During CTI Week organized in partnership by Advens and CESIN (French Club of Information and Digital Security Experts), Benjamin Leroux, Chief Marketing Officer at Advens, joined Anouck Teiller, Chief Strategy Officer at HarfangLab, Tristan Savalle, CISO at Advens, and Fabian Cosset, Director of Advens CERT, for a roundtable discussion on the vulnerabilities of security solutions.
Here are the conclusions.
The explosion of vulnerabilities in cybersecurity solutions
Everyone agrees that vulnerabilities in security components are not a new phenomenon, but as Fabian Cosset points out, 2024 was marked by massively exploited vulnerabilities, even though these solutions are the cornerstone of security systems.
The geopolitical situation influences the context, and certain groups specifically target these tools, notably Chinese APTs, who see the commercial potential of security solution vulnerabilities.
Tristan Savalle adds that for CISOs, monitoring tools like firewalls, antivirus software, VPNs, EDRs, and EPPs is constant, but exploits are becoming more numerous, available more quickly, and increasingly systematic. That is changing the game.
“With the growing number of SaaS security solutions, the way we’re sharing responsibilities has changed. Excellent relationships must be maintained between partners to remediate vulnerabilities as quickly as possible. The contractual relationship and the maturity of the publisher are decisive factors,” he explains.
From the vendor’s perspective, “the increase in vulnerabilities affecting security solutions is part of a broader trend of increasing vulnerabilities affecting software at large, which inevitably affects us as a cybersecurity solution provider. In fact, ANSSI (French National Cybersecurity Agency) has gone from 7 vulnerability management coordination units to more than 40 in 5 years! The threat is evolving and accelerating for everyone,” Anouck Teiller notes.
Furthermore, the security of an information system operates as an ecosystem composed of different solutions. It is essential to consider not only each solution's own vulnerabilities, but also the potential vulnerability of the entire stack.
“Managing our own vulnerabilities has always been a priority, and HarfangLab has been structured this way from the outset, notably by being the first EDR to be certified by ANSSI in 2020. This certification encourages publishers to implement processes and best practices to combat vulnerabilities,” recalls Anouck Teiller.
Although monitoring and combating vulnerabilities are crucial for all security providers and partners, it is nevertheless necessary to deal with them and be able to act in the event of an incident, and CERTs play a central role in this process.
Cybersecurity solution vulnerabilities: how should an incident response team react?
Fabian Cosset explains: “As soon as a vulnerability is reported, you need to be able to react. Monitoring is the first step in the process, and it is essential to have a thorough understanding of your IT infrastructure. It is also important to bear in mind that the CVSS score (Common Vulnerability Scoring System) is not the only criterion for criticality. Some vulnerabilities with low scores are part of a more complex modus operandi, and this chain reaction can have a catastrophic impact, particularly on components that are critical to the information system, such as a VPN.”
In short, beyond the vulnerability score, the criticality of the relevant components must also be considered to prioritize corrective actions. In concrete terms, if a company or local authority risks being shut down, the vulnerability of the tool must be patched as a priority, even if the vulnerability itself has a low level of criticality.
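The prioritization rule sketched above (component criticality and observed exploitation weigh alongside the CVSS score, and the remediation path differs when no patch exists) can be turned into a small ranking routine. The following is an added example written for this page, not a method presented by the roundtable participants or by Advens or HarfangLab; the weights, the `Finding` fields and the sample findings are constructed, and the `VULN-*` identifiers are placeholders, not real CVE numbers.

```python
from dataclasses import dataclass

# Hypothetical scoring scheme (assumption, not the roundtable's method):
# priority blends the CVSS base score with the business criticality of the
# affected component and with whether exploitation has been observed, so that a
# low-CVSS flaw on a critical VPN gateway can outrank a high-CVSS flaw on a lab host.
CRITICALITY_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}
EXPLOITED_BONUS = 3.0  # added (scaled by criticality) when exploitation is confirmed


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder identifier, not a real CVE
    component: str        # affected component of the information system
    cvss: float           # CVSS base score, 0.0 to 10.0
    criticality: str      # business criticality of the component
    exploited: bool       # exploitation observed internally or reported publicly
    patch_available: bool


def priority_score(f: Finding) -> float:
    """Combine CVSS, component criticality and exploitation status into one number."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    weight = CRITICALITY_WEIGHT[f.criticality]
    score = f.cvss * weight
    if f.exploited:
        score += EXPLOITED_BONUS * weight
    return round(score, 2)


def remediation_action(f: Finding) -> str:
    """Patch when the vendor has shipped one; otherwise fall back to a workaround."""
    return "apply patch" if f.patch_available else "apply workaround / isolate"


def prioritize(findings):
    """Return findings ordered from most to least urgent (ties broken by id)."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.vuln_id))


# Constructed sample findings for illustration only.
SAMPLE = [
    Finding("VULN-A", "lab workstation", 9.8, "low", False, True),
    Finding("VULN-B", "vpn gateway", 4.3, "critical", True, False),
    Finding("VULN-C", "file server", 7.5, "medium", False, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.vuln_id:8} {f.component:16} cvss={f.cvss:4} "
              f"priority={priority_score(f):6} -> {remediation_action(f)}")
```

With these inputs the low-CVSS but exploited finding on the critical VPN gateway ranks first and, having no patch, is routed to a workaround, which is the outcome the paragraph above argues for; the weights themselves are the part a team would tune to its own asset inventory.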
When applying patches, there are two possible scenarios.
The publisher reports a vulnerability, a patch is quickly made available and then deployed. The issue is closed after first verifying that the vulnerability has not been exploited. This is the optimal case.
However, if there is no patch or if it needs improvement, workarounds must be put in place, requiring the expertise of CERT and administration teams to reduce the risks.
“The smoother the processes between CERT, monitoring centers, operations teams, experts, administrators, security teams, etc., the more effective the response will be. Thanks to the efficient flow of information, an organization will be better able to map its information system and understand attack paths. In addition, vulnerability monitoring and crisis management systems are crucial. You can’t invent crisis management at the same time as the crisis,” Tristan Savalle reminds us.
Nevertheless, it is important to keep in mind that there is no such thing as a flawless provider. Certifications are important, but above all they signify a commitment to correcting vulnerabilities; they are not totems of immunity.
“The vulnerabilities of cybersecurity solutions are raising more and more questions, which is a good sign because it encourages us to challenge the security level of software providers. That said, the question is not whether a security solution is likely to have a flaw, but whether monitoring and production processes are sufficiently well-established to validate the security of the components integrated into the solution, including open-source ones. It is also necessary to monitor vulnerabilities that are not widely publicized and commit to delivering patches or workarounds where necessary,” Anouck Teiller explains.
Responsibilities may vary depending on the type of deployment. For a SaaS solution, the deployment of a patch is the responsibility of the vendor. However, for on-premises solutions, the vendor may commit to providing the patch, in which case it is up to the customer or partner to deploy it.
Given the need for responsiveness in vulnerability remediation, what impact could the Cyber Resilience Act have?
The Cyber Resilience Act: the logical successor to security solution certifications
The Cyber Resilience Act aims to increase the level of requirements for vulnerability management, both for companies and for cybersecurity solution developers and providers.
Anouck Teiller explains that in terms of processes and organization, HarfangLab sees the Cyber Resilience Act as a continuation of the CSPN qualification and ANSSI certification the platform has already achieved. Once again, this does not mean that there will never be any vulnerabilities; instead, these labels indicate that the vendor has been audited by a third party to ensure that it can manage the identification, correction, and deployment of patches. For HarfangLab, partnering with the European Union Agency for Cybersecurity (ENISA), which recently launched the new European vulnerability management database, is a natural evolution of its commitment to the wider cyber ecosystem.
“These initiatives help dispel the myth that security solutions must be completely free of vulnerabilities. They are critical and require the highest level of vigilance, but there may be vulnerabilities, there will be vulnerabilities, and the cybersecurity ecosystem is collectively equipping itself to deal with them,” Anouck Teiller adds.
And for a CISO, is the Cyber Resilience Act just another compliance project to undertake? What about non-European and small vendors?
According to Tristan Savalle, “The Cyber Resilience Act makes vendors accountable, which is a good thing for increasing market maturity. However, as a CISO, I rely on close relationships with partners, which allow us to respond more effectively when needed, rather than depending solely on regulations.”
Fabian Cosset agrees: “What matters most in order to be responsive and resilient is, above all, collaboration and information sharing between providers and partners.”