At DEF CON 33, the Power of Responsible Disclosure Takes Center Stage
AmberWolf’s reveal of Zero Trust vulnerabilities shows how industry players can work together for the greater good
- Coordinated Vulnerability Disclosure makes us stronger together.
- You may find vulnerabilities and weaknesses where you least expect them—in your own systems.
- Security-first product development, testing, and third-party assessments can help minimize the chance that vulnerabilities ship in the first place.
- Tools like Symantec Zero Trust Network Access can help you tighten up your security suite and prevent problems before they arise.
One of the great things about a conference like DEF CON is that it serves as a forum for the public stage of Coordinated Vulnerability Disclosure (CVD), in which security researchers responsibly report the vulnerabilities they discover as part of their work so the affected organizations can act before the details become public. Typically, the researcher who discovers the vuln first communicates privately with the vendor whose products are at risk and gives them time to fix it. A public announcement about the patch or other remediation follows.
Legends of the pack
Earlier in August, AmberWolf gave us a live-action demo of CVD. Their DEF CON 33 talk revealed several vulnerabilities in Zero Trust solutions from multiple vendors. The unveiled vulns were severe and largely identity-based, and they fell into categories that are table stakes for any security product in today's world. And yet, here they were.
I wanted to shout out to the AmberWolf team on a job well done—theirs was a very coordinated and by-the-books disclosure. Take it from an old hacker: They really are doing great work over there. Kudos as well to the vendors who worked swiftly to patch things up.
There are no lone wolves
While watching these disclosures unfold, I asked myself the same question we should all be asking: “Could this have been us?”
I’ve been around long enough to know that there are no lone wolves when it comes to vulns. Proximity can be blinding, making our own vulnerabilities and weaknesses hard to see. We should never forget to ask about our own potential exposure and whether we could just as easily have been the subjects on the stage. Recognizing that no one is immune from vulnerabilities or breaches is, in fact, among a security vendor’s most important assets.
Fortunately, researchers like the AmberWolf team provide a critical service for us all. At Symantec and Carbon Black, we actively engage with responsible disclosure surrounding our own products. We always welcome feedback to improve outcomes for our partners and customers—and to prevent exposures like those AmberWolf brought to DEF CON.
Responsible disclosure is vital, but it’s only part of the picture. At Broadcom, we consider security from the early building stages. Dedicated teams of product security engineers working alongside the development team create threat models of new features being built and review security requirements. Our products also undergo automated tests using industry-leading security tools throughout the building and testing stages of the software.
Finally, we engage reputable third-party security experts to obtain independent security assessments of our products. This is all done in service of a simple ethos that every vendor should operate under: “Do no harm.”
Is it possible to protect yourself?
Cybersecurity vendors have a responsibility to protect their customers (and their customers’ customers), and to do no harm in the process. It’s not like we don’t know where the threats are. We all certainly know what products, tools, and services need to be put in place to combat vulnerabilities and strengthen the security stance of any organization.
But in a fast-moving marketplace, the impulse to “move fast and break things” can introduce unnecessary risks to vendors and the organizations they serve. We all benefit from a little humility and a whole lot of careful, methodical controls that minimize the risks that come with bringing products to market. A single error or regression from a vendor with a large enough installed base can have cross-vertical impacts on a variety of critical environments. We’ve all seen this happen: When things go wrong for one vendor, the rest of us learn a vital lesson.
Keep moving—start mitigating
Modern perimeters live at the endpoint. At Symantec and Carbon Black, we’ve been working under this assumption since 1982.
In the past decade, the rise of cloud environments and remote work has scattered enterprise resources to the wind. Endpoints are everywhere, and it’s increasingly necessary to ensure every user, device, application and file is trustworthy before they gain access to everything you’re trying to protect. Tools like Zero Trust Network Access (ZTNA) mitigate threats, but this relies on a strong approach to security-first product development, proper configuration, and associated tooling. In our industry, these vulnerabilities are more than just vulnerabilities—they’re product and procedure flaws that reduce positive outcomes for customers. And that is a non-starter. It’s up to vendors to do all we can to prevent those problems.
Our analysis identifies two products and features that would mitigate this class of attack against our solutions:
- A robust ZTNA solution. Implementing a robust ZTNA solution reduces the attack surface to authenticated and authorized users and devices. In effect it places an Access Control List (ACL) layer in front of each private application: a token that is stolen or passed to another user or device fails the check, and the failed attempt can be reported as an incident.
- ZTNA with Web Isolation (Application Protection). By separating the browser from the endpoint, ZTNA combined with Web Isolation mitigates these attacks more thoroughly. When ZTNA is used together with a Secure Web Gateway (SWG) and Web Isolation, URL manipulation becomes much more difficult.
End users also have far fewer opportunities to tamper with headers, parameters, or raw HTTP requests, because they see only the visual stream or a sanitized proxy of the remote browser’s session. That removes a step an attacker would need in order to exploit our products, at least in this way. One caveat: isolation covers the browser session, not the Zero Trust components themselves, so brokers, agents, and identity integrations still need the security-first development and testing described above, since that is where the disclosed flaws lived.
And by implementing ZTNA with other protections, such as Data Loss Prevention (DLP), you’ll add another much-needed layer of depth to your defense. And while you’re at it, consider layering on application control to further support your Zero Trust strategy.
Tried, trusted, and true
Our long experience has taught us to assume that the endpoint is the network edge, no matter where it lives, and that vendors and their customers alike must work to secure every single endpoint. No one and nothing is perfect, and there are no lone wolves, but we work hard to get it right. Because when it comes to cybersecurity solutions, quality is everything.
Ready to learn more about Symantec Zero Trust Network Access? Take a page from our book.