Versions Compared

Old Version 3

changes.mady.by.user user-5e993

Saved on

compared with

New Version 4

changes.mady.by.user user-f8986

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Insofar as cloud-based services are built on traditional computing platforms, cloud service providers can be considered deployers as we've described above. However, as cloud-based services (e.g., software, platform, and infrastructure as a service) have risen to prominence, they have also distinguished themselves from traditional software vendors in that their development, deployment, and delivery processes for security fixes tend to be much more direct. 

For many cloud providers, the number of distinct instances of their software is quite limited, and control is centralized, so there are fewer independent decision makers in the path from vulnerability report to patch deployment.

Furthermore, the prevalence of DevOps practices among such providers means that the time from code commit to last vulnerable system patched can sometimes be measured in minutes. To be sure, development and delivery processes in traditional software environments have accelerated considerably as well, but the fact that cloud service providers have direct control over the vulnerable systems makes a significant difference in their ability to mitigate vulnerabilities across all their users in short order.

...

Another class of vendors are the purveyors of Internet of Things (IoT) products. The physicality of IoT products and services often places them on the opposite end of the deployment spectrum from cloud-based services.

Unlike most other devices (laptops, PCs, smartphones, tablets), many of today's IoT products are either non-updateable or require significant effort to update. Whether we're talking about cars, televisions, medical devices, airplanes, sensors, home automation, or industrial control systems, too often today the patch deployment process involves going out and physically touching the thing that must be updated. Systems that cannot be updated become less secure over time as new vulnerabilities are found and novel attack techniques emerge. Because vulnerabilities are often discovered long after a system has been delivered, systems that lack facilities for secure updates once deployed present a long-term risk to the networks in which they reside. This design flaw is perhaps the most significant one already found in many IoT products, and if not corrected across the board, could lead to years if not decades of increasingly insecure devices acting as reservoirs of infection or as platforms for lateral movement by adversaries of all types. Patch deployment will likely improve as more connected things get over-the-air (OTA) update capabilities, but there is already a large installed base of systems lacking such features. 

...

Mobile Platforms and Applications

...

Mobile

...

devices

...

present

...

yet

...

another

...

class

...

of

...

stakeholders

...

that

...

has

...

grown

...

distinct

...

in

...

recent

...

years.

...

The

...

device

...

vendors

...

themselves

...

are

...

most

...

akin

...

to

...

IoT

...

vendors,

...

but

...

app

...

developers

...

can

...

be

...

quite

...

a

...

diverse

...

bunch,

...

ranging

...

from

...

very

...

large

...

traditional

...

software

...

companies,

...

to

...

cloud

...

service

...

providers,

...

to

...

novices

...

with

...

a

...

good

...

idea

...

and

...

a

...

few

...

hours

...

of

...

coding.

...

Perhaps

...

the

...

most

...

significant

...

outstanding

...

issue

...

is

...

that

...

many

...

mobile

...

devices

...

have

...

multi-stage,

...

vertical

...

supply

...

chains,

...

each

...

step

...

of

...

which

...

can

...

stand

...

in

...

the

...

way

...

of

...

security

...

updates

...

reaching

...

their

...

intended

...

beneficiaries

...

(i.e.,

...

the

...

users)

...

\[1].

...

In

...

both

...

the

...

mobile

...

and

...

IoT

...

spaces,

...

high-viscosity

...

supply

...

chains

...

are

...

bad

...

for

...

end-user

...

security.

Governments

...

Governments

...

are

...

multifaceted

...

stakeholders

...

in

...

regards

...

to

...

cybersecurity

...

vulnerabilities

...

and

...

their

...

disclosure.

...

While

...

they

...

have

...

always

...

had

...

a

...

role

...

as

...

owners

...

and

...

operators

...

of

...

vulnerable

...

networks

...

and

...

systems,

...

issues

...

surrounding

...

vulnerability

...

discovery,

...

coordination,

...

disclosure,

...

and

...

mitigation

...

have

...

become

...

increasingly

...

important

...

to

...

governments

...

worldwide.

...



As

...

the

...

industries

...

they

...

regulate

...

move

...

toward

...

increasing

...

connectivity,

...

agencies

...

with

...

oversight

...

responsibilities

...

will

...

likely

...

see

...

an

...

increased

...

demand

...

to

...

extend

...

their

...

safety

...

monitoring

...

to

...

include

...

security

...

issues

...

(especially

...

for

...

security

...

issues

...

that

...

directly

...

impact

...

safety).

...

To

...

that

...

end,

...

changes

...

are

...

happening

...

rapidly

...

on

...

multiple

...

fronts.

...

For

...

example,

...

in

...

the

...

United

...

States

...

recent

...

developments

...

include

...

the

...

following:

...

The

...

FDA

...

Medical

...

Device

...

Reporting

...

process

...

enables

...

oversight

...

and

...

detection

...

of

...

potential

...

device-related

...

safety

...

issues

...

[2].

...

The

...

National

...

Highway

...

Transportation

...

and

...

Safety

...

Commission

...

(NHTSA)

...

collects

...

reports

...

of

...

vehicle

...

safety

...

issues,

...

which

...

helps

...

to

...

drive

...

its

...

investigation

...

and

...

recall

...

processes

...

[3].

...

The

...

FAA

...

offers

...

a

...

number

...

of

...

safety

...

reporting

...

capabilities

...

as

...

well

...

[4].

...



Beyond

...

just

...

documenting

...

observed

...

issues,

...

some

...

government

...

agencies

...

take

...

an

...

active

...

learning

...

approach

...

when

...

broader

...

engineering

...

failures

...

occur.

...

The

...

aforementioned

...

FDA

...

and

...

NHTSA

...

reporting

...

programs

...

serve

...

this

...

purpose,

...

but

...

other

...

programs

...

exist

...

as

...

well.

...

For

...

example,

...

the

...

National

...

Transportation

...

Safety

...

Board

...

is

...

explicitly

...

tasked

...

with

...

investigating

...

transportation

...

accidents,

...

and

...

NASA

...

collects

...

lessons

...

learned

...

in

...

a

...

public

...

database

...

[5].

...

This

...

kind

...

of

...

continuous

...

improvement

...

process

...

has

...

demonstrated

...

its

...

effectiveness

...

in

...

a

...

variety

...

of

...

environments

...

and

...

seems

...

to

...

provide

...

a

...

good

...

model

...

for

...

cybersecurity

...

vulnerabilities

...

in

...

both

...

the

...

private

...

and

...

public

...

sectors.

...



The

...

United

...

States

...

is

...

not

...

alone

...

in

...

realizing

...

that

...

vulnerability

...

discovery,

...

disclosure,

...

and

...

remediation

...

is

...

important

...

to

...

national

...

interests.

...

These

...

cybersecurity

...

issues

...

have

...

been

...

global

...

for

...

quite

...

some

...

time.

...

The

...

EU

...

Parliament

...

recently

...

held

...

hearings

...

on

...

modernizing

...

export

...

controls

...

and

...

the

...

trade

...

in

...

zero-day

...

vulnerabilities

...

[6].

...

Meanwhile,

...

a

...

quick

...

glance

...

at

...

the

...

vulnerability

...

database

...

catalog

...

being

...

developed

...

by

...

the

...

FIRST

...

gives

...

a

...

good

...

indication

...

of

...

the

...

international

...

interest

...

in

...

this

...

problem

...

space

...

[7].

References

  1. W. Dormann, "Supporting the Android Ecosystem," 19 October 2015. [Online]. Available: https://insights.sei.cmu.edu/cert/2015/10/supporting-the-android-ecosystem.html. [Accessed 23 May 2017].
  2. U.S. Food & Drug Administration, "Medical Device Reporting (MDR)," [Online]. Available: https://www.fda.gov/medicaldevices/safety/reportaproblem/. [Accessed 23 May 2017].
  3. National Highway Traffic Safety Administration, "File a Vehicle Safety Complaint," [Online]. Available: https://www-odi.nhtsa.dot.gov/VehicleComplaint/. [Accessed 23 May 2017].
  4. Federal Aviation Administration, "Report Safety Issues," [Online]. Available: https://www.faa.gov/aircraft/safety/report/. [Accessed 23 May 2017].
  5. NASA Office of the Chief Engineer, "NASA Lessons Learned," NASA Lessons Learned Steering Committee (LLSC), [Online]. Available: https://www.nasa.gov/offices/oce/functions/lessons/index.html. [Accessed 16 May 2017].
  6. European Commission, "Dual Use Controls: Commission proposes to modernise and strengthen controls on exports of dual-use items," 28 September 2016. [Online]. Available: http://europa.eu/rapid/press-release_IP-16-3190_en.htm. [Accessed 23 May 2017].
  7. FIRST, "Vulnerability Database Catalog," FIRST VRDX SIG, 17 March 2016. [Online]. Available: https://www.first.org/global/sigs/vrdx/vdb-catalog. [Accessed 16 May 2017].