
Create a hypothetical Security Advisory for the vulnerability scenario described below, with SecureSoftwareCo as the issuing CVE Numbering Authority (CNA):

SecureSoftwareCo has developed a corporate finance software package, InvulnerableFinance, used by numerous large organisations for accounts payable and receivable. SecureSoftwareCo has recently discovered that InvulnerableFinance has a substantial security vulnerability, which they would like to address as a matter of urgency. The vulnerability allows remote unauthenticated attackers to view all of the records stored in the finance system. This is achieved by utilising a hardcoded set of credentials, common to all installations of the software, intended for use during support and debugging. A patch has been prepared to address this vulnerability and is ready for deployment.

This assessment is to be done individually. You may make reasonable assumptions as long as they are documented.
• Work on it in class and submit a doc/pdf online ahead of next week's seminar.

How to write a security advisory
• Common sections in an advisory include:
  – Vulnerability Type
  – Severity / Risk Assessment (use CVSS v3.0)
  – Vulnerability
  – Risk Mitigation (Workarounds)
  – Fix (Solution)
  – Acknowledgement of the reporter
https://ffeathers.wordpress.com/2010/08/08/writing-a-security-advisory/

Example
• Critical: flash-plugin security update

National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2016-7892

Adobe Advisory https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

Microsoft Advisory https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-154

RedHat Advisory https://access.redhat.com/errata/RHSA-2016:2947