This morning an anonymous reader left a comment on my BIS Cyber-Enabled Activities post that was actually a reply to my last Reader Comment post about 3rd party KEV problems. The commenter makes some good points about advisories and 3rd party vulnerabilities; well worth the effort to read.
Vendors need to realize that people using their software/devices look to their advisories for both information about the scope of the vulnerabilities to use in their risk management processes, as well as information about how to mitigate (short term risk minimization) or fix the vulnerability. In my opinion, Broadcom does not do a good job in either department, but they are hardly the worst of those that I look at in my reporting on ICS vulnerabilities.
Interestingly, some of the most informative ‘advisories’ I have seen are open source software discussions on github sites that frequently include discussions about how the vulnerabilities could be exploited. That may be a tad bit overbroad in the information sharing department, but it is probably helpful to developers using the software to mitigate the problem in their own usages.