KEYnote 43 English - Spring/Summer 2022 | Page 15

SECURITY

Professional Response to Security Incidents

In December 2021, there was a much-publicized security incident. Known as “Log4Shell”, it is a good lesson in how important it is to respond to such problems with readiness, but also with care and structure.
Log4Shell was a vulnerability so critical that it received the highest possible severity rating (CVSS 10.0). It affected the Log4j library of the Apache Software Foundation, which is used by countless companies around the world.
The main products of Wibu-Systems (CodeMeter Runtime and SDK, CodeMeter Protection Suite, CodeMeter License Central, CmCloud, WibuKey) were not affected, and CodeMeter Keyring for TIA Portal and CodeMeter Cloud Lite only needed a minor update.
But what happened behind the scenes? How does Wibu-Systems respond to such vulnerabilities in third-party components? What if there is an issue with our own software?
A look at our security incident response process:
1. Incident Report: Vulnerabilities and incidents are reported in either of two ways:
■ External report: Information about a possible vulnerability is sent by email to cert@wibu.com or via the Incident Management System located at https://support.wibu.com.
■ Internal report: Findings from internal scans, automated code reviews, or other security checks are flagged directly in our internal tracking system.
2. Analysis: The information is sent to our dedicated Product Security Incident Response Team (PSIRT), also called Wibu-CERT (Computer Emergency Response Team), for analysis. There, four security specialists coordinate the response and support the vulnerability analysis carried out by the Product Security Board (a group of specialists assigned to the job by our developer teams). Each affected product is given a score in line with the accepted industry standard CVSS (Common Vulnerability Scoring System) to establish how severe the issue is.
3. Countermeasures: Two important tasks are covered in this phase:
■ Treatment: Once the analysis confirms the severity of the incident, the issue is flagged in our development tracking system. The tag tells our developers how urgently a response is needed: either the vulnerability is addressed in a planned release, or an immediate bugfix has to be released.
■ Coordinated communication: The evaluation is provided to the reporter and, if necessary, coordinated further with them. The CERT mailing list makes sure that clients are told in good time about the vulnerability and the necessary bugfixes. This gives them a vital head start to, for example, prepare their own security advisories and test the necessary fixes before the vulnerability becomes public knowledge.
4. Publication: Security advisories are produced for publication on https://wibu.com/security-advisories, and a “Tech News Flash” email is sent to our clients, users, distributors, and the relevant authorities with more information about the vulnerability and the available security fixes.
This simple but critical process enables Wibu-Systems to respond immediately and prepare solutions for all clients and users affected, true to our guideline for all security incidents: Be open and be honest!
[Process diagram: Report → Analysis → Countermeasures → Publication]