Going forward, the company's Product Security Incident Response Team (PSIRT), which is responsible for responding to security threats affecting Cisco products, will include more detailed information about vulnerabilities in its advisories. This information will include a Common Vulnerability Scoring System (CVSS) score and the new Security Impact Rating (SIR). The former, an open standard, expresses the severity of a vulnerability as a numeric score computed from factors such as how the flaw is reached, how complex an attack is and whether authentication is required. The latter provides a simplified categorization of the vulnerability as Critical, High, Medium or Low.
According to PSIRT principal engineer Omar Santos, the SIR "provides a more accurate and easy representation of risk in the event that there are additional factors not properly captured in the CVSS score," allowing customers to quickly gauge a threat.
In addition to providing CVSS scores and SIRs, Cisco will provide customers with indicators of compromise (IoCs), so that they can tell whether a vulnerability has actually been exploited against their systems rather than merely being present on them. This kind of information is often difficult to track down.
APIs: a potent weapon in the security wars?
Ultimately, companies like Cisco can create the most detailed and useful security advisories, but if the customers who need them don't actually get them in time or make good use of them, they're of limited value.
With that in mind, Cisco plans to release an API that its customers can use to retrieve vulnerability information and integrate it into their own applications. For instance, a forward-thinking customer could build an application that integrates with Cisco's API to check for vulnerabilities related to products it uses and automatically notify the appropriate internal teams in real-time. Such an application could ensure that only relevant threats are surfaced and brought to the attention of those who have the responsibility to act.
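The consumer sketched in the paragraph above, as an added example that is not Cisco's code and not the API the article describes: it takes a page of decoded advisory records carrying a CVSS score, an SIR and indicators of compromise, keeps only the advisories that touch products in our own inventory, and routes each one to the team that owns those products. Everything here is an assumption for illustration: the field names (`advisory_id`, `sir`, `cvss_base_score`, `affected_products`, `indicators`), the inventory format (product identifier to owning team), the CVSS v3 qualitative bands used by `cvss_band`, and the sample feed, which is constructed, not real advisory data.

```python
from dataclasses import dataclass

# The four SIR categories named in the article, in ascending order of severity.
SIR_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    title: str
    sir: str
    cvss_base_score: float
    affected_products: frozenset  # product identifiers named by the vendor
    indicators: tuple             # IoCs shipped with the advisory, e.g. strings to hunt for in logs


def parse_feed(records):
    """Turn decoded feed records into Advisory objects (field names are assumed, not a real schema).

    A malformed record (unknown SIR, missing field, non-numeric score) is dropped
    instead of aborting the whole run; its id is returned so someone can look at it.
    """
    advisories, rejected = [], []
    for rec in records:
        try:
            if rec["sir"] not in SIR_ORDER:
                raise ValueError(f"unknown SIR {rec['sir']!r}")
            advisories.append(Advisory(rec["advisory_id"], rec["title"], rec["sir"],
                                       float(rec["cvss_base_score"]),
                                       frozenset(rec["affected_products"]),
                                       tuple(rec.get("indicators", ()))))
        except (KeyError, TypeError, ValueError):
            rejected.append(rec.get("advisory_id", "<no id>"))
    return advisories, rejected


def cvss_band(score):
    """Qualitative band for a CVSS base score (assumed: the CVSS v3 severity bands)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def route_advisories(advisories, inventory, min_sir="Medium"):
    """Map each owning team to the notifications it must act on, highest SIR first.

    Filtering is done on the SIR rather than the raw CVSS number, because the SIR is
    the vendor's overall rating and may disagree with the CVSS band; when it does,
    the notification flags it, since that is exactly where a CVSS-only view would
    have mis-prioritised the issue.
    """
    threshold, owned, per_team = SIR_ORDER[min_sir], frozenset(inventory), {}
    for adv in sorted(advisories, key=lambda a: (-SIR_ORDER[a.sir], a.advisory_id)):
        hits = adv.affected_products & owned
        if SIR_ORDER[adv.sir] < threshold or not hits:
            continue  # below our bar, or not a product we run: page nobody
        for team in {inventory[p] for p in hits}:
            per_team.setdefault(team, []).append({
                "advisory_id": adv.advisory_id, "sir": adv.sir,
                "cvss_base_score": adv.cvss_base_score,
                "cvss_band": cvss_band(adv.cvss_base_score),
                "sir_differs_from_cvss": cvss_band(adv.cvss_base_score) != adv.sir,
                "products": sorted(p for p in hits if inventory[p] == team),
                "indicators": list(adv.indicators),
            })
    return per_team


# Constructed sample data: a decoded feed page and a CMDB export. Not real advisories.
SAMPLE_FEED = [
    {"advisory_id": "adv-001", "title": "remote code execution in management plane", "sir": "Critical",
     "cvss_base_score": 9.8, "affected_products": ["router-os-a", "switch-os-b"],
     "indicators": ["POST /mgmt/upload from an address outside the management subnet"]},
    {"advisory_id": "adv-002", "title": "reflected XSS in web UI", "sir": "Medium",
     "cvss_base_score": 4.3, "affected_products": ["switch-os-b"]},
    {"advisory_id": "adv-003", "title": "authentication bypass in default configuration", "sir": "High",
     "cvss_base_score": 5.3, "affected_products": ["collab-server-c"],
     "indicators": ["audit log: login success with empty session token"]},
    {"advisory_id": "adv-004", "title": "crash via crafted packet", "sir": "Critical",
     "cvss_base_score": 9.1, "affected_products": ["firewall-d"]},
    {"advisory_id": "adv-005", "title": "information leak in debug output", "sir": "Low",
     "cvss_base_score": 2.1, "affected_products": ["router-os-a"]},
    {"advisory_id": "adv-006", "title": "malformed record", "sir": "Urgent",
     "cvss_base_score": "n/a", "affected_products": []},
]
SAMPLE_INVENTORY = {"router-os-a": "network-ops", "switch-os-b": "network-ops",
                    "collab-server-c": "collab-team"}


def demo(min_sir="Medium"):
    """Run the pipeline over the constructed sample; returns (routed notifications, rejected ids)."""
    advisories, rejected = parse_feed(SAMPLE_FEED)
    return route_advisories(advisories, SAMPLE_INVENTORY, min_sir), rejected


if __name__ == "__main__":
    routed, rejected = demo()
    for team, notes in routed.items():
        for n in notes:
            print(f"{team}: {n['advisory_id']} SIR={n['sir']} CVSS={n['cvss_base_score']} "
                  f"products={n['products']} sir_differs_from_cvss={n['sir_differs_from_cvss']}")
    print("rejected records:", rejected)
```

On the sample, `network-ops` receives adv-001 (one notification covering both affected products it owns) and adv-002; `collab-team` receives adv-003 with the SIR/CVSS disagreement flagged; adv-004 is dropped because nobody runs that product, adv-005 because it is below the Medium bar, and adv-006 is rejected by the parser rather than taking the run down with it. In a real integration the feed records would come from the vendor's API and the inventory from a CMDB, and the notification dicts would go to whatever ticketing or paging system each team uses.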
Although Cisco currently plans to use its API only to distribute vulnerability information, not to receive it, a one-way design intended to preserve the integrity of the data the API serves, other companies and organizations have started using APIs to receive vulnerability and threat information from customers and stakeholders.
Earlier this year, Facebook launched ThreatExchange, an API-based platform that companies can use to share information about security threats. And the Federal Bureau of Investigation (FBI) operates Malware Investigator, a malware-analysis platform and repository that companies can submit files and data to through a private API.
Both Facebook and the FBI regard this kind of two-way information sharing as critical to their security efforts. With the potential costs of security vulnerabilities continuing to rise, and more and more organizations soliciting the public's help through formal bug bounty programs, APIs like those being developed by Cisco, Facebook and the FBI seem likely to become increasingly common. As they evolve, expect to see more discussion of standards for distributing and sharing security information through APIs.