Thursday, 4 December 2014


Defining Computer Security Incident Response Teams

A computer security incident response team (CSIRT) is a concrete organizational entity (i.e., one or more staff) that is assigned the responsibility for coordinating and supporting the response to a computer security event or incident. CSIRTs can be created for nation states or economies, governments, commercial organizations, educational institutions, and even non-profit entities. The goal of a CSIRT is to minimize and control the damage resulting from incidents, provide effective guidance for response and recovery activities, and work to prevent future incidents from happening.

The Role of Computer Security Incident Response Teams in the Software Development Life Cycle

This article describes one type of organizational entity that can be involved in the incident management process, a Computer Security Incident Response Team (CSIRT), and discusses what input such a team can provide to the software development process and what role it can play in the SDLC. CSIRTs in organizations performing software development and in related customer organizations may have valuable information to contribute to the life cycle. They may also be able to learn valuable information from developers concerning the criticality, operation, and architecture of software and system components that will help them identify, diagnose, and resolve computer security incidents in a more timely manner.

The composition of CSIRT staff varies from team to team and depends on a number of factors, such as
  • mission and goals of the CSIRT
  • nature and range of services offered
  • available staff expertise
  • constituency size and technology base
  • anticipated incident load
  • severity or complexity of incident reports
  • funding

Basic Skills

The set of basic skills we believe CSIRT staff members need to have is described below, separated into two broad groups: personal skills and technical skills.

1. Personal Skills

1.1. Communication
  • Written Communication
  • Oral Communication
1.2. Presentation Skills
1.3. Diplomacy
1.4. Ability to Follow Policies and Procedures
1.5. Team Skills
1.6. Integrity
1.7. Knowing One's Limits
1.8. Coping with Stress
1.9. Problem Solving
1.10. Time Management
2. Technical Skills
The basic technical skills that CSIRT staff need have been separated into two categories: technical foundation skills and incident handling skills.

2.1. Technical Foundation Skills

2.1.1. Security Principles

CSIRT staff members need to have a general understanding of basic security principles such as
  • confidentiality
  • availability
  • authentication
  • integrity
  • access control
  • privacy
  • non-repudiation

2.1.2. Security Vulnerabilities/Weaknesses

CSIRT staff members need to understand the common categories of security vulnerabilities and weaknesses, such as
  • physical security issues
  • protocol design flaws (e.g., man-in-the-middle attacks, spoofing)
  • malicious code (e.g., viruses, worms, Trojan horses)
  • implementation flaws (e.g., buffer overflow, timing windows/race conditions)
  • configuration weaknesses
  • user errors or indifference
