Product Security Glossary

PSIRT

What is a PSIRT? 

PSIRT stands for Product Security Incident Response Team. 

Why is it important to have a PSIRT? 

Every company or organization that designs and sells network-connected devices should have a robust, active PSIRT.  Many people think the role of a PSIRT is to respond to security incidents that come up after a device has been released for sale.  However, the proper role of a PSIRT consists of much more than that.  A company’s PSIRT should be active in the design phase of devices, helping to perform risk modeling and helping to make the device architecture as secure as possible.  A PSIRT can also help with security problems that the company itself has found in its devices. 

How is a PSIRT deployed? 

There are three different methods for deploying a PSIRT in an organization.   

With the Distributed Model, the PSIRT is a small team that works with representatives of the various product teams, such as the Engineering, Support, and Product Management teams. 

With the Centralized Model, the PSIRT is larger, and its members come from other departments.  A centralized PSIRT will report to one or more senior executives who are responsible for product security. 

An organization can also use the Hybrid Model, which combines features of both the Distributed and Centralized Models. 

Regardless of which model an organization decides to use, the PSIRT must be autonomous enough to have an objective view of the organization’s product security. 

What does a PSIRT do? 

First, a PSIRT defines the policies that govern how security gets built into the process of designing and manufacturing devices.  This isn’t done in a vacuum, though.  The PSIRT policies must have the support of senior management, and they must be compatible with the organization’s overall business goals. 

Once a PSIRT has defined the policies, it must then educate everyone who has a stake in the successful launch of a securely-designed device.  The PSIRT must emphasize that security must be an integral part of the design and manufacture process, and not just something to be bolted on as an afterthought. 

Finally, the PSIRT needs to implement a set of metrics that it can use to analyze how successful it has been with its mission.  The PSIRT needs to be flexible, and needs to be able to modify its policies and procedures as changing needs might dictate.  Any bottlenecks that block the PSIRT’s accomplishment of its mission must be resolved.  This will lead to continuous improvement in the secure design and manufacture of network-connected devices. 

How do we create a PSIRT? 

There are various organizations that publish frameworks for setting up a PSIRT.  The best first step is to search the Internet to find the framework that works best for your organization.  The second step should be acquiring automated tools that allow the PSIRT to carry out its responsibilities.  Such tools should be incorporated into the CI/CD process and should give a clear understanding of how to mitigate security exposures.