Presenter’s Company Logo – replace on master slide
#RSAC
SESSION ID: HT-R04F
…But Now I See - a Vulnerability Disclosure Maturity Model
Who the FSCK Are You? What is it you do here?
Chief Policy Officer, HackerOne
Former Microsoft Security Strategist
Former Hacker for Hire
ISO Standards Editor
New America Foundation Fellow
MIT Sloan Visiting Scholar
Harvard Belfer Affiliate
Measuring Our Maturity
How would you answer these questions?
When someone emails security@mycompany, who responds? How quickly?
Would my company’s legal department threaten a well-intentioned hacker who came to us with a valuable bug?
Measuring Our Maturity
Does engineering prioritize the importance of product features alongside security bugs that come in from the wild?
If a reporter asked my CEO about a breach reported at our company, would she know what steps were taken to ensure user safety?
Is $10,000 too much, too little, or just right to offer a hacker for a bug?
The 5 Key Elements of Vulnerability Coordination Maturity
Vulnerability Coordination Maturity Model
New model for organizations to assess maturity of their vulnerability coordination process
Model guides how to organize and improve efforts inside and outside of an organization
5 Capability Areas: Organizational, Engineering, Communications, Analytics and Incentives
3 Maturity Levels for each Capability: Basic, Advanced or Expert
Companies can benchmark their capabilities against the industry
[Radar chart with axes: Analytics, Communications, Engineering, Incentives, Organizational]
Organizational
People, process, and resources to handle potential vulnerabilities

Level     Capability
Basic     Executive support to respond to vulnerability reports and a commitment to security and quality as core organizational values.
Advanced  Policy and process for addressing vulnerabilities according to ISO 29147 and ISO 30111, or a comparable framework.
Expert    You have executive support, processes, budget and dedicated personnel for handling vulnerability reports.
Engineering
Capabilities to evaluate and remediate security holes, and improve the software development lifecycle

Level     Capability
Basic     Clear way to receive vulnerability reports, and an internal bug database to track them to resolution. See ISO 29147.
Advanced  Dedicated security bug tracking and documentation of security decisions, deferrals, and trade-offs.
Expert    Use vulnerability trends and root cause analysis to eliminate entire classes of vulnerabilities. See ISOs 29147, 30111, 27034.
Communications
Ability to communicate to audiences internally and externally about vulnerabilities.

Level     Capability
Basic     Ability to receive vulnerability reports and a verifiable channel to distribute advisories to affected parties. See ISO 29147.
Advanced  Tailored, repeatable communications for each audience, including security researchers, partners, customers, and media.
Expert    Structured information sharing programs with coordinated distribution of remediation.
Analytics
Data analysis of vulnerabilities to identify trends and improve processes.

Level     Capability
Basic     Track the number and severity of vulnerabilities over time to measure improvements in code quality.
Advanced  Use root cause analysis to feed back into your software development lifecycle. See ISOs 29147, 30111, 27034.
Expert    Track real-time telemetry of active exploitation to drive dynamic pivots of remediation strategy.
Incentives
Ability to encourage security researchers to report vulnerabilities directly.

Level     Capability
Basic     Show thanks or give swag. Clearly state that no legal action will be taken against researchers who report bugs.
Advanced  Give financial rewards or bug bounties to encourage reporting the most serious vulnerabilities.
Expert    Understand adversary behavior and vulnerability markets, and structure advanced incentives to disrupt them.
Measuring Success in Vulnerability Disclosure
A look at 100+ Companies
Measuring Success in Vulnerability Disclosure
Survey Data
N=194 IT/Security Professionals
Collected between Sept. 2015 – Jan. 2016 via online survey
Measuring Success in Vulnerability Disclosure

Capability      Mean Score
Analytics       1.52
Communications  1.38
Engineering     1.49
Incentives      1.09
Organizational  1.59
[Radar chart of the mean scores, axes: Analytics, Communications, Engineering, Incentives, Organizational]
Avg. By Industry (min. 10 respondents)

Industry                  Sample Size  Analytics  Communications  Engineering  Incentives  Organizational
Education                 15           1.27       1.27            1.40         0.67        1.53
Finance                   15           2.07       1.47            2.20         1.53        2.00
Government                10           1.50       1.20            1.20         0.40        1.60
Healthcare                13           1.54       1.46            1.54         0.92        1.54
Manufacturing             21           1.52       1.52            1.62         1.14        1.67
Other                     15           1.13       1.20            1.00         0.93        1.73
Technology - B2B          37           1.62       1.49            1.54         1.30        1.70
Technology - B2C          17           1.24       1.18            1.24         1.06        1.24
Technology - Mobile Apps  10           1.90       1.90            1.90         1.60        2.10
Unknown                   10           1.40       1.50            1.30         1.00        1.40
Total                     163          1.52       1.42            1.50         1.10        1.65

Green = 1σ above, Red = 1σ below, Bold = 2σ above or below
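The green/red/bold legend above refers to cell formatting that the text version of the slide cannot carry. The following Python is an added example, not part of the slides or of HackerOne's own tooling; it transcribes the table and recomputes from those numbers alone what a reader would want to check: the respondent-weighted mean that produces the Total row, the 1σ/2σ flags (assuming, since the slide does not say, that σ is the population standard deviation of the ten industry averages), and a per-capability ranking. All function names (weighted_mean, sigma_flags, rank) are my own.

```python
"""Benchmark statistics for the VCMM industry table (added example, not from the slides)."""
from statistics import pstdev

CAPABILITIES = ["Analytics", "Communications", "Engineering", "Incentives", "Organizational"]

# Transcribed from the "Avg. By Industry (min. 10 respondents)" slide:
# industry -> (sample size, scores in CAPABILITIES order).
INDUSTRY_SCORES = {
    "Education":                (15, [1.27, 1.27, 1.40, 0.67, 1.53]),
    "Finance":                  (15, [2.07, 1.47, 2.20, 1.53, 2.00]),
    "Government":               (10, [1.50, 1.20, 1.20, 0.40, 1.60]),
    "Healthcare":               (13, [1.54, 1.46, 1.54, 0.92, 1.54]),
    "Manufacturing":            (21, [1.52, 1.52, 1.62, 1.14, 1.67]),
    "Other":                    (15, [1.13, 1.20, 1.00, 0.93, 1.73]),
    "Technology - B2B":         (37, [1.62, 1.49, 1.54, 1.30, 1.70]),
    "Technology - B2C":         (17, [1.24, 1.18, 1.24, 1.06, 1.24]),
    "Technology - Mobile Apps": (10, [1.90, 1.90, 1.90, 1.60, 2.10]),
    "Unknown":                  (10, [1.40, 1.50, 1.30, 1.00, 1.40]),
}


def column(capability):
    """Scores for one capability, keyed by industry, in table order."""
    i = CAPABILITIES.index(capability)
    return {name: scores[i] for name, (_, scores) in INDUSTRY_SCORES.items()}


def weighted_mean(capability):
    """Respondent-weighted mean across industries: sum(n_i * score_i) / sum(n_i).

    Rounded to two decimals this reproduces the slide's Total row (N=163).
    """
    i = CAPABILITIES.index(capability)
    total_n = sum(n for n, _ in INDUSTRY_SCORES.values())
    return sum(n * scores[i] for n, scores in INDUSTRY_SCORES.values()) / total_n


def sigma_flags(capability):
    """Flag each industry relative to the unweighted mean of the industry rows.

    Assumption (the slide does not state it): sigma is the population standard
    deviation of the ten industry averages. Returns, per industry, one of
    "" (within 1 sigma), "above"/"below" (beyond 1 sigma: the slide's green/red),
    "above2"/"below2" (beyond 2 sigma: the slide's bold).
    """
    scores = column(capability)
    values = list(scores.values())
    mean = sum(values) / len(values)
    sigma = pstdev(values)
    flags = {}
    for name, value in scores.items():
        if value >= mean + 2 * sigma:
            flags[name] = "above2"
        elif value <= mean - 2 * sigma:
            flags[name] = "below2"
        elif value >= mean + sigma:
            flags[name] = "above"
        elif value <= mean - sigma:
            flags[name] = "below"
        else:
            flags[name] = ""
    return flags


def rank(capability):
    """Rank industries on one capability, 1 = best. Ties keep table order (stable sort)."""
    scores = column(capability)
    ordered = sorted(scores, key=lambda name: -scores[name])
    return {name: position for position, name in enumerate(ordered, start=1)}


if __name__ == "__main__":
    for cap in CAPABILITIES:
        flagged = {name: flag for name, flag in sigma_flags(cap).items() if flag}
        print(f"{cap:15s} weighted mean {weighted_mean(cap):.2f}  flags {flagged}")
    print("Analytics rank:", rank("Analytics"))
```

The Analytics column has no tied scores, so rank("Analytics") matches the rank table on the next slide exactly; Communications and Engineering contain ties (Government/Other at 1.20, Healthcare/Technology - B2B at 1.54) that the slide orders differently from a stable sort, so those columns can differ by one position.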
Measuring Success in Vulnerability Disclosure
Rank of Industry by Capability, min. 10 respondents (1 = best, 10 = worst)

Industry                  Analytics  Comms  Engineering  Incentives  Organizational
Finance                   1          5      1            2           2
Technology - Mobile Apps  2          1      2            1           1
Technology - B2B          3          4      4            3           4
Healthcare                4          6      5            8           7
Manufacturing             5          2      3            4           5
Government                6          8      9            10          6
Unknown                   7          3      7            6           9
Education                 8          7      6            9           8
Technology - B2C          9          10     8            5           10
Other                     10         9      10           7           3
Technology – B2B vs Overall Average
[Radar chart: Overall Average vs Technology - B2B, axes Analytics, Communications, Engineering, Incentives, Organizational]
Government vs Overall Average
[Radar chart: Overall Average vs Government, axes Analytics, Communications, Engineering, Incentives, Organizational]
Finance vs Overall Average
[Radar chart: Overall Average vs Finance, axes Analytics, Communications, Engineering, Incentives, Organizational]
Sample Company – Riot

Capability   Average  Riot
Analytics    1.52     2
Comms        1.38     2
Engineering  1.49     3
Incentives   1.09     3
Org.         1.59     3
[Radar chart: Riot vs. VCMM Average, axes Analytics, Comms, Engineering, Incentives, Organizational]
Sample Company – Adobe

Capability   Average  Adobe
Analytics    1.52     2
Comms        1.38     2
Engineering  1.49     3
Incentives   1.09     1
Org.         1.59     3
[Radar chart: Adobe vs. VCMM Average, axes Analytics, Comms, Engineering, Incentives, Organizational]
Sample Company – ToyTalk

Capability   Average  ToyTalk
Analytics    1.52     2
Comms        1.38     2
Engineering  1.49     3
Incentives   1.09     3
Org.         1.59     3
[Radar chart: ToyTalk vs. VCMM Average, axes Analytics, Comms, Engineering, Incentives, Organizational]
Next Steps
Continue to gather data
  Non-self-reported
  Larger sample size
Multi-vendor coordination is needed
Put Your Organization To The Test – Where Do You Rank
“Apply”
Take the free maturity assessment within minutes at hackerone.com/vulnerability-coordination-maturity-model
Appendix