AppSecSchool:
Writing Security Advisories

Enjoy our additional free content from our channel

Writing Security Advisories

How to Write an Effective Security Advisory
The Importance of Security Advisories

Whether you're dealing with open source or proprietary software, it's crucial to alert users swiftly upon discovering a security vulnerability. This is where security advisories step in. The advisory's caliber is fundamental to guide product users: determining if they're affected and whether immediate patching is essential. There's a vast chasm between commendable and poor advisories.

What is a Security Advisory?

A security advisory is essentially a notification by a software provider or third-party, detailing a software product's security vulnerability. Its goal is to demystify risks and prompt users towards protection.

Crafting Your Security Advisory

The dilemma often lies in the detail depth. Excessive information may simplify exploitation, but sparse data complicates remediation efforts for the good guys. Remember, persistent threat actors will exploit vulnerabilities if given an opening.

Stellar Advisory Examples

The Ruby on Rails security team's advisories shine in quality. Taking CVE-2016-2098 as an example, we observe:

  • A succinct issue encapsulation.
  • A lucid summary of affected and rectified versions.
  • Illustrative vulnerable code demonstrations.
  • Guidance to the revised release.
  • Solutions for those unable to immediately patch.
  • Patch collections for all versions.
  • Recognition for the vulnerability's discoverers.

Moreover, advisories employing mathematical notations for the impacted version, such as CVE-2021-22904, augment clarity.

Enhancements for Advisories

Several advisories could benefit from additional information:

  • Timeline: Chronicles from bug report to resolution, offering insights into the issue's age.
  • Severity: While cybersecurity professionals might deduce risks, it's not always intuitive for developers or non-security personnel.

For context, CVE-2023-36542 impacting Apache NiFi embodies both elements.

Timely Advisory Issuance

Roll out advisories ASAP! Early alerts grant users ample patching time. Ensure you have an accessible, transparent repository for advisories and provide prompt vulnerability notifications. For paramount products, pre-notifications are beneficial, hinting at the advisory's public disclosure.

Advisory Evolution

If you're a regular advisory publisher, embrace a template. Iterate and refine based on feedback, perhaps sourcing opinions from your stakeholders on advisory comprehensibility.

Concluding Notes

Security advisories aim to enlighten, not intimidate. Prioritize clarity and simplicity. Make it universally comprehensible, catering even to non-tech-savvy or non-native English speakers.