My opinion on the latest trends in security incident response
A couple of years ago, I co-authored a framework for Product Security Incident Response Teams (PSIRT) alongside my industry peers at FIRST. The idea originated when many of my PSIRT peers found that Computer Security Incident Response Team (CSIRT) did not fully encapsulate the roles and responsibilities of PSIRT, so it was worthwhile to differentiate PSIRT for security professionals to consider when they implement Incident Response (IR) in different organizations.
A week ago, a colleague of mine mentioned that the NSA had released guidance on mitigating cloud vulnerabilities. It was a moment for me to reflect on how cloud technologies have evolved the role of PSIRT over the last few years. Indeed, cloud computing has now gone mainstream. What the NSA advocated was a shared responsibility model for security in the cloud. The ‘themes’ and common weaknesses mentioned by the NSA should not be new to security veterans. Nevertheless, the new trend is to discuss product security blended with cybersecurity when we speak of securing technology.
I see PSIRT and CSIRT converging in my daily work. Cloud products are ‘something’-as-a-service. Users evaluate their experience in its totality. Product security is no longer about changing source code or getting customers to apply patches to fix security bugs. Trust is an intangible value proposition to users. Users do not care about the difference between PSIRT and CSIRT, as long as security is there by default and they can trust that data is safe.
Over the last few years, my peers at SAP PSIRT have embarked on a transformation journey. We have simplified ways for customers and researchers to report vulnerabilities, built up competency in handling security response in cloud products, and expanded our bug-bounty program. The goal remains the same for us, and for anyone working on security topics at SAP: to build and maintain the trust our customers have placed in us on their journey to intelligent enterprises.