14:21 CET, 3rd April 2009 By Carsten Eiram.
I often receive questions about how the different teams in my department work, their responsibilities etc. and thought that I'd blog about it. That way I can just provide people asking these questions with a link in the future - a great example of Secunia efficiency.
My department is comprised of three different teams: Secunia Research, Secunia Binary Analysis, and Secunia Advisories. The team division is not strict, though, and people usually work in more than one team.
Secunia Advisories Team
The Secunia Advisories Team is responsible for issuing the advisories seen on our website and is thus the heart of the department. Much of the fruit of their labour is used by the other teams as starting points.
Most companies providing vulnerability information usually write up their advisories by reading the original reports only; a few merely do a quick rewrite of the contents from other security sites. However, the Secunia Advisories team spends a lot of time analysing, evaluating, verifying, and testing each reported vulnerability to the extent possible before issuing an advisory.
Naturally, this is not a small task and is quite resource consuming, but ultimately it makes it possible for us to provide the most comprehensive, detailed, and correct advisories available. This is why we deliver "Vulnerability Intelligence", not "vulnerability information".
Secunia Binary Analysis Team
This team is responsible for our "new" (it's two years old) Binary Analysis (BA) solution, which we provide to security vendors in the AV/IDS/IPS industry and to certain larger organisations, e.g. those developing their own IDS signatures or wanting to verify that their commercially bought solutions are as efficient as claimed.
Where a person in the Secunia Advisories team can handle multiple issues a day, a Binary Analysis report may take up to two days to complete - sometimes even longer.
Naturally, the BA team cannot (nor has the desire to) perform an in-depth analysis of every single vulnerability reported in an advisory issued by the Secunia Advisories team. Instead, the BA team looks at the advisories and then selects certain vulnerabilities, generally using the following three criteria:
1) Is the vulnerability in a popular piece of software?
2) Does the vulnerability have a "Denial of Service" or "System Access" impact?
3) Does the vulnerability have a rating of "Moderately critical" or higher?
With a few exceptions, a vulnerability usually has to fulfil each of these three criteria. If so, the BA team starts digging deeper into it in order to fully understand the core problem based on the previous verification done by the Advisories team.
Quite often the BA team uncovers new information (additional details, more vectors, silent fixes, incomplete fixes etc.). To improve the quality of our advisories even further, some of this information may be added to the already issued advisories if relevant.
Secunia Research Team
Based on the extensive verification and analysis work done by the Advisories and BA teams, we have a unique, in-depth knowledge about a lot of products, how they work, and common coding mistakes in these.
The Secunia Research team is responsible for discovering new vulnerabilities in popular software and reporting the findings to the software vendors to ensure that the vulnerabilities are fixed. The team is comprised of people in both the Secunia Advisories team and Secunia BA team, who have a proven track record in finding vulnerabilities in various popular and widely used products.
Members of the Secunia Research team get dedicated research time during the year to find vulnerabilities in applications usually of their choosing as long as the application fulfils requirements related to popularity and customer usage. Each member receives a target at the beginning of the year, which is to be met by the end of the year (exceeding the target is perfectly acceptable too).
This work done by the Secunia Research team ultimately enhances the quality of commonly used software as critical vulnerabilities are discovered and fixed before being reported to the public. This not only improves the security of our customers' systems and networks, but also the security of everyone's home systems.
More information on this team is available here.
Do You Have What It Takes?
If anyone reading this blog thinks that vulnerability analysis and discovery are the most cool things to spend your time doing, then you should send us an application as we're currently looking for new people (both Security Specialists and Reverse Engineers) to join the teams.
For more information about job openings:
Chief Security Specialist