability description.
▪ Remediation/Fixes – action needed to be taken if affected
▪ Workaround and Mitigations – this section identifies usage or configuration changes that may be available in place of fix installation. ▪ https://www.ibm.com/trust/security-psirt-securitybulletins
How can I keep track of security bulletins?
Subscribe to the security bulletin releases: https://www.ibm.com/trust/security-psirt
Bookmark the list page: https://www.ibm.com/support/pages/websphere-application-server-and-ibmhttp-server-security-bulletin-list
Summary
▪ IBM has a well-defined process for identifying vulnerabilities and exposures and providing fixes in the form of security bulletins
▪ Make sure to bookmark the security bulletin list page ▪ Additionally, subscribe to security bulletins to receive e-mail notifications
▪ IBM Support cannot provide more details than what is given in the security bulletins
▪ IBM Support can advise on potential NEW exposures if you think you have found one I
Terminology
▪ PSIRT - The Product Security and Incident Reporting Team Processes governs the handling and communication for ALL security vulnerabilities which are known to exist in supported code.
▪ X-Force - IBM X-Force Exchange is a threat intelligence sharing platform that provides detailed information from the IBM X-Force team on vulnerabilities, IPs, URLs, and web applications.
▪ CVE – Common Vulnerabilities and Exposures, a dictionary of publicly known information security vulnerabilities and exposures.
▪ CVSS – The Common Vulnerability Scoring System, a numerical system used to describe the general severity of a given CVE.
Additional Resources
▪ IBM Security Vulnerability Management: https://www.ibm.com/trust/security-psirt
▪ IBM Security Bulletins explained: https://www.ibm.com/trust/security-psirt-securitybulletins
▪ WebSphere product family Security Bulletin List: https://www.ibm.com/support/pages/websphere-application-server-and-ibm-http-server-security-bulletin-list