We are keen to keep evolving. In 2022, we added the capability to assess and manage containers, added several external information sources and improved security and risk management.
In 2023, we will first address the challenge of product security communications. Many product companies face the challenge that they develop one (or several) pieces of software which are then used in a plethora of products as a key functional element. Unfortunately, software tends to change faster than products, so that different products of the same "type" come with different releases of the software under the hood. This situation poses a major challenge to many PCERT teams. This is why we jump in and not only support the identification and resolution of vulnerabilities, but also the communication to their customers. This will include the product-release mapping, which can then be used to auto-populate VEX documents and Security Advisories. We group this under the general topic of PCERT support.
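To illustrate what the product-release mapping buys you, here is an added example (not code from this post or from the product it describes) that turns a constructed inventory of "which release of a shared component does each product ship" plus a vulnerability finding into one OpenVEX statement per product. The purls, product names, author, document id and the placeholder vulnerability id are all assumptions made for the example; the OpenVEX field names follow the public v0.2.0 specification.

```python
"""Added example: derive per-product VEX statements from a product-to-release mapping.

Everything below is constructed for illustration: the products, the shared
component "netlib", the purls, the author string and the placeholder CVE id.
"""
import json
from datetime import datetime, timezone

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# Constructed inventory: which release of the shared component each product ships.
# Keys and values are package URLs (purls); products and component are invented.
PRODUCT_RELEASES = {
    "pkg:generic/acme/gateway@4.2": "pkg:generic/acme/netlib@1.8.0",
    "pkg:generic/acme/gateway@5.0": "pkg:generic/acme/netlib@2.1.0",
    "pkg:generic/acme/sensor-hub@3.1": "pkg:generic/acme/netlib@1.8.0",
    "pkg:generic/acme/sensor-hub@3.2": "pkg:generic/acme/netlib@2.0.0",
    "pkg:generic/acme/legacy-box@1.0": None,  # component release not yet inventoried
}


def vex_statements(vuln_id, affected_releases, product_releases,
                   fixed_releases=(), action=None):
    """Return one OpenVEX statement per product, derived from the release mapping.

    affected_releases: component releases known to carry the vulnerable code.
    fixed_releases:    component releases that contain the fix (status "fixed").
    Any other inventoried release is reported as not_affected because the
    vulnerable code is not present. Products with no inventoried release are
    reported as under_investigation rather than silently omitted, so a gap in
    the inventory never turns into an implicit "not affected".
    """
    statements = []
    for product, release in sorted(product_releases.items()):
        stmt = {
            "vulnerability": {"name": vuln_id},
            "products": [{"@id": product}],
        }
        if release is None:
            stmt["status"] = "under_investigation"
        elif release in affected_releases:
            stmt["status"] = "affected"
            if action:
                stmt["action_statement"] = action
        elif release in fixed_releases:
            stmt["status"] = "fixed"
        else:
            stmt["status"] = "not_affected"
            stmt["justification"] = "vulnerable_code_not_present"
        # Record which release of the shared component was assessed for this product.
        if release is not None:
            stmt["products"][0]["subcomponents"] = [{"@id": release}]
        statements.append(stmt)
    return statements


def build_vex_document(author, doc_id, statements, timestamp=None):
    """Wrap statements in an OpenVEX document envelope."""
    ts = (timestamp or datetime.now(timezone.utc)).isoformat()
    return {
        "@context": OPENVEX_CONTEXT,
        "@id": doc_id,
        "author": author,
        "timestamp": ts,
        "version": 1,
        "statements": statements,
    }


def status_by_product(statements):
    """Convenience view: product purl -> VEX status."""
    return {s["products"][0]["@id"]: s["status"] for s in statements}


if __name__ == "__main__":
    stmts = vex_statements(
        "CVE-YYYY-NNNNN",  # placeholder identifier, not a real CVE
        affected_releases={"pkg:generic/acme/netlib@1.8.0"},
        product_releases=PRODUCT_RELEASES,
        fixed_releases={"pkg:generic/acme/netlib@2.1.0"},
        action="Upgrade to gateway 5.0 or apply the netlib 2.1.0 update.",
    )
    doc = build_vex_document("ACME PCERT (constructed)",
                             "https://example.com/vex/CVE-YYYY-NNNNN", stmts)
    print(json.dumps(doc, indent=2))
```

The interesting design choice is the `None` branch: a product whose component release is unknown becomes `under_investigation`, which is the honest answer and keeps customers from reading an incomplete inventory as a clean bill of health.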
Still on the agenda is last year's announcement on "Adding Tech Debt". This is not forgotten, but it did not find room alongside the need to cope with our own tech debt and update requirements.
In addition to that, we plan to introduce Threat Modelling. Since we have quite a good understanding of the different modules of a project, we may use this knowledge to generate the basic elements of a Threat Model from this data. This allows the user to complete the model by adding the data transfer lines, and we will be able to support them in assembling a list of risks. Here we can once more support in identifying the corresponding controls and measures to cope with them. Whether we forward a task to remove a library or a task to implement a certain control into Jira makes no difference for Jira, but Security will profit a lot.
But this is not enough. When a vulnerability appears, it will have a CWE and an AV (attack vector) associated with it. These we may then add to the Threat Model, allowing even an outsider to gain a better understanding of the situation and of the new risks associated with this vulnerability. This can trigger new work items and new controls.
And now assume the PCERT integration we talked about just before... What are you waiting for?