Cisco Blogs

Cisco Blog > Security

Building in Security from the Ground Up with The Cisco Secure Development Lifecycle

At Cisco, security runs through everything that we do. It is our commitment to deliver verifiable, trustworthy network architectures built on secure software and secure hardware, backed by prudent supply chain security practices.

That’s why Cisco created the Cisco Secure Development Lifecycle (Cisco SDL) to ensure that security is central through the entire product development process. CSDL is a repeatable and measurable process we’ve designed to fortify the resiliency and trustworthiness of our offerings, allowing our customers to deploy high-quality products that they can trust.

Cisco SDL utilizes many industry standards and best practices, including ISO certification as part of our development processes. ISO certification provides customers validation and confidence that our processes, such as common technology requirements, secure coding procedures, code reviews, testing, and verification are consistently executed within our product development.

In 2013, we made internal compliance with the Cisco SDL process a stop-ship-grade requirement for all new Cisco products and development projects. As we make our way through 2014, we are building on this commitment, holding our teams accountable and training stakeholders to understand the importance of Cisco SDL process, adoption, and compliance.

From our Integrated Service Routers (ISRs) to our Aggregation Services Routers (ASRs), more products are being introduced across the Cisco portfolio that are Cisco SDL compliant. We look forward to keeping you up to date on progress with the CSDL initiative over the coming months.

Check out the video below where I explain Cisco SDL in more detail:

Learn more about Cisco SDL here:

Tags: , , , ,

Heartbleed: Transparency for our Customers

We know that communicating quickly and openly about security vulnerabilities can result in a little extra public attention for Cisco. As a trustworthy vendor, this is something we’re happy to accept.

It’s recently been said that there is only one thing being discussed by IT security people right now – the OpenSSL heartbeat extension vulnerability (aka Heartbleed). As the guy responding to related media questions for Cisco, that certainly rings true.

This is an industry-wide issue affecting commonly-used, open source encryption software. Some of my colleagues recommended this blog or this blog for an overview of the topic.

Cisco was one of the first to provide a comprehensive update for our customers (April 9): OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products. This advisory continues to be updated, and at the time of this posting was on its fourth version. It provides an overview of the topic, and a full list of the Cisco products confirmed as affected, remediated, or not affected. It also links to more information, including any available workarounds or free software updates.

Our customers can rely on the fact that our response will be managed according to our long-standing security disclosure policy. This means providing the best information we have, as quickly as possible, even if that information could be incomplete at the time. As we continue to make progress, we will continue to update our public-facing information.

To our customers: we recommend staying connected to this information, and consider any implications for your network.

Tags: , , ,

March 2014 Threat Metrics

The median rate of web malware encounters in March 2014 was 1:260, compared to a median rate of 1:341 requests in February. At least some of this increased risk appears to have been a result of interest in the NCAA tournaments (aka March Madness), which kicked off during the second week of March in the United States.


In February 2014, web malware encounters from sports and video sites were in the 18 and 28 spot, respectively. During March 2014, web malware from sports- and video-related sites jumped to the number 7 and 8 spots, respectively. The presumed longer time spent viewing sports-related content may have been a factor in a 1% decrease in the total volume of web requests in March coupled with a corresponding 18% increase in terabytes received.


The ratio of unique non-malicious hosts to unique malware hosts decreased by 1%, at 1:4841 in March 2014 compared to 1:4775 in February. The ratio of unique non-malicious IP addresses to malicious unique IP addresses also dropped from 1:1351 in February 2014 to 1:1388 in March. There was also far less volatility in the rate of unique malicious IP addresses throughout March compared to February.


Java encounters dropped from 9% of all web malware encounters in February 2014 to 6% in March. At 43% of all Java encounters, Java version 7 exploits were the most frequently encountered, with 26% targeting Java version 6, and 32% targeting other versions of Java.



Web malware encounters from mobile devices decreased 24% from February to March 2014. In March 3.6% of all Web malware encounters resulted from mobile device browsing, compared to 4.7% in February. Conversely, web malware encounters from non-Android and non-iOS devices doubled for the period, from 0.1% in February to 0.2% in March. The cause of this increase was not due to any specific device, but rather an across-the-board increase affecting all non-Android and non-iOS devices.


At 18%, advertising was the most common vector of mobile device encounters, followed by business-related sites at 13% and video-related sites at 11% of mobile device encounters. For comparison purposes, in February 2014, sites in the business category were the most common vector of mobile device encounters (20%), followed by advertising (13%) and personal sites (8%). Video came in fourth in February, at 7%.


Pharmaceutical & Chemical remained at 1100% of median risk for web malware encounters in March 2014, the same rate experienced in February. Companies in the Entertainment vertical experienced an increase from 321% in February to 643% in March. The Energy, Oil & Gas vertical increased from a rate of 276% in February to 397% in March.

To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.



Following a 73% increase from January to February, spam volumes increased another 45% in March to an average of 207 billion spam messages per day.


The top five global spam senders in February 2014 were the United States at 8%, followed by the Republic of Korea at 5%, Russian Federation at 3%, China at 2%, and Ukraine at 1%.

Tags: , , , , ,

OpenSSL Heartbleed vulnerability CVE-2014-0160 – Cisco products and mitigations

*** UPDATED 15-April 2014  ***

By now, almost everyone has heard of the OpenSSL Heartbleed vulnerability with CVE id CVE-2014-0160. The vulnerability has to do with the implementation of the TLS heartbeat extension (RFC6520) and could allow secret key or private information leakage in TLS encrypted communications. For more detailed information, visit the VRT’s analysis.

Cisco maintains an Cisco Event Response Page with details and network mitigations about the vulnerability

Read More »

Tags: , , , ,

Drivers for Managed Security and what to look for in a Cloud Provider [Summary]

The first blog of this series discussing the role of data security in the cloud can be found here.

In 2014 and onward, security professionals can expect to see entire corporate perimeters extended to the cloud, making it essential to choose a service provider that can deliver the security that your business needs.

While organizations can let business needs trade down security we’ve begun to see how a recent slew of data breaches are encouraging greater vigilance around security concerns. For example, a recent CloudTweaks article highlights the need for organizations to be confident in their choice of cloud providers and their control over data. IT leaders have the power to control where sensitive information is stored. They also have the power to choose how, where and by whom information can be accessed.

An important driver in mitigating risk and increasing security is to ask the right questions.

An important driver in mitigating risk and increasing security is to ask the right questions.

Institute Control By Asking the Right Questions

However, adding to fears about ceding the control of data to the cloud is lack of transparency and accountability about how cloud hosting partner/ providers secure data and ensure a secure and compliant infrastructure.  Cloud consuming organizations often don’t ask enough questions about what is contained in their  service-level agreements, and about the process for updating security software and patching both network and API vulnerabilities.

Organizations need reassurance that a cloud provider has a robust set of policies, process and than is using automated as well as the latest technologies to detect, thwart and mitigate attacks, while in progress as well as be prepared to mitigate after an attack.

An important driver in mitigating risk and increasing security is to ask the right questions. When evaluating cloud service providers, IT leaders need to ask:  Read the full blog here.

Tags: , , , , , , , , , , , , , , ,