Cybozu, in order to minimize risk to its customers, handles and fixes vulnerabilities in accordance with a vulnerability information handling policy that takes SCAP into account. This session introduces the effectiveness of implementing a general vulnerability response process within a single organization, the operational measures devised along the way, and the issues still to be addressed.
Until 2011, Cybozu rated the severity of vulnerabilities using its own in-house standards and criteria. At the end of 2012, after internal discussions, it investigated whether vulnerabilities should instead be handled on the basis of general, open evaluations of vulnerability risk.
Starting in 2013, based on the results of that investigation, vulnerability handling policies in line with ISO 29147 and ISO 30111 were implemented with reference to SCAP, evaluating vulnerabilities with CVSS and assigning CVE identifiers. The following results were seen after the new policies were implemented.
・Uniform vulnerability evaluation and consistent prioritization of fixes
・Sharing of vulnerability information across projects
・Smooth disclosure of vulnerability information
At the same time, the following issues were encountered.
・Attack techniques that cannot be evaluated with CVSS, and the response policy for them
・Coordination with CVE-assigning organizations (JPCERT/CC)
Moving forward, we intend to focus on addressing these issues while continuing to emphasize responsible information disclosure.