A product security incident response team (PSIRT) identifies, evaluates and coordinates responses to security vulnerabilities and incidents in the products an organization develops and/or manufactures. Where a traditional cybersecurity incident response team (CSIRT) protects the organization’s infrastructure, the PSIRT protects the products themselves. Although the core focus of each team differs, establishing and running the two capabilities has much in common. This piece explains how to create a best-practice PSIRT tailored to your organization.
Establishing a PSIRT is similar to setting up a traditional CSIRT. First, and most importantly, senior leadership must support the effort and codify that support in a PSIRT charter.
This charter should detail:
In addition, an operating budget must be established with adequate resources provided to address the charter scope.
There are three standard operating models for PSIRTs, each of which has its own pros and cons. The one you choose will depend on the capabilities and resources of your specific organization and environment (see Figure 1).
The time commitment required for setting up a PSIRT depends very much on:
The PSIRT should also establish multiple ways to identify security issues. These should include:
The Forum of Incident Response and Security Teams (FIRST) provides extensive guidance and a services framework for establishing a PSIRT.
Many tools are available to support PSIRT operations. However, it is important for organizations to take the time to first establish policies, procedures and operations as a way to guide tool selection.
For example, the PSIRT will want tools to perform vulnerability scanning and patch management, or to insert fixes into the existing development process. Before any scanning is useful, though, the organization must have a comprehensive asset management capability. This applies to product security just as it does to enterprise IT security: the product team must maintain, and provide to the PSIRT, a detailed security bill of materials and asset list.
Many open source tools are available for PSIRT teams to obtain vulnerability information on products (e.g., Cisco’s PSIRT OpenVuln API). PSIRT teams can grow in maturity by automating and orchestrating vulnerability discovery and reporting. This can be implemented with a multitude of security orchestration, automation and response (SOAR) tools.
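As an added illustration of the asset-list-plus-feed approach described above (this is example code, not code from IANS or from any vendor's API; the product names, component names, advisory ids and version ranges are all constructed placeholders), the following Python script cross-references a per-product security bill of materials against a vulnerability feed whose entries carry an affected range of [introduced, fixed), and produces a severity-ordered work list that names the fixed release to pull into the development process:

```python
"""Match product SBOMs against a vulnerability feed to produce a PSIRT work list.

All data below is constructed for this example: product names, component names,
advisory ids and version ranges are placeholders, not real records.
"""
import re
from typing import Optional

# Constructed SBOMs: one entry per shipped product, listing its third-party components.
PRODUCT_SBOMS = [
    {"product": "example-gateway 3.1", "components": [
        {"name": "libfoo", "version": "1.2.13"},
        {"name": "barhttp", "version": "2.4.51"},
    ]},
    {"product": "example-sensor 7.0", "components": [
        {"name": "libfoo", "version": "1.3.0"},
        {"name": "bazparse", "version": "0.9.2"},
    ]},
]

# Constructed advisory feed. The affected range is [introduced, fixed);
# fixed=None means the upstream project has not published a fixed release yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "libfoo",
     "introduced": "1.2.0", "fixed": "1.2.14", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "component": "bazparse",
     "introduced": "0.9.0", "fixed": None, "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "component": "barhttp",
     "introduced": "2.4.0", "fixed": "2.4.50", "severity": "medium"},
]


def parse_version(version: str) -> tuple:
    """Turn the leading dotted-numeric part of a version ('1.2.13', '1.2.13-rc1')
    into a tuple of ints so versions compare correctly. Anything after the
    numeric prefix is ignored; this assumes the simple scheme used above."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(n) for n in m.group(0).split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed, or version >= introduced
    if no fixed release exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sboms: list, advisories: list) -> list:
    """Cross-reference every product component against the feed and return one
    finding per (product, advisory) hit: the PSIRT's work list."""
    findings = []
    for sbom in sboms:
        for comp in sbom["components"]:
            for adv in advisories:
                if adv["component"] != comp["name"]:
                    continue
                if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                    findings.append({
                        "product": sbom["product"],
                        "component": comp["name"],
                        "version": comp["version"],
                        "advisory": adv["id"],
                        "severity": adv["severity"],
                        "fix_available": adv["fixed"],
                    })
    # Highest severity first so the team can prioritise; the ranking is a
    # constructed convention for this example.
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (rank.get(f["severity"], 99), f["product"]))
    return findings


if __name__ == "__main__":
    for f in match_sbom(PRODUCT_SBOMS, ADVISORIES):
        fix = f["fix_available"] or "no fix published yet"
        print(f'{f["severity"]:<8} {f["product"]:<22} {f["component"]} '
              f'{f["version"]} -> {f["advisory"]} (fix: {fix})')
```

In practice the constructed `ADVISORIES` list would be replaced by records pulled from a real feed such as the vendor API mentioned above, and the SBOM would be exported from the build system rather than typed in. The behaviour worth checking is in the negative cases: a component already past the fixed release (barhttp 2.4.51) and a component on a newer branch (libfoo 1.3.0) stay off the list, while an advisory with no fix yet still appears so the team can track it.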
Overall, PSIRTs should create a business requirements document to select tools based on existing IT requirements, security requirements and desired functionality.
A basic PSIRT capability can be stood up with relative speed if the organization already has documented asset management, vulnerability management and patch management capabilities in place. The policies and procedures used in those disciplines can be used and tailored for the product line(s). To ensure success:
September 26, 2023
By IANS Faculty