SlideShare a Scribd company logo

…But Now I See—A Vulnerability Disclosure Maturity Model

Priyanka Aash
Priyanka Aash

Someone politely knocks on your door and reports that there’s a hole in your wall big enough for a person to climb through. You immediately threaten legal action. Crazy? In the world of vuln research, this happens. This session will review a Vuln Disclosure Maturity Model created describe best-in-class practices. For any company wanting to get better bug reports faster—this session is a must. (Source: RSA USA 2016-San Francisco)

Technology
1 of 31
Download to read offline
Presenter’s Company Logo – replace on master slide #RSAC SESSION ID: #RSAC …But Now I See - a Vulnerability Disclosure Maturity Model HT-R04F
Presenter’s Company Logo – replace on master slide #RSAC Who the FSCK Are You? What is it you do here? 2 Chief Policy Officer, HackerOne Former Microsoft Security Strategist Former Hacker for Hire ISO Standards Editor New America Foundation Fellow MIT Sloan Visiting Scholar Harvard Belfer Affiliate
Presenter’s Company Logo – replace on master slide #RSAC Measuring Our Maturity 3 How would you answer these questions? When someone emails security@mycompany, who responds? How quickly? Would my company’s legal department threaten a well-intentioned hacker who came to us with a valuable bug?
Presenter’s Company Logo – replace on master slide #RSAC Measuring Our Maturity 4 Does engineering prioritize the importance of product features alongside security bugs that come in from the wild? If a reporter asked my CEO about a breach reported at our company, would she know what steps were taken to ensure user safety? Is $10,000 is too much, too little, or just right to offer a hacker for a bug?
Presenter’s Company Logo – replace on master slide #RSAC#RSAC The 5 Key Elements of Vulnerability Coordination Maturity
Presenter’s Company Logo – replace on master slide #RSAC Vulnerability Coordination Maturity Model 6 New model for organizations to assess maturity of their vulnerability coordination process Model guides how to organize and improve efforts inside and outside of an organization 5 Capability Areas: Organizational, Engineering, Communications, Analytics and Incentives 3 Maturity Levels for each Capability: Basic, Advanced or Expert Companies can benchmark their capabilities against the industry Analytics Communications EngineeringIncentives Organizational
Presenter’s Company Logo – replace on master slide #RSAC Organizational 7 Level Capability Basic Executive support to respond to vulnerability reports and a commitment to security and quality as core organizational values. Advanced Policy and process for addressing vulnerabilities according to ISO 29147 and ISO 30111, or a comparable framework. Expert You have executive support, processes, budget and dedicated personnel for handling vulnerability reports. People, process, and resources to handle potential vulnerabilities
Presenter’s Company Logo – replace on master slide #RSAC 8
Presenter’s Company Logo – replace on master slide #RSAC Engineering 9 Level Capability Basic Clear way to receive vulnerability reports, and an internal bug database to track them to resolution. See ISO 29147. Advanced Dedicated security bug tracking and documentation of security decisions, deferrals, and trade-offs. Expert Use vulnerability trends and root cause analysis to eliminate entire classes of vulnerabilities. See ISOs 29147, 30111, 27034. Capabilities to evaluate and remediate security holes, and improve software development lifecycle
Presenter’s Company Logo – replace on master slide #RSAC 10
Presenter’s Company Logo – replace on master slide #RSAC Communications 11 Level Capability Basic Ability to receive vulnerability reports and a verifiable channel to distribute advisories to affected parties. See ISO 29147. Advanced Tailored, repeatable communications for each audience, including security researchers, partners, customers, and media. Expert Structured information sharing programs with coordinated distribution of remediation. Ability to communicate to audiences internally and externally about vulnerabilities.
Presenter’s Company Logo – replace on master slide #RSAC 12
Presenter’s Company Logo – replace on master slide #RSAC Analytics 13 Level Capability Basic Track the number and severity of vulnerabilities over time to measure improvements in code quality. Advanced Use root causes analysis to feed back into your software development lifecycle. See ISOs 29147, 30111, 27034. Expert Track real-time telemetry of active exploitation to drive dynamic pivots of remediation strategy. Data analysis of vulnerabilities to identify trends and improve processes.
Presenter’s Company Logo – replace on master slide #RSAC 14
Presenter’s Company Logo – replace on master slide #RSAC Incentives 15 Level Capability Basic Show thanks or give swag. Clearly state that no legal action will be taken against researchers who report bugs. Advanced Give financial rewards or bug bounties to encourage reporting the most serious vulnerabilities. Expert Understand adversary behavior and vulnerability markets, and structure advanced incentives to disrupt them. Ability to encourage security researchers to report vulnerabilities directly.
Presenter’s Company Logo – replace on master slide #RSAC 16
Presenter’s Company Logo – replace on master slide #RSAC#RSAC Measuring Success in Vulnerability Disclosure A look at 100+ Companies
Presenter’s Company Logo – replace on master slide #RSAC Measuring Success in Vulnerability Disclosure 18 Survey Data N=194 IT/Security Professionals Collected between Sept. 2015 – Jan. 2016 via online survey
Presenter’s Company Logo – replace on master slide #RSAC Measuring Success in Vulnerability Disclosure 19 Capability Mean Score Analytics 1.52 Communications 1.38 Engineering 1.49 Incentives 1.09 Organizational 1.59 Analytics Communications EngineeringIncentives Organizational
Presenter’s Company Logo – replace on master slide #RSAC Avg. By Industry (min. 10 respondents) 20 Industry Sample Size Analytics Communications Engineering Incentives Organizational Education 15 1.27 1.27 1.40 0.67 1.53 Finance 15 2.07 1.47 2.20 1.53 2.00 Government 10 1.50 1.20 1.20 0.40 1.60 Healthcare 13 1.54 1.46 1.54 0.92 1.54 Manufacturing 21 1.52 1.52 1.62 1.14 1.67 Other 15 1.13 1.20 1.00 0.93 1.73 Technology - B2B 37 1.62 1.49 1.54 1.30 1.70 Technology - B2C 17 1.24 1.18 1.24 1.06 1.24 Technology - Mobile Apps 10 1.90 1.90 1.90 1.60 2.10 Unknown 10 1.40 1.50 1.30 1.00 1.40 163 1.52 1.42 1.50 1.10 1.65 Green = 1 𝛔𝛔 above Red = 1 𝛔𝛔 below Bold = 2𝛔𝛔 above or below
Presenter’s Company Logo – replace on master slide #RSAC Measuring Success in Vulnerability Disclosure 21 Analytics Comms Engineering Incentives Organizational Finance 1 5 1 2 2 Technology - Mobile Apps 2 1 2 1 1 Technology - B2B 3 4 4 3 4 Healthcare 4 6 5 8 7 Manufacturing 5 2 3 4 5 Government 6 8 9 10 6 Unknown 7 3 7 6 9 Education 8 7 6 9 8 Technology - B2C 9 10 8 5 10 Other 10 9 10 7 3 Rank of Industry by Capability, min. 10 respondents (1 = best, 10 = worst)
Presenter’s Company Logo – replace on master slide #RSAC Technology – B2B vs Overall Average 22 Analytics Communications EngineeringIncentives Organizational Overall Average Technology - B2B
Presenter’s Company Logo – replace on master slide #RSAC Government vs Overall Average 23 Analytics Communications EngineeringIncentives Organizational Overall Average Government
Presenter’s Company Logo – replace on master slide #RSAC Finance vs Overall Average 24 Analytics Communications EngineeringIncentives Organizational Overall Average Finance
Presenter’s Company Logo – replace on master slide #RSAC Sample Company – Riot 25 Capability Average Riot Analytics 1.52 2 Comms 1.38 2 Engineering 1.49 3 Incentives 1.09 3 Org. 1.59 3 Analytics Comms EngineeringIncentives Organizational Riot vs. VCMM Average Average Riot
Presenter’s Company Logo – replace on master slide #RSAC Sample Company – Adobe 26 Capability Average Adobe Analytics 1.52 2 Comms 1.38 2 Engineering 1.49 3 Incentives 1.09 1 Org. 1.59 3 Analytics Comms EngineeringIncentives Organizational Adobe vs. VCMM Average Average Adobe
Presenter’s Company Logo – replace on master slide #RSAC Sample Company – ToyTalk 27 Capability Average ToyTalk Analytics 1.52 2 Comms 1.38 2 Engineering 1.49 3 Incentives 1.09 3 Org. 1.59 3 Analytics Comms EngineeringIncentives Organizational ToyTalk vs. VCMM Average ToyTalk Average
Presenter’s Company Logo – replace on master slide #RSAC Next Steps 28 Continue to gather data Non self-reported Larger sample size Multi-vendor coordination is needed
Presenter’s Company Logo – replace on master slide #RSAC#RSAC Put Your Organization To The Test – Where Do You Rank
Presenter’s Company Logo – replace on master slide #RSAC “Apply” 30 Take the free maturity assessment within minutes at hackerone.com/vulnerability-coordination-maturity-model
Presenter’s Company Logo – replace on master slide #RSAC Appendix 31

Recommended

Future of Software Analysis & Measurement_CAST
Future of Software Analysis & Measurement_CASTFuture of Software Analysis & Measurement_CAST
Future of Software Analysis & Measurement_CASTCAST
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Cenzic
 
Extreme risk - how bad tech mgmt destroys firms
Extreme risk - how bad tech mgmt destroys firmsExtreme risk - how bad tech mgmt destroys firms
Extreme risk - how bad tech mgmt destroys firmsEric Tachibana
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREJames Wickett
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Priyanka Aash
 

Recommended

Future of Software Analysis & Measurement_CAST
Future of Software Analysis & Measurement_CASTFuture of Software Analysis & Measurement_CAST
Future of Software Analysis & Measurement_CASTCAST
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22
Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22Cenzic
 
Extreme risk - how bad tech mgmt destroys firms
Extreme risk - how bad tech mgmt destroys firmsExtreme risk - how bad tech mgmt destroys firms
Extreme risk - how bad tech mgmt destroys firmsEric Tachibana
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREJames Wickett
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Priyanka Aash
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesPriyanka Aash
 
CAST HIGHLIGHT - Overview & Demos
CAST HIGHLIGHT - Overview & DemosCAST HIGHLIGHT - Overview & Demos
CAST HIGHLIGHT - Overview & DemosJean-Patrick Ascenci
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student NaTatianaMajor22
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student NaLaticiaGrissomzz
 
Linda l jenkins resume 8 4-2016
Linda l jenkins resume 8 4-2016Linda l jenkins resume 8 4-2016
Linda l jenkins resume 8 4-2016Linda Jenkins
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsPriyanka Aash
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingPriyanka Aash
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Eturnti Consulting Pvt Ltd
 
5 Steps to Get Precise SAP Impact-Based Testing
5 Steps to Get Precise SAP Impact-Based Testing5 Steps to Get Precise SAP Impact-Based Testing
5 Steps to Get Precise SAP Impact-Based TestingTurnKey Solutions
 
SAP-Basis-Support-for-Global-Technology-Distributor.pdf
SAP-Basis-Support-for-Global-Technology-Distributor.pdfSAP-Basis-Support-for-Global-Technology-Distributor.pdf
SAP-Basis-Support-for-Global-Technology-Distributor.pdfAnil
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresPriyanka Aash
 
Linda l jenkins resume 5 26-16
Linda l jenkins resume 5 26-16Linda l jenkins resume 5 26-16
Linda l jenkins resume 5 26-16Linda Jenkins
 
comspace technology profile
comspace technology profilecomspace technology profile
comspace technology profileWao Wamola
 
Rami AlHajbi-Resume
Rami AlHajbi-ResumeRami AlHajbi-Resume
Rami AlHajbi-ResumeRami Al-Hajbi
 
There’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskThere’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskPriyanka Aash
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxjjvdneut
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxjjvdneut
 
Introduction to CAST HIGHLIGHT - Rapid Application Portfolio Analysis
Introduction to CAST HIGHLIGHT - Rapid Application Portfolio AnalysisIntroduction to CAST HIGHLIGHT - Rapid Application Portfolio Analysis
Introduction to CAST HIGHLIGHT - Rapid Application Portfolio AnalysisCAST
 
Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?Enterprise Management Associates
 
Treating Security Like a Product
Treating Security Like a ProductTreating Security Like a Product
Treating Security Like a ProductVMware Tanzu
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 

More Related Content

Similar to …But Now I See—A Vulnerability Disclosure Maturity Model

Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesPriyanka Aash
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student NaTatianaMajor22
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student NaLaticiaGrissomzz
 
Linda l jenkins resume 8 4-2016
Linda l jenkins resume 8 4-2016Linda l jenkins resume 8 4-2016
Linda l jenkins resume 8 4-2016Linda Jenkins
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsPriyanka Aash
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingPriyanka Aash
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Eturnti Consulting Pvt Ltd
 
5 Steps to Get Precise SAP Impact-Based Testing
5 Steps to Get Precise SAP Impact-Based Testing5 Steps to Get Precise SAP Impact-Based Testing
5 Steps to Get Precise SAP Impact-Based TestingTurnKey Solutions
 
SAP-Basis-Support-for-Global-Technology-Distributor.pdf
SAP-Basis-Support-for-Global-Technology-Distributor.pdfSAP-Basis-Support-for-Global-Technology-Distributor.pdf
SAP-Basis-Support-for-Global-Technology-Distributor.pdfAnil
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresPriyanka Aash
 
Linda l jenkins resume 5 26-16
Linda l jenkins resume 5 26-16Linda l jenkins resume 5 26-16
Linda l jenkins resume 5 26-16Linda Jenkins
 
comspace technology profile
comspace technology profilecomspace technology profile
comspace technology profileWao Wamola
 
There’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskThere’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskPriyanka Aash
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxjjvdneut
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxjjvdneut
 
Introduction to CAST HIGHLIGHT - Rapid Application Portfolio Analysis
Introduction to CAST HIGHLIGHT - Rapid Application Portfolio AnalysisIntroduction to CAST HIGHLIGHT - Rapid Application Portfolio Analysis
Introduction to CAST HIGHLIGHT - Rapid Application Portfolio AnalysisCAST
 
Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?Enterprise Management Associates
 
Treating Security Like a Product
Treating Security Like a ProductTreating Security Like a Product
Treating Security Like a ProductVMware Tanzu
 

Similar to …But Now I See—A Vulnerability Disclosure Maturity Model (20)

Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
 
CAST HIGHLIGHT - Overview & Demos
CAST HIGHLIGHT - Overview & DemosCAST HIGHLIGHT - Overview & Demos
CAST HIGHLIGHT - Overview & Demos
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Na
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Na
 
Linda l jenkins resume 8 4-2016
Linda l jenkins resume 8 4-2016Linda l jenkins resume 8 4-2016
Linda l jenkins resume 8 4-2016
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and Gains
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and Reporting
 
Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....Agile Relevance in the age of Continuous Everything ....
Agile Relevance in the age of Continuous Everything ....
 
5 Steps to Get Precise SAP Impact-Based Testing
5 Steps to Get Precise SAP Impact-Based Testing5 Steps to Get Precise SAP Impact-Based Testing
5 Steps to Get Precise SAP Impact-Based Testing
 
SAP-Basis-Support-for-Global-Technology-Distributor.pdf
SAP-Basis-Support-for-Global-Technology-Distributor.pdfSAP-Basis-Support-for-Global-Technology-Distributor.pdf
SAP-Basis-Support-for-Global-Technology-Distributor.pdf
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
 
Linda l jenkins resume 5 26-16
Linda l jenkins resume 5 26-16Linda l jenkins resume 5 26-16
Linda l jenkins resume 5 26-16
 
comspace technology profile
comspace technology profilecomspace technology profile
comspace technology profile
 
Rami AlHajbi-Resume
Rami AlHajbi-ResumeRami AlHajbi-Resume
Rami AlHajbi-Resume
 
There’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-RiskThere’s No Such Thing as a Cyber-Risk
There’s No Such Thing as a Cyber-Risk
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptx
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptx
 
Introduction to CAST HIGHLIGHT - Rapid Application Portfolio Analysis
Introduction to CAST HIGHLIGHT - Rapid Application Portfolio AnalysisIntroduction to CAST HIGHLIGHT - Rapid Application Portfolio Analysis
Introduction to CAST HIGHLIGHT - Rapid Application Portfolio Analysis
 
Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?
 
Treating Security Like a Product
Treating Security Like a ProductTreating Security Like a Product
Treating Security Like a Product
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

…But Now I See—A Vulnerability Disclosure Maturity Model

  • 1. Presenter’s Company Logo – replace on master slide #RSAC SESSION ID: #RSAC …But Now I See - a Vulnerability Disclosure Maturity Model HT-R04F
  • 2. Presenter’s Company Logo – replace on master slide #RSAC Who the FSCK Are You? What is it you do here? 2 Chief Policy Officer, HackerOne Former Microsoft Security Strategist Former Hacker for Hire ISO Standards Editor New America Foundation Fellow MIT Sloan Visiting Scholar Harvard Belfer Affiliate
  • 3. Presenter’s Company Logo – replace on master slide #RSAC Measuring Our Maturity 3 How would you answer these questions? When someone emails security@mycompany, who responds? How quickly? Would my company’s legal department threaten a well-intentioned hacker who came to us with a valuable bug?
  • 4. Presenter’s Company Logo – replace on master slide #RSAC Measuring Our Maturity 4 Does engineering prioritize the importance of product features alongside security bugs that come in from the wild? If a reporter asked my CEO about a breach reported at our company, would she know what steps were taken to ensure user safety? Is $10,000 is too much, too little, or just right to offer a hacker for a bug?
  • 5. Presenter’s Company Logo – replace on master slide #RSAC#RSAC The 5 Key Elements of Vulnerability Coordination Maturity
  • 6. Presenter’s Company Logo – replace on master slide #RSAC Vulnerability Coordination Maturity Model 6 New model for organizations to assess maturity of their vulnerability coordination process Model guides how to organize and improve efforts inside and outside of an organization 5 Capability Areas: Organizational, Engineering, Communications, Analytics and Incentives 3 Maturity Levels for each Capability: Basic, Advanced or Expert Companies can benchmark their capabilities against the industry Analytics Communications EngineeringIncentives Organizational
  • 7. Presenter’s Company Logo – replace on master slide #RSAC Organizational 7 Level Capability Basic Executive support to respond to vulnerability reports and a commitment to security and quality as core organizational values. Advanced Policy and process for addressing vulnerabilities according to ISO 29147 and ISO 30111, or a comparable framework. Expert You have executive support, processes, budget and dedicated personnel for handling vulnerability reports. People, process, and resources to handle potential vulnerabilities
  • 8. Presenter’s Company Logo – replace on master slide #RSAC 8
  • 9. Presenter’s Company Logo – replace on master slide #RSAC Engineering 9 Level Capability Basic Clear way to receive vulnerability reports, and an internal bug database to track them to resolution. See ISO 29147. Advanced Dedicated security bug tracking and documentation of security decisions, deferrals, and trade-offs. Expert Use vulnerability trends and root cause analysis to eliminate entire classes of vulnerabilities. See ISOs 29147, 30111, 27034. Capabilities to evaluate and remediate security holes, and improve software development lifecycle
  • 10. Presenter’s Company Logo – replace on master slide #RSAC 10
  • 11. Presenter’s Company Logo – replace on master slide #RSAC Communications 11 Level Capability Basic Ability to receive vulnerability reports and a verifiable channel to distribute advisories to affected parties. See ISO 29147. Advanced Tailored, repeatable communications for each audience, including security researchers, partners, customers, and media. Expert Structured information sharing programs with coordinated distribution of remediation. Ability to communicate to audiences internally and externally about vulnerabilities.
  • 12. Presenter’s Company Logo – replace on master slide #RSAC 12
  • 13. Presenter’s Company Logo – replace on master slide #RSAC Analytics 13 Level Capability Basic Track the number and severity of vulnerabilities over time to measure improvements in code quality. Advanced Use root causes analysis to feed back into your software development lifecycle. See ISOs 29147, 30111, 27034. Expert Track real-time telemetry of active exploitation to drive dynamic pivots of remediation strategy. Data analysis of vulnerabilities to identify trends and improve processes.
  • 14. Presenter’s Company Logo – replace on master slide #RSAC 14
  • 15. Presenter’s Company Logo – replace on master slide #RSAC Incentives 15 Level Capability Basic Show thanks or give swag. Clearly state that no legal action will be taken against researchers who report bugs. Advanced Give financial rewards or bug bounties to encourage reporting the most serious vulnerabilities. Expert Understand adversary behavior and vulnerability markets, and structure advanced incentives to disrupt them. Ability to encourage security researchers to report vulnerabilities directly.
  • 16. Presenter’s Company Logo – replace on master slide #RSAC 16
  • 17. Presenter’s Company Logo – replace on master slide #RSAC#RSAC Measuring Success in Vulnerability Disclosure A look at 100+ Companies
  • 18. Presenter’s Company Logo – replace on master slide #RSAC Measuring Success in Vulnerability Disclosure 18 Survey Data N=194 IT/Security Professionals Collected between Sept. 2015 – Jan. 2016 via online survey
  • 19. Presenter’s Company Logo – replace on master slide #RSAC Measuring Success in Vulnerability Disclosure 19 Capability Mean Score Analytics 1.52 Communications 1.38 Engineering 1.49 Incentives 1.09 Organizational 1.59 Analytics Communications EngineeringIncentives Organizational
  • 20. Presenter’s Company Logo – replace on master slide #RSAC Avg. By Industry (min. 10 respondents) 20 Industry Sample Size Analytics Communications Engineering Incentives Organizational Education 15 1.27 1.27 1.40 0.67 1.53 Finance 15 2.07 1.47 2.20 1.53 2.00 Government 10 1.50 1.20 1.20 0.40 1.60 Healthcare 13 1.54 1.46 1.54 0.92 1.54 Manufacturing 21 1.52 1.52 1.62 1.14 1.67 Other 15 1.13 1.20 1.00 0.93 1.73 Technology - B2B 37 1.62 1.49 1.54 1.30 1.70 Technology - B2C 17 1.24 1.18 1.24 1.06 1.24 Technology - Mobile Apps 10 1.90 1.90 1.90 1.60 2.10 Unknown 10 1.40 1.50 1.30 1.00 1.40 163 1.52 1.42 1.50 1.10 1.65 Green = 1 𝛔𝛔 above Red = 1 𝛔𝛔 below Bold = 2𝛔𝛔 above or below
  • 21. Presenter’s Company Logo – replace on master slide #RSAC Measuring Success in Vulnerability Disclosure 21 Analytics Comms Engineering Incentives Organizational Finance 1 5 1 2 2 Technology - Mobile Apps 2 1 2 1 1 Technology - B2B 3 4 4 3 4 Healthcare 4 6 5 8 7 Manufacturing 5 2 3 4 5 Government 6 8 9 10 6 Unknown 7 3 7 6 9 Education 8 7 6 9 8 Technology - B2C 9 10 8 5 10 Other 10 9 10 7 3 Rank of Industry by Capability, min. 10 respondents (1 = best, 10 = worst)
  • 22. Presenter’s Company Logo – replace on master slide #RSAC Technology – B2B vs Overall Average 22 Analytics Communications EngineeringIncentives Organizational Overall Average Technology - B2B
  • 23. Presenter’s Company Logo – replace on master slide #RSAC Government vs Overall Average 23 Analytics Communications EngineeringIncentives Organizational Overall Average Government
  • 24. Presenter’s Company Logo – replace on master slide #RSAC Finance vs Overall Average 24 Analytics Communications EngineeringIncentives Organizational Overall Average Finance
  • 25. Presenter’s Company Logo – replace on master slide #RSAC Sample Company – Riot 25 Capability Average Riot Analytics 1.52 2 Comms 1.38 2 Engineering 1.49 3 Incentives 1.09 3 Org. 1.59 3 Analytics Comms EngineeringIncentives Organizational Riot vs. VCMM Average Average Riot
  • 26. Presenter’s Company Logo – replace on master slide #RSAC Sample Company – Adobe 26 Capability Average Adobe Analytics 1.52 2 Comms 1.38 2 Engineering 1.49 3 Incentives 1.09 1 Org. 1.59 3 Analytics Comms EngineeringIncentives Organizational Adobe vs. VCMM Average Average Adobe
  • 27. Presenter’s Company Logo – replace on master slide #RSAC Sample Company – ToyTalk 27 Capability Average ToyTalk Analytics 1.52 2 Comms 1.38 2 Engineering 1.49 3 Incentives 1.09 3 Org. 1.59 3 Analytics Comms EngineeringIncentives Organizational ToyTalk vs. VCMM Average ToyTalk Average
  • 28. Presenter’s Company Logo – replace on master slide #RSAC Next Steps 28 Continue to gather data Non self-reported Larger sample size Multi-vendor coordination is needed
  • 29. Presenter’s Company Logo – replace on master slide #RSAC#RSAC Put Your Organization To The Test – Where Do You Rank
  • 30. Presenter’s Company Logo – replace on master slide #RSAC “Apply” 30 Take the free maturity assessment within minutes at hackerone.com/vulnerability-coordination-maturity-model
  • 31. Presenter’s Company Logo – replace on master slide #RSAC Appendix 31