Looking for a subject to write about for this blog, I thought I’d peruse the National Vulnerability Database (you can see it yourself by going to our NVD page). What I saw actually made me chuckle. As I scrolled through it, I saw line after line after line of vulnerabilities from one specific company’s products. Which company?
Some application focused company? No.
It was Cisco. That’s right, Cisco. The same company that came out with Apple a little while ago to talk about getting discounts on cybersecurity insurance for companies that implement Apple and Cisco products properly. Kinda funny, don’t you think?
The list of products that had vulnerabilities was impressive, to say the least. Just some of the products were:
- Cisco ISE (Kind of important to know about that one!)
- Cisco Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM)
- Cisco Unified Contact Center Express (UCCx)
- Cisco Firepower Management Center
- Cisco Wide Area Application Services (WAAS)
- Cisco StarOS for Cisco ASR 5000 Series Routers
- And others.
Now, to be fair, I suspect someone decided to focus on the Cisco products to see what vulnerabilities were there. But, still, to see this number of vulnerabilities listed in a row really caught my eye and it made me wonder – if Cisco, who’s seen a way of selling their products by focusing on the cybersecurity ROI aspects, is allowing vulnerabilities to this extent to get into their products, what can you expect from companies that don’t think about how the market is viewing cybersecurity?
Scary, don’t you think?!?
Now, I’ve worked with Microsoft when they implemented their Trustworthy Computing initiative back around the turn of the century (man, that makes me feel old). And I ran the initiative to implement an SDLC into EDS, so I’ve been around the block a time or two when it comes to embedding security into product development. With that in mind, I went looking to see what I could find regarding Cisco’s SDLC.
Cisco actually has a page on their website dedicated to their SDLC with a pretty good presentation on how they have integrated security into their development process. They obviously at least understand the importance of integrating security into their processes. They seem to have the different stages in the actual project delivery methodology covered. So how did this volume of vulnerabilities creep in?
Good question, and one that only Cisco can answer. Maybe they got a little lazy in applying the SDLC. Maybe they weren’t doing the audit activities needed to enforce the SDLC (remember, this is like QA – you have to have the periodic checks to bring the awareness back up). Maybe they have scaled back on expenditures on this and now they have to spend more money on fixing vulnerabilities rather than catching them in the first place.
One thing I will point out is that their SDLC is focused specifically on the activities in the product development lifecycle. But I don’t see any mention of the governance activities, the checks and balances. I’m not saying they don’t have them, but it’s important to remember that an SDLC is a multi-layered thing. It’s like my view on Security Architecture activities – there are governance activities, there are strategy/program activities, and then there are project activities. Focusing on project activities only will still allow these types of issues to arise.
I’ll be interested to see how Cisco deals with this volume of issues.
Hope this helps …