Proactive and Responsible Disclosure Strengthens Business Cybersecurity

Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet

By Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet

Cyberattacks on businesses are growing in size and complexity, with almost one in three UK firms suffering an attack in the past year. With threat actors targeting businesses regardless of size and industry, attacks are now a matter of “if” and not “when.”

Identifying and disclosing vulnerabilities before they have the chance to affect the wider business is crucial to lowering the risk of an attack. With most vulnerabilities stemming from coding errors, early detection is key to protecting devices, businesses and customers from cyber threats. Ensuring this is done responsibly by aligning with government standards and communicating with customers on new and existing vulnerabilities plays a crucial role in protecting businesses against future threats.

Making impactful change

All digital devices and software are built on code. According to one recent industry analysis, an average software code sample contains 6,000 defects per million lines of code. Research indicates that about 5% of those defects can be exploited, roughly translating to three exploitable vulnerabilities for every 10,000 lines of code. In a world of imperfect code, who would we want to find the problems — the manufacturer, users and third party researchers, or malicious actors? While having users or third parties find problems is a common approach, a product’s manufacturer usually has the greatest expertise and resources to bring to bear to finding problems and vulnerabilities.

Every producer of IT products and services is responsible for following robust security standards at all stages of the product development lifecycle. These vendors must also practice responsible radical transparency and proactively search for and disclose vulnerabilities in their software. If a defect poses a security vulnerability it should be reported as such, and not labelled a functional fix or performance upgrade, since many large organizations will apply security patches but are more selective in applying functional fixes. Mis-labeling a security vulnerability as another type of problem doesn’t fully inform users of risk. Practicing radical transparency not only protects product users before they are exploited but also allows other organisations to examine their own code for similar vulnerabilities. There are several ways to do this; self-discovery through rigorous manual code analysis, penetration testing and automated fuzzing; encouraging third-party threat researchers to report discovered vulnerabilities to vendors; and detection via indications of active exploitation (where an organisation discovers a vulnerability itself).

Not all organisations follow the same standards for transparency in vulnerability disclosure regardless of how the gaps in defence are discovered. While there are a number of industry best practices for encouraging responsible disclosure processes, including the National Cybersecurity Centre (NCSC)’s Vulnerability Disclosure Toolkit, adhering to these guidelines is unfortunately not required.

Ensuring collaboration and transparency

IT manufacturers who prioritize building security into their products and services from day one benefit in a variety of ways, ranging from producing more secure offerings that will require less security patching after delivery to building a solid foundation of trust with customers, partners, and the public. Measures manufacturers should include aligning to industry-recognized standards from government organisations, such as the NCSC in the UK and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States.

Also, having timely and ongoing communication with customers is essential in protecting and securing businesses from external threats. Doing so allows for threats to be responded to appropriately. It also allows for remediation measures to be quickly and transparently published. Robust communication enables everyone within a business to understand where associated threats may lie, allowing teams to be proactive in taking additional cybersecurity measures as needed.

Understanding the potential for vulnerabilities to surface while setting high standards for responsible development and disclosure to mitigate them empowers businesses to make informed risk-based decisions about their cybersecurity. To take this one step further, once this policy has been implemented by an organisation, the next step is to adopt a ‘secure by design’ approach.

Secure by design is a concept that prioritises security as a core business requirement. Secure-by-design covers every stage of product development, from concept to end-of-life, while also operating in accordance with leading standards such as NIST 800-53. Embracing secure by design principles also encompasses being transparent about potential risks, proactively disclosing vulnerabilities, and sharing actionable steps to help customers improve their cyber resilience.

Introducing a comprehensive framework

As the threat landscape grows more complex, customers will begin demanding that their vendors embrace secure by design principles, making this approach far more than a “nice to have” feature when procuring software.

For technology providers, having an effective cybersecurity framework in place is vital and requires a continual commitment to transparency, collaboration, and proactive vulnerability disclosure. With code defects posing significant risks, leaders must identify, patch, and disclose vulnerabilities responsibly. Ensuring responsible disclosure empowers organisations to make more security-informed decisions, which improves cybersecurity for all.