The first step in fixing vulnerabilities is to establish a bug fix process. When a company is small, communication costs are low and problems can be resolved quickly by word of mouth. As the company grows, communication costs rise, bug fixes slow down, and relying on informal communication alone leads to mistakes: a vulnerability gets reported but not tracked, or gets "fixed" without anyone confirming the fix. A defined bug fix process is therefore necessary to guarantee both the progress and the quality of the fixes.
The most common problem is slow feedback from the development team on a vulnerability report. This happens because a vulnerability is unplanned work: it was not in anyone's schedule. The fix is not difficult, since development teams generally already run a bug management platform such as a bugtracker. Security vulnerabilities are submitted to that bugtracker like any other bug, so handling them becomes routine for the development team and they are completed as planned rather than ad hoc. Many large open-source projects handle security vulnerabilities in the same way, marking the bug's type as "security" and assigning it an urgency (priority) level so that it is scheduled accordingly.
Another common problem is an incomplete fix, where a patch is released and a later patch is needed to close the same vulnerability. This happens when the patch and its code were never reviewed by the security team. Sometimes, because of insufficient training, the engineers do not understand the root cause of the vulnerability and produce a defective fix, for example blocking one payload while the underlying flaw remains.
Therefore, when a fix is being developed, a security engineer should first analyze the vulnerability and then work with the development team on the technical solution. Only after the security engineer has reviewed the patch code should the fix be released to production.
In security operations, establishing the bug fix process means completing the following tasks:
- Establish a tracking mechanism such as a bugtracker, and set fix priority according to the type and urgency of the vulnerability.
- Establish a vulnerability analysis mechanism: work with the programmers to develop the fix and review the patch code before release.
- Archive the vulnerabilities and summarize bug fix statistics regularly.
The archived vulnerabilities are experience that accumulates as the company grows over the years: they become part of the learning process for security engineers and developers, helping them write better code and better protection measures. Statistics on the number, types, and causes of vulnerabilities allow the system to be analyzed from a global point of view and provide a basis for decision making, for example which vulnerability class to target with training or with a framework-level fix.
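The following is an added example (not code from the book) of the kind of statistics the last task calls for. It reads a small constructed archive of vulnerability records, counts them by type, cause and severity, computes mean days-to-fix per severity, and flags records that exceeded a fix-time target. The record fields, the `TARGET_DAYS` policy and the sample records are assumptions for illustration, not a standard.

```python
"""Summarize a vulnerability archive (added example; records and policy are constructed)."""
from collections import Counter, defaultdict
from datetime import date

# Hypothetical fix-time targets per severity, in days (an assumed policy, not a standard).
TARGET_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}

# Constructed sample archive. A real one would be exported from the bugtracker.
# "fixed" is None while the vulnerability is still open.
ARCHIVE = [
    {"id": "SEC-1", "type": "XSS", "cause": "missing output encoding", "severity": "high",
     "reported": "2024-01-02", "fixed": "2024-01-05"},
    {"id": "SEC-2", "type": "SQL injection", "cause": "string-concatenated query",
     "severity": "critical", "reported": "2024-01-03", "fixed": "2024-01-03"},
    {"id": "SEC-3", "type": "XSS", "cause": "missing output encoding", "severity": "medium",
     "reported": "2024-01-10", "fixed": "2024-02-20"},
    {"id": "SEC-4", "type": "Insecure deserialization", "cause": "untrusted input to pickle",
     "severity": "critical", "reported": "2024-02-01", "fixed": None},
    {"id": "SEC-5", "type": "Path traversal", "cause": "unvalidated filename",
     "severity": "high", "reported": "2024-02-03", "fixed": None},
    {"id": "SEC-6", "type": "XSS", "cause": "missing output encoding", "severity": "low",
     "reported": "2024-01-15", "fixed": "2024-01-25"},
]


def elapsed_days(rec, today):
    """Days from report to fix; for an open record, days from report to `today`."""
    start = date.fromisoformat(rec["reported"])
    end = date.fromisoformat(rec["fixed"]) if rec["fixed"] else today
    return (end - start).days


def summarize(archive, today):
    """Return counts by type/cause/severity, mean days-to-fix per severity for closed
    records, the ids still open, and the ids that exceeded their severity's target."""
    by_type = Counter(r["type"] for r in archive)
    by_cause = Counter(r["cause"] for r in archive)
    by_severity = Counter(r["severity"] for r in archive)
    closed_days = defaultdict(list)
    open_ids, breached = [], []
    for r in archive:
        days = elapsed_days(r, today)
        if r["fixed"]:
            closed_days[r["severity"]].append(days)
        else:
            open_ids.append(r["id"])
        # An open record past its target counts as breached too: it is already late.
        if days > TARGET_DAYS[r["severity"]]:
            breached.append(r["id"])
    mean_days = {sev: sum(v) / len(v) for sev, v in closed_days.items()}
    return {
        "by_type": dict(by_type),
        "by_cause": dict(by_cause),
        "by_severity": dict(by_severity),
        "mean_days_to_fix": mean_days,
        "open": open_ids,
        "breached_target": breached,
    }


if __name__ == "__main__":
    report = summarize(ARCHIVE, date(2024, 2, 5))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `by_cause` count is the figure that drives decisions: three of the six records share the same root cause (missing output encoding), which argues for a framework-level fix or targeted training rather than three more one-off patches. The `breached_target` list is the input for a regular review of why those fixes ran late.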