Introduction

  • Vulnerability Management is the process for handling security incidents.
  • The process requires acting in a timely manner.
  • The process involves joint action of the SOS development team and support team.

Resources

Vulnerability Management Process

Vulnerability Reporting

  • Reports about vulnerabilities are
    • automatically detected by SOS monitoring tools based on a Software Bill of Materials (SBOM),
    • forwarded to SOS by the automated vulnerability detection provided by the GitHub Source Code Repositories,
    • forwarded to SOS by users via private e-mail,
    • forwarded to SOS by customers via the SOS Ticket System.
  • Detection of vulnerabilities covers both the SOS software product and any 3rd-party components included with the software product.
    • Sources of vulnerability detection in the source code of SOS software products include
      • automated scans performed by source code repositories,
      • security audits performed by users and customers, for example pen-testing,
      • security breaches reported by users and customers.
    • SOS tracks vulnerabilities in 3rd-party open source libraries by means of automated scans provided by source code repositories.
  • Users are advised to report vulnerabilities by private e-mail to support@sos-berlin.com.

Vulnerability Verification

  • After receipt of a vulnerability report, SOS sets up a task force to reproduce and identify the reported vulnerability.
    • This includes identifying the affected releases of the software product.
    • This includes evaluating the risk posed by the given vulnerability.
    • This step is typically completed within 24 hours of receipt of the report.
  • If a vulnerability is confirmed, the task force will
    • request a CVE ID from https://cve.org and provide the respective CVE report, which is not made publicly available at this stage,
    • add a private Change Request to the Change Management System,
    • report back to the vulnerability reporter with the assigned CVE ID. This step is completed immediately after receipt of the CVE ID and therefore depends on cve.org response times.

Vulnerability Risk Mitigation

  • Depending on the security risk identified in the preceding verification step, the following applies:
    • For high-risk and medium-risk vulnerabilities, an alert is provided to customers who subscribe to this type of notification with their product support option.
    • For low-risk vulnerabilities, no information is provided to customers.
  • Based on the criticality, a release date is determined:
    • For high-risk and medium-risk vulnerabilities, an immediate maintenance release date is planned for all branches of the software product that are under maintenance.
    • For low-risk vulnerabilities, the typical release cycle of approx. 3 months, or an earlier release, applies.
  • Users can choose to remove vulnerable 3rd-party components from the installation of a JS7 product:
    • JS7 - Package Management allows software packages to be disabled/enabled.
    • This approach is applicable if only minor features of JS7 are affected and users are willing to do without such features.

Vulnerability Fixes

  • Fixes are implemented within the scope of the Release Policy - Change Management.
  • Fixes are provided for all branches of the software product that are under maintenance. Find the list of Vulnerability Remediation Releases.
  • Fixes include a verification procedure confirming that the vulnerability can no longer be exploited.
  • For high-risk and medium-risk vulnerabilities, this step is typically completed within five business days.

Vulnerability Communication

  • With fixes being available, the following applies:
    • Downloads
      • Maintenance releases are published for download on the SOS web site and on SourceForge.
      • Users should be aware that 3rd-party web sites that mirror downloads of SOS software products might or might not indicate the availability of maintenance releases. SOS accepts no liability for the accuracy and timeliness of maintenance releases downloaded from 3rd-party web sites.
    • CVE Reports
      • Once downloads are available, SOS asks cve.org to make the CVE report publicly available.
    • Notification
      • Notifications are made available in the News section of the SOS web site.
      • Notifications are provided by RSS Feeds.
      • Customers who subscribe to notifications within their support option receive a notification by e-mail.
      • The list of Vulnerability Remediation Releases in the Product Knowledge Base is updated with the information.
  • Fixes provided for all branches under maintenance are communicated at the same point in time.
