psirt

June 20, 2017

SECURITY

CVRF Version 1.2 Now Available for Public Comment

1 min read

A few months ago, I wrote about the new OASIS Common Security Advisory Framework (CSAF) Technical Committee (TC). The purpose of the CSAF Technical Committee is to standardize the practices for structured machine-readable security vulnerability-related advisories. And then we will further refine those standards over time. The Common Vulnerability Reporting Framework (CVRF) Version 1.2, the […]

March 22, 2017

SECURITY

March 2017 Cisco IOS & IOS XE Software Bundled Publication

2 min read

Today, we released the first Cisco IOS & IOS XE Software Security Advisory Bundled Publication of 2017. (As a reminder, Cisco discloses vulnerabilities in Cisco IOS and IOS XE Software on a predictable schedule—the fourth Wednesday of March and September in each calendar year).  Today’s edition of the Cisco IOS & IOS XE Software Security Advisory […]

March 7, 2017

SECURITY

The Wikileaks Vault 7 Leak – What We Know So Far

3 min read

UPDATE: March 17, 2017 Based on the “Vault 7” public disclosure, Cisco launched an investigation into the products that could potentially be impacted by these and similar exploits and vulnerabilities. As part of the internal investigation of our own products and the publicly available information, Cisco security researchers found a vulnerability in the Cluster Management […]

February 27, 2017

SECURITY

Cisco PSIRT – Mitigating and Detecting Potential Abuse of Cisco Smart Install Feature

5 min read

A Cisco Security Response alerts about possible abuse of the Smart Install feature. While not considered a vulnerability, the Response provides guidance on how to protect their networks against abuse.

January 24, 2017

SECURITY

Keeping Up with Security Vulnerability Disclosures with the Cisco PSIRT openVuln API

3 min read

The Cisco PSIRT openVuln API is a RESTful API that allows customers to obtain Cisco security vulnerability information in different machine-consumable formats. It supports industrywide security standards such as the Common Vulnerability Reporting Framework (CVRF), Open Vulnerability and Assessment Language (OVAL), Common Vulnerability and Exposure (CVE) identifiers, Common Weakness Enumeration (CWE), and the Common Vulnerability Scoring System (CVSS). This API […]

January 20, 2017

SECURITY

Guidelines and Practices for Multi-Party Vulnerability Coordination Open to Review

1 min read

Recent cyber attacks on organizations around the world have demonstrated the need for consistency in managing security vulnerabilities. To answer that demand, the Industry Consortium for the Advancement of Security on the Internet (ICASI) and the Forum of Incident Response and Security Teams (FIRST) created the FIRST Vulnerability Coordination Special Interest Group (SIG). This is […]

January 19, 2017

SECURITY

Scoring Cisco Security Vulnerabilities with CVSSv3

1 min read

The Cisco Product Security Incident Response Team (PSIRT) is now scoring all security advisories addressing security vulnerabilities that affect Cisco products and multivendor vulnerability alerts using the Common Vulnerability Scoring System version 3 (CVSSv3). The stakeholders at the Forum of Incident Response and Security Teams (FIRST) have done a great job in this new version […]

October 31, 2016

SECURITY

The Evolution of Scoring Security Vulnerabilities: The Sequel

3 min read

Back in April, I wrote a blog post about the new version of the Common Vulnerability Scoring System (CVSS). The changes made for CVSSv3 addressed some of the challenges that existed in CVSSv2. For example, CVSSv3 analyzes the scope of a vulnerability and identifies the privileges an attacker needs to exploit it. The CVSSv3 enhancements […]

October 18, 2016

SECURITY

Evolving Security Disclosures : The New OASIS Common Security Advisory Framework (CSAF) Technical Committee

2 min read

During the last few years we have witnessed how the cyber security threat landscape has evolved. The emergence of the Internet of Things combined with recent events have profoundly changed how we protect our systems and people, and drive us to think about new approaches for vendors to disclose security vulnerabilities to customers and consumers. […]