I think we would agree the publishing of Common Vulnerabilities and Exposures (CVEs) is a very useful mechanism to collectively evolve and harden our networks and products. It starts the timer, if you will, on a race between the black hats and organizations to respectively exploit or neutralize the CVE. The one thing about a CVE, though, is that it goes from the generally unknown into the light of day for all to see and act upon.
There exists a bit of a grey area, though, around ongoing security hardening. For example, some time back, Microchip released a version of software for the SyncServer S600 network time server that added a variety of user-requested security enhancements. In some cases, the additions were completely new; in others, they made something that was already there even more secure. Which leads me to my point of musing on the topic of disclosure.
For the sake of security in general, we chose not to disclose the specifics regarding what was hardened in the SyncServer. Why point a black hat directly to a convenient place to start hacking away? For example, imagine if a major smartphone manufacturer recommended migrating to the latest version of its OS because it found, and published, that if you do this, that, or another thing on the old OS version you might be able to access stored passwords? Yikes, heaven help us. I'm of the mind that they not tell anyone, just fix it and recommend people upgrade. Or perhaps they force me to upgrade from time to time with those middle-of-the-night upgrades I learn about the next morning, but I digress.
I think there is a certain amount of product manufacturer wisdom and responsibility in discreetly improving and hardening the security aspects of products. In fact, that has been, and will continue to be, the Microsemi/Microchip approach with the SyncServer S600 and S650 network time servers. I find that with time there are fewer requests for hardening as the SyncServer evolves and we respond to customer requests for compliance with ever stricter security policies. Success is "no issues found" after customers perform their security assessments of the product.
Though there were no serious vulnerabilities needing to be mitigated in the recent SyncServer software update, it was rather like adding more armor plating to an already secure device. After all, with major corporations conducting sophisticated security testing of the SyncServers and providing recommendations for hardening improvements, which we often deploy, everyone benefits. As I always say, ongoing software support equals network security, and you can never have too much of that.
And now for the disclaimer: these postings are my own and do not represent Microchip's positions, strategies, or opinions.
I welcome your comments and feedback; connect with me on LinkedIn.