Security like I’m five: Security advisories

So you’ve decided to deep dive into security advisories? I hope you slept well and have a lot of patience, because let me tell you, I’ll need every bit of your attention. Luckily for you, I did all the hard work. The only things you have to do are:
• read the text
• laugh at the jokes
• come out of this post a better person
In this post
➡ What is a security advisory?
➡ How is this regulated?
➡ What's important

Spill the beans, what is a security advisory?
The short version is this:
"Advisories warn organisations about vulnerabilities and exploits so they can remediate them."
Or ignore them, whichever costs less. This may sound harsh, but that's how most companies handle it.
But, here comes the fun part.

You can imagine that if there were no standard, this would be total chaos. To fix this, the good guys and gals at MITRE (with a little help from the US Department of Homeland Security) created the CVE standard back in 1999.
“Bro, what the hell is a CVE?"
Glad you asked!
CVE stands for Common Vulnerabilities and Exposures. MITRE made the CVE standard to, and I quote, “identify, define, and catalog publicly disclosed cybersecurity vulnerabilities”.
And with success, I must add. Most big tech companies have adopted the standard and publish their vulnerabilities as CVE records on cve.org.

So how is this regulated?
Basically anyone and their mom can request a CVE. Any person or organisation who finds a vulnerability can ask for a CVE ID to be assigned and published. The request goes to the CVE Numbering Authority (CNA) responsible for that product, which for most big vendors is the software company itself; if no CNA covers the product, MITRE handles the request.
The software company has to reply. It can still reject the request, but once a claim is made it’s very bad publicity to deny a genuine one. If the company sits on the request or rejects it unfairly, the reporter can escalate to MITRE, which runs the programme, and they will look at it.
That’s cool and all, but how do I know what’s important?
Anyone working in security, IT or McDonald’s can attest to this; there is never a dull day.
With only so many hours in a day, it’s impossible to follow up on everything. That's why the National Infrastructure Advisory Council (yeah, you can forget that name; the standard is maintained by FIRST these days) created the Common Vulnerability Scoring System (CVSS).
A CVSS score captures how easy a vulnerability is to exploit (how it's reached, whether you need privileges or a user to click something) and how bad the impact would be if someone did. We could talk about the formula they use to calculate the score, but I’m pretty sure I don't understand it either (I mean, have you seen the thing?). Therefore, I made my own comprehensible, down-to-earth version of the CVSS score ranges (the thresholds are the official ones: None, Low, Medium, High, Critical):
0.0 (None) – you’re safe, why is this even on here?
0.1 – 3.9 (Low) – good that it’s being fixed, nothing to worry about though
4.0 – 6.9 (Medium) – let’s check our systems and see if the fix impacts business a lot, otherwise autobots roll out
7.0 – 8.9 (High) – looks like we’re not going home anytime soon
9.0 – 10.0 (Critical) – CLOSE OFF EVERYTHING, THE SHIP IS SINKING, WOMEN AND CHILDREN FIRST (what?)

So there it is: security advisories. Probably not ‘like I’m five’, but hey, I tried. Until next time, everybody!