Does GlobalSCAPE release security patches for products separate from general version releases?


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • All products, all versions

QUESTION

Does Globalscape release security patches for products separate from general version releases?

ANSWER

YES, absolutely! Globalscape has a security vulnerability discovery, remediation, and messaging process that formally defines how Globalscape:

  • Escalates reports of a security vulnerability (provided by customer or third-party security assessor)
  • Gauges the risk level and assigns a severity rating to reported vulnerabilities, using the Common Vulnerability Scoring System (CVSS)
  • Prioritizes and assigns resources to duplicate and remediate the problem according to the threat level
  • Prepares timely, effective, and consistent external communications
  • Handles internal and external dissemination of approved communications, including:
    • Public patches to all customers for critical vulnerabilities
    • Private patches to individual customers (situation dependent)
    • No patch -> rolled up into next major version (low CVSS score or security best practice only)

As of March 2010, Globalscape has encountered only a single critical vulnerability (an SFTP-based vulnerability with a CVSS score of 8.5), which was announced publicly via email to all EFT customers on September 3, 2009, along with a link to a patch. On several occasions Globalscape has released private patches to select customers to address low-scoring security vulnerabilities that were important to those specific customers. Those fixes are typically rolled up into the next public maintenance (minor) or major release, which typically includes other general bug fixes and/or feature enhancements.

Not all potential vulnerabilities reported to Globalscape are considered security vulnerabilities. Application bugs or flaws that result in undesirable behavior during normal operations, including memory leaks or even crashes, while potentially business impacting, are not considered security vulnerabilities. Security best practices, such as use of the HttpOnly attribute or the Secure flag on web session cookies, are not considered vulnerabilities, although Globalscape strives to implement as many security best practices as possible.

Security vulnerabilities can be categorized as application flaws or bugs that, if exploited, may allow a remote (or local) attacker to compromise the Confidentiality, Integrity, or Availability (CIA) of a server. For example, a flaw that allows an attacker to:

  • Execute commands as another user (pose as another entity)
  • Access, modify, or destroy data contrary to the specified access restrictions for that data
  • Deny normally authorized access, either completely or partially (Denial of Service)
  • Introduce a back door, Trojan, or worm that may compromise a system or an entire network

Upon validation of high-rated security issues (according to CVSS 2.0 scoring) in the software and/or service (including security loopholes), Licensor shall notify Licensee in writing (by mail, fax, or other written means) within 72 hours, and provide corresponding solutions (including security patches) to Licensee through a formal release channel. Public notification will happen according to the Responsible Disclosure guidelines developed by OIS.

To report a potential security vulnerability, please contact your account representative or technical support. Globalscape’s internal process for handling potential security vulnerabilities involves rapid escalation to engineering and product management, usually providing a preliminary response to the customer inquiry within one or at most two business days.

Further reference: EFT Server’s Security Best Practices.