editione1.0.0
Updated October 9, 2023There are a range of great sources to use to keep up to date with security vulnerabilities: social media, vendor websites, CVE Details, RSS and news feeds, newsletters, podcasts, and so on. Please remember though, with each of these places, they each have a different motivation for sharing vulnerability information.
Information Source | What to Watch For |
---|---|
Social Media | A great source of varied opinions, often available without charge, social media hosts a range of security news feeds that announce vulnerabilities and updates. Buyer beware however, social media is rife with misinformation and not everyone sharing security know-how is credible. Use your research skills to review your sources before trusting. |
Vendor Websites | Tool and technology manufacturers may provide details of vulnerabilities as part of change notes, updates, or disclosures. Please remember however that most vendors are not obliged to announce if they have had a security issue unless it is mandated by law. Security details may be buried deep in technical patch notes or just listed as “Updates to security” on a new software release. |
Government Advisories | Many countries have centralized government bodies that help coordinate and communicate critical information security information to affected businesses and organizations. This may be your local CERT (computer emergency response team) or a larger organization such as NIST (the USA National Institute for Standards and Technology, which includes a number of security departments). Look at your local and national government entities and identify and notification services you can subscribe to. They are also a great source of support if something goes wrong with the security of your own organization or product. |
Scanning tools | Tools that can be built into your development and technical environments to identify components with known vulnerabilities such as Snyk or spot issues with configuration of components such as AWS Inspector. |
For a really clear picture of how this process works and why it’s important to your company, there is no better case study than the Log4J vulnerabilities identified in late 2021.
A standard open-source logging library for the Java language, Log4J is the de facto logging choice for a huge number of applications around the world.
In late 2021, researchers identified a remote code execution vulnerability in the source code for this library. They filed a vulnerability disclosure to both the Apache Software Foundation and NIST, resulting in a worldwide response.