Following a recent Juniper security bulletin discussing unauthorized code, we have fielded a number of related questions from our customers. Being trustworthy, transparent, and accountable is core to our team, so we are responding to these questions publicly.
First, we have a “no backdoor” policy, and our principles are published at trust.cisco.com.
Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. These include, but are not limited to:
- Undisclosed device access methods or “backdoors”.
- Hardcoded or undocumented account credentials.
- Covert communication channels.
- Undocumented traffic diversion.
Second, we have no indication of unauthorized code in our products.
We have seen none of the indicators discussed in Juniper’s disclosure. Our products are the result of rigorous development practices that place security and trust at the fore. They also receive continuous scrutiny from Cisco engineers, our customers, and third-party security researchers, contributing to product integrity and assurance.
Third, we have initiated an additional review of our products for similar malicious modification.
Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience. We are tracking the case as PSIRT-0551621891, and will release any findings in accordance with our Security Vulnerability Policy.
Fourth, we initiated this additional review of our own accord.
Cisco launched the review because the trust of our customers is paramount. We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request. We are doing this because it’s the right thing to do.
Finally, we will investigate all credible reports and disclose findings with customer implications.
We ask all our customers and others to report any suspected vulnerabilities to the Cisco PSIRT for immediate investigation. Consistent with our long-standing process, we will manage and disclose results under the terms of our Security Vulnerability Policy.
Please see more information at our Trust & Transparency Center. Customers with additional questions can contact the Cisco PSIRT at email@example.com, referencing case: PSIRT-0551621891.
Tags: Cisco PSIRT, Cisco Security and Trust Organization, Cisco Security Vulnerability Policy, security and trust
When I was little, my father kept our family car in tip-top shape. He overhauled brakes, rebuilt engines, tuned carburetors, and swapped out suspensions. He could do just about anything, and he knew every component, inside and out.
From an early age, I enjoyed “helping” my father whenever there was a chance. I handed him wrenches, brought him cool glasses of water on hot summer days, and held the flashlight when the repairs went late into the night. Perhaps he could have managed without my help, but we both enjoyed our time together. Even more importantly, I learned from an early age how a little help could make a big difference.
At Cisco, we believe in the power of people helping people. We believe everyone could use a little help sometimes to save time, energy, and to get the most out of what they already have. We may not have a cool glass of water to offer, but we can hand you a useful tool or two while you’re working “under the hood” of your network. This is why we created Cisco Active Advisor.
Tags: best practices, cisco active advisor, Cisco PSIRT, Cisco Verified Design, free, lifecycle management, network inventory
Cisco is committed to protecting customers by sharing critical security-related information in different formats. Guided by customer feedback, Cisco’s Product Security Incident Response Team (PSIRT) is seeking ways to improve how we communicate information about Cisco product vulnerabilities to our Customers and Partners. As John Stewart mentioned in his blog post, the Cisco PSIRT has launched a new and improved security vulnerability disclosure format. The new Cisco Security Advisories can be accessed at http://www.cisco.com/go/psirt and at http://cisco.com/security.
The intent is to make it easier for Customers and Partners to access information about all security vulnerabilities in Cisco products. Each vulnerability disclosed through our new security advisories is assigned a Common Vulnerabilities and Exposures (CVE) identifier to aid in identification. Additionally, Cisco will continue to assess all vulnerabilities using the Common Vulnerability Scoring System (CVSS). Check out the sites for CVE, CVSS, and this CVSS scoring calculator if these terms are relatively new to you or you simply need a refresher.
Tags: Cisco PSIRT, cvrf, Open Vulnerability and Assessment Language (OVAL), OVAL, psirt, security advisories, security automation, vulnerabilities, vulnerability disclosure, vulnerability management
Who doesn’t enjoy a vacation? And not just one day, but – four!
What if there were a cloud service that saved you so much time, you could actually send all of London’s working population on a 4-day vacation?
Well, that’s exactly what Cisco Active Advisor does – save you time and money so you can do just that! Read Pradeep’s post to find out how – Introducing Cisco Active Advisor – A Free Cisco Tool for Your Network.
But more on that later…
Tags: caa, cisco active advisor, Cisco PSIRT, Cisco Verified Design, CVD, End of Life, lifecycle, network discovery, network maintenance, network management
Today, we released the final Cisco IOS Software Security Advisory Bundled Publication of 2014. Six years ago, Cisco committed to disclosing IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year) in direct response to your feedback. We know this timeline allows your organization to plan and help ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes six advisories that affect the following technologies:
- Resource Reservation Protocol (RSVP)
- Multicast Domain Name System (mDNS)
- Session Initiation Protocol (SIP)
- DHCP version 6 (DHCPv6)
- Network Address Translation (NAT)
Tags: Cisco IOS software, Cisco IOS Software Checker, Cisco PSIRT, Cisco Security, psirt, security advisories, vulnerabilities