For software publishers, CVEs guarantee transparency and trustworthiness

What is the first thing businesses do when they start looking for a cybersecurity solution? They look at the list of certifications the publisher holds for its solutions. Those certifications effectively guarantee a very high level of IT security and trust: the software undergoes rigorous, independent assessments, carried out regularly under the supervision of the ANSSI (the French national IT security agency). Beyond certifications, how many customers remember to check whether the publisher publishes its software vulnerabilities? At first glance the idea may seem counter-intuitive, but a publisher’s CVE (Common Vulnerabilities and Exposures) publishing policy is nonetheless a good indicator of its strategy. Some publishers – including PRIM’X – actively publish their software vulnerabilities. That transparency shows our rigorous approach to IT security. It also reveals the importance publishers place on building a relationship of trust with their customers.
Software vulnerability management, a pillar of IT security
A continuous improvement process
The presence of vulnerabilities is inherent to all software development. Their discovery and correction are part and parcel of the product life cycle. The question is not whether software has vulnerabilities or not, but rather the software publisher’s ability to proactively seek out and correct them before they can be used for malicious purposes.
The discovery of vulnerabilities in software products allows publishers to work on corrective measures and strengthen the resilience of their solutions: a virtuous loop that benefits everyone.
CVE publication: an internationally standardized system
Vulnerability management has become more streamlined and industrialized in recent years. On an international scale, computer security vulnerabilities are published in the cve.mitre.org database, which is maintained by the MITRE non-profit organization. Publishers use this official, standardized and well-known system to publish their vulnerabilities. Every vulnerability is assigned a number in the following format: CVE-YEAR-NNNNN (YEAR = year the vulnerability was published / NNNNN = unique vulnerability identifier).
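The identifier format described above is simple enough to check mechanically, which is useful when a customer wants to verify what a publisher actually publishes: for example, pulling every CVE reference out of a vendor security bulletin and tallying them per year. The following Python script is an added example written for this article, not PRIM’X code; the bulletin text it scans is a constructed sample, and it accepts a sequence part of four or more digits (the page shows NNNNN, five digits; the current CVE identifier syntax allows four or more).

```python
import re
from collections import Counter

# Identifier format described in the article: CVE-YEAR-NNNNN. The page shows a
# five-digit sequence; the current CVE ID syntax allows four or more digits, so
# the pattern accepts 4+. Case-insensitive so that "cve-..." is caught as well.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample bulletin (not a real PRIM'X bulletin): it mixes valid
# identifiers, a lower-case one, a duplicate mention and malformed look-alikes.
SAMPLE_BULLETIN = """\
Security bulletin (constructed sample)
Fixed in version 10.0.3: CVE-2024-10001, cve-2024-10002.
Workaround available for CVE-2023-0456; see also CVE-2023-0456 (duplicate mention).
Malformed references that must be ignored: CVE-24-1234, CVE-2024-123, XCVE-2024-9999.
"""


def parse_cve_id(candidate):
    """Parse one CVE identifier into (year, sequence).

    The year is returned as an int; the sequence stays a string so that leading
    zeros in four-digit sequences (e.g. 0456) are preserved. Raises ValueError
    for anything that is not a well-formed identifier.
    """
    match = CVE_ID_RE.fullmatch(candidate.strip())
    if match is None:
        raise ValueError(f"not a CVE identifier: {candidate!r}")
    return int(match.group(1)), match.group(2)


def is_cve_id(candidate):
    """True if the string is a single well-formed CVE identifier."""
    try:
        parse_cve_id(candidate)
    except ValueError:
        return False
    return True


def normalize_cve_id(candidate):
    """Return the identifier in canonical upper-case form."""
    year, sequence = parse_cve_id(candidate)
    return f"CVE-{year}-{sequence}"


def extract_cve_ids(text):
    """Return the unique CVE identifiers found in free text, normalized and
    sorted by (year, sequence number). Malformed look-alikes are ignored."""
    found = {f"CVE-{year}-{seq}" for year, seq in CVE_ID_RE.findall(text)}

    def sort_key(cve):
        year, seq = parse_cve_id(cve)
        return (year, int(seq))

    return sorted(found, key=sort_key)


def count_by_year(cve_ids):
    """Tally identifiers per year, e.g. {2023: 1, 2024: 2}."""
    return dict(Counter(parse_cve_id(cve)[0] for cve in cve_ids))


if __name__ == "__main__":
    ids = extract_cve_ids(SAMPLE_BULLETIN)
    print("identifiers found:", ids)
    print("per year:", count_by_year(ids))
```

Run as a script it lists the three distinct identifiers in the sample and their per-year counts; the same functions can be pointed at a downloaded bulletin or advisory feed to compare what a publisher discloses year over year.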
CVE publication, an obligation of excellence relating to security certifications
An obligation and an issue of trust relative to the ANSSI
The publication of security vulnerabilities is part of publishers’ certification policies. Certified products undergo rigorous and comprehensive analyses by independent Information Technology Security Assessment Centers, which are themselves accredited and certified by the ANSSI. These centers carry out the full product security assessment and submit their reports to the ANSSI, which is in charge of validating them.
Obtaining certifications imposes a number of obligations on software publishers relative to the ANSSI. PRIM’X, which has numerous certifications for its encryption solutions, is committed to notifying the ANSSI as soon as a vulnerability is discovered on its information system or its security products, for example. The challenge is to maintain both product quality and certifications, as well as the trust of the ANSSI.
How does PRIM’X manage the publication of its software vulnerabilities?
As part of its excellence and transparency strategy, PRIM’X has set up a vulnerability management system that includes direct communication with the ANSSI and customer notification through the publication of security bulletins.
PRIM’X’s CVE discovery, management and correction process
- Discovery of a potential vulnerability.
- Vulnerability analysis by the PRIM’X teams to confirm and assess its criticality.
- If the problem is considered major or critical, the ANSSI is informed.
- The PRIM’X teams work on a workaround to make available to customers, or on generating a new version of the product (security patches, tests, etc.).
- The CVE is published on cve.mitre.org with a summary description of the vulnerability (enough to identify it, without the details that would make it exploitable), on listing sites (national watch and alert centers), and in a security bulletin on the PRIM’X website. The workaround or new version is published at the same time.
- PRIM’X customers receive enhanced communication, including more details on the vulnerability and security patches in order to have a better understanding of the risk and solutions.
Publishing CVEs, a transparent and trust-building policy for customers
Maintaining trust between a publisher and its customers
Certification requirements are increasingly stringent, forcing software publishers to go ever further in vulnerability detection and analysis. The approach is becoming more structured and standardized, calling on publishers to respond effectively, and always in the interests of their customers.
While the time it takes to manage a CVE can vary from a week to several months, publishers have every interest in not moving too quickly, so as to avoid worsening incidents that could put their customers in difficulty. The publisher’s support team plays a crucial role here by answering customers’ questions and helping them implement workarounds or security patches as quickly as possible. Software vulnerability management is far from a purely technical issue. It is the foundation of a relationship of trust between publishers and their customers.
To protect the security of our customers and the trust they place in us, PRIM’X has made it a rule never to publish a vulnerability until we have a genuine solution to correct it.
General transparency in the future?
By proactively and transparently publishing its vulnerabilities, PRIM’X intends to contribute to the democratization of the practice, which reflects the rigor and seriousness of software publishers. The approach is becoming standard practice, so much so that the paradigm could soon be reversed with publishers who don’t publish any vulnerabilities being suspected of not having looked hard enough!
Searching for, analyzing, and publishing vulnerabilities is part of PRIM’X’s commitment to excellence and to the ongoing certification of its software products. This stance is an indication of the quality and security of our solutions, which are constantly assessed with a view to continuous improvement. Above and beyond the obligations imposed by certifications, PRIM’X has made the requirement for transparency central to its DNA.
The issue of CVE management by software publishers is set to play an increasingly important role in the months and years to come. The NIS 2 directive strengthens requirements for securing the entire supply chain and for taking into account the risks that come with the IT supply chain.