SlideShare a Scribd company logo

Stopping Releases Due to Vulnerabilities

Priyanka Aash
Priyanka Aash

Software companies can have hundreds of software products in-market at any one time, all requiring support and security fixes with tight release timelines or no releases planned at all. At the same time, the velocity of open source vulnerabilities that rapidly become public or vulnerabilities found within internally written code can challenge the best intentions of any SDLC. How do you prioritize publicly known vulnerabilities against internally found vulnerabilities? When do you hold a release to update that library for a critical vulnerability fix when it's already slipped? How do you track unresolved vulnerabilities that are considered security debt? You ARE reviewing the security posture of your software releases, right? As a software developer, product owner, or business leader being able to prioritize software security fixes against revenue-generating features and customer expectations is a critical function of any development team. Dealing with the reality of increased security fix pressure and expectations of immediate security fixes on tight timelines are becoming the norm. This presentation looks at the real world process of the BlackBerry Product Security team. In partnership with product owners, developers, and senior leaders, they've spent many years developing and refining a software defect tracking system and a risk-based release evaluation process that provides an effective software 'security gate.' Working with readily available tools and longer-term solutions including automation, we will provide solutions attendees can take away and implement immediately. • Tips on how to document, prioritize, tag, and track security vulnerabilities, their fixes, and how to prioritize them into release targets • Features of common tools [JIRA, Bugzilla, and Excel] you may not know of and examples of simple automation you can use to verify ticket resolution. • A guide to building a release review process, when to escalate to gate a release, who to inform, and how to communicate.

Technology
1 of 25
Download to read offline
STOP THAT RELEASE, THERE'S A VULNERABILITY!
Christine Gadsby Director - Product Security Operations Diahann Gooden Senior Operations Program Manager Simran Sidhu Social Media Specialist Tyler Townes Manager – Product Security Response
Meet Lucy the Whoodle • Service for Dog Autism
Lucy needs maintenance
You are either here........... OR you are here...................... Why are software releases important?
Why is this important to BlackBerry?
Enterprise-scale Vulnerability Management • 100s products to manage • 100s of sources of threat intel • 1000s of vulnerabilities to investigate • ..and many strained relationships
Requirements Design Development Testing Deployment What DEV teams think ...... Threat Modeling+ Design Review Secure Architecture and Hardening requirements Security Testing + Code Review Static Analysis Guidance What Product and Software Security Does …... That’s it, right?. SDLC – Bringing a secure product to market
AND then.... Open hunting season begins It's Launch Day, YAY!
What should we be doing? Software Readiness Review Program Adding security review to release criteria • Mitigating risk on behalf of your customers • Multiple software versions of the same product are in market concurrently • Know the security posture of your products • Customers don't like upgrading! It's expensive and time consuming and is often a double-edged sword • Ensure you have a ship vehicle for all your patches! A FIX IN THE BUILD IS BETTER THAN TWO IN THE REPOSITORY!!!!!!!
So now what? ¯_( )_/¯
Step ONE: GET SUPPORT Step TWO: define a vulnerability • Define based on risk to your customers, stakeholders, partners and brand. • Assess risk level definitions – Agree on what "critical" really means. • Ensure security and development are able to agree with prioritization to fixes... and what happens when they don’t. (We fail them....!) Identify a Common language
Create your own Software Readiness Review Step THREE: Create standards • Establish leadership support to use a SRR program as a security control • Understand the security posture of each software release • Tag vulnerabilities for ease of identification and tracking • Define your risk threshold (SRR pass/fail criteria) • Outline exception process (waiver) • You need templates and standardization!
SWSI Calculator (Should We Ship It?)Case #: 2896478 Scoring Rating Base CVSS Score: 5.2 SWSI Score REVENUE IMPACT Tier 1 (< $100,000) Tier 2 ($100,000 - $9999,999) Tier 3 ($1MM+) 1 2 3 2 .52 EASE OF DISCOVERY Tier 1 (Hard - Requires complex reverse engineering) Tier 2 (Moderate – Pen tester would find during an audit) Tier 3 (Easy – Automated tools could find) 1 2 3 1 1.04 MEDIA / PUBLICITY Tier 1 (obscure blog/ twitter user) Tier 2 (industry website) Tier 3 (MSM, Direct inquiry) 1 2 3 1 2.08 IMPACT TO THE BUSINESS Tier 1 (customer loses confidence in the business) Tier 2 (Frustrates customer with high value contract) Tier 3 (Prevents deal from closing) 1 2 3 2 1.04 RESEARCH TRENDS Tier 1 (New focus on a subsystem that hasn’t faced rigorous testing) Tier 2 (new platform with research expected) Tier 3 (new area of research w/ high likelihood of further discovery) 1 2 3 2 1.04 Total SWSI Rating 5.2
SWSI Calculator (Should We Ship It?)Case #: 2896478 Scoring Rating Base CVSS Score: 5.2 SWSI Score REVENUE IMPACT Tier 1 (< $100,000) Tier 2 ($100,000 - $9999,999) Tier 3 ($1MM+) 1 2 3 2 .52 EASE OF DISCOVERY Tier 1 (Hard - Requires complex reverse engineering) Tier 2 (Moderate – Pen tester would find during an audit) Tier 3 (Easy – Automated tools could find) 1 2 3 1 1.04 MEDIA / PUBLICITY Tier 1 (obscure blog/ twitter user) Tier 2 (industry website) Tier 3 (MSM, Direct inquiry) 1 2 3 1 2.08 IMPACT TO THE BUSINESS Tier 1 (customer loses confidence in the business) Tier 2 (Frustrates customer with high value contract) Tier 3 (Prevents deal from closing) 1 2 3 2 1.04 RESEARCH TRENDS Tier 1 (New focus on a subsystem that hasn’t faced rigorous testing) Tier 2 (new platform with research expected) Tier 3 (new area of research w/ high likelihood of further discovery) 1 2 3 2 1.04 Total SWSI Rating 5.2
It's not that easy...! • Threat landscape is unpredictable – There's no Patch Tuesday for OSS! • Difficulties with multi-party disclosure • Weighing business priorities and technical risk • Who will own the liability? • Tracking fix commitments – keeping business units honest • Standardized Process between business units • Managing relationships So, what happens when you don't agree on what to release?
We need a plan to escalate!
Technical Assessment - Escalation - Issue ID Date created Severity Public (Y/N) Remediation schedule Missed release vehicles Risk level Additional details
Issue backlog characteristics 1. List unresolved issues by severity. 2. Highlight lingering issues based on issue filing date (making sure to flag any publicly known issue) 3. Provide details causing delays in mitigation. Technical reviews and recommendations 1. Provide remediation schedule as documented in the defect management system. 2. Highlight all missed release opportunities. 3. Summarize technical assessment findings and release recommendations. Release Escalation
Things to Remember!
But it's worth it. Risk landscape is ALWAYS changing Numbers from 2017: ü On average, 8 potential vulnerabilities investigated against our product versions daily ü Reviewed a total of 515 releases • Discovery rate / public announcements are unpredictable • This is an on-going process; don't get hung up on each release not being perfect • Focus on making progress • Be a good partner, you're here to support the business
Thanks for listening! Christine Gadsby • cgadsby@blackberry.com • @BBSIRT BlackBerry Careers - blackberry.com/company/careers Github - https://github.com/ProductSecurity BBSIRT - blackberry.com/enterprise/security/incident-response-team
Questions?

Recommended

Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptxSAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptxhforhassan101
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...Simone Onofri
 
Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Skybox Security
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...
(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...
(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...Andrew O. Leeth
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 

Recommended

Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptxSAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptxhforhassan101
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...Simone Onofri
 
Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Skybox Security
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...
(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...
(ISC)2 Security Congress 2015 - The Cloud Trust Conundrum- You’re Asking all ...Andrew O. Leeth
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021lior mazor
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-SessionRyan Faircloth
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementIvanti
 
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxIntroduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxMardhaniAR
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
How can a successful SOC2-compliant ISMS be built without power, money and a...
How can a successful SOC2-compliant ISMS be built without power, money and a...How can a successful SOC2-compliant ISMS be built without power, money and a...
How can a successful SOC2-compliant ISMS be built without power, money and a...Vsevolod Shabad
 
Root Cause and Corrective Action (RCCA) Workshop
Root Cause and Corrective Action (RCCA) WorkshopRoot Cause and Corrective Action (RCCA) Workshop
Root Cause and Corrective Action (RCCA) WorkshopAccendo Reliability
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
Technology Strategy for Early Stage Companies
Technology Strategy for Early Stage CompaniesTechnology Strategy for Early Stage Companies
Technology Strategy for Early Stage CompaniesMichael King
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementResolver Inc.
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 
Webinar: Traceability Over the Entire Lifecycle in codeBeamer
Webinar: Traceability Over the Entire Lifecycle in codeBeamerWebinar: Traceability Over the Entire Lifecycle in codeBeamer
Webinar: Traceability Over the Entire Lifecycle in codeBeamerIntland Software GmbH
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.pptgealehegn
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesSlideTeam
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure productMichael Furman
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session Splunk
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 

More Related Content

Similar to Stopping Releases Due to Vulnerabilities

Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021lior mazor
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-SessionRyan Faircloth
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementIvanti
 
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxIntroduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxMardhaniAR
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
How can a successful SOC2-compliant ISMS be built without power, money and a...
How can a successful SOC2-compliant ISMS be built without power, money and a...How can a successful SOC2-compliant ISMS be built without power, money and a...
How can a successful SOC2-compliant ISMS be built without power, money and a...Vsevolod Shabad
 
Root Cause and Corrective Action (RCCA) Workshop
Root Cause and Corrective Action (RCCA) WorkshopRoot Cause and Corrective Action (RCCA) Workshop
Root Cause and Corrective Action (RCCA) WorkshopAccendo Reliability
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
Technology Strategy for Early Stage Companies
Technology Strategy for Early Stage CompaniesTechnology Strategy for Early Stage Companies
Technology Strategy for Early Stage CompaniesMichael King
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementResolver Inc.
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 
Webinar: Traceability Over the Entire Lifecycle in codeBeamer
Webinar: Traceability Over the Entire Lifecycle in codeBeamerWebinar: Traceability Over the Entire Lifecycle in codeBeamer
Webinar: Traceability Over the Entire Lifecycle in codeBeamerIntland Software GmbH
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.pptgealehegn
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesSlideTeam
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure productMichael Furman
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session Splunk
 

Similar to Stopping Releases Due to Vulnerabilities (20)

Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use Cases
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session
 
How to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability ManagementHow to Perform Continuous Vulnerability Management
How to Perform Continuous Vulnerability Management
 
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsxIntroduction to the Microsoft Security Development Lifecycle (SDL).ppsx
Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
How can a successful SOC2-compliant ISMS be built without power, money and a...
How can a successful SOC2-compliant ISMS be built without power, money and a...How can a successful SOC2-compliant ISMS be built without power, money and a...
How can a successful SOC2-compliant ISMS be built without power, money and a...
 
Root Cause and Corrective Action (RCCA) Workshop
Root Cause and Corrective Action (RCCA) WorkshopRoot Cause and Corrective Action (RCCA) Workshop
Root Cause and Corrective Action (RCCA) Workshop
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
Technology Strategy for Early Stage Companies
Technology Strategy for Early Stage CompaniesTechnology Strategy for Early Stage Companies
Technology Strategy for Early Stage Companies
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability Management
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
Webinar: Traceability Over the Entire Lifecycle in codeBeamer
Webinar: Traceability Over the Entire Lifecycle in codeBeamerWebinar: Traceability Over the Entire Lifecycle in codeBeamer
Webinar: Traceability Over the Entire Lifecycle in codeBeamer
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation Slides
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure product
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 

Stopping Releases Due to Vulnerabilities

  • 1. STOP THAT RELEASE, THERE'S A VULNERABILITY!
  • 2. Christine Gadsby Director - Product Security Operations Diahann Gooden Senior Operations Program Manager Simran Sidhu Social Media Specialist Tyler Townes Manager – Product Security Response
  • 3.
  • 4. Meet Lucy the Whoodle • Service for Dog Autism
  • 6. You are either here........... OR you are here...................... Why are software releases important?
  • 7. Why is this important to BlackBerry?
  • 8. Enterprise-scale Vulnerability Management • 100s products to manage • 100s of sources of threat intel • 1000s of vulnerabilities to investigate • ..and many strained relationships
  • 9. Requirements Design Development Testing Deployment What DEV teams think ...... Threat Modeling+ Design Review Secure Architecture and Hardening requirements Security Testing + Code Review Static Analysis Guidance What Product and Software Security Does …... That’s it, right?. SDLC – Bringing a secure product to market
  • 10. AND then.... Open hunting season begins It's Launch Day, YAY!
  • 11. What should we be doing? Software Readiness Review Program Adding security review to release criteria • Mitigating risk on behalf of your customers • Multiple software versions of the same product are in market concurrently • Know the security posture of your products • Customers don't like upgrading! It's expensive and time consuming and is often a double-edged sword • Ensure you have a ship vehicle for all your patches! A FIX IN THE BUILD IS BETTER THAN TWO IN THE REPOSITORY!!!!!!!
  • 13. Step ONE: GET SUPPORT Step TWO: define a vulnerability • Define based on risk to your customers, stakeholders, partners and brand. • Assess risk level definitions – Agree on what "critical" really means. • Ensure security and development are able to agree with prioritization to fixes... and what happens when they don’t. (We fail them....!) Identify a Common language
  • 14. Create your own Software Readiness Review Step THREE: Create standards • Establish leadership support to use a SRR program as a security control • Understand the security posture of each software release • Tag vulnerabilities for ease of identification and tracking • Define your risk threshold (SRR pass/fail criteria) • Outline exception process (waiver) • You need templates and standardization!
  • 15.
  • 16. SWSI Calculator (Should We Ship It?)Case #: 2896478 Scoring Rating Base CVSS Score: 5.2 SWSI Score REVENUE IMPACT Tier 1 (< $100,000) Tier 2 ($100,000 - $9999,999) Tier 3 ($1MM+) 1 2 3 2 .52 EASE OF DISCOVERY Tier 1 (Hard - Requires complex reverse engineering) Tier 2 (Moderate – Pen tester would find during an audit) Tier 3 (Easy – Automated tools could find) 1 2 3 1 1.04 MEDIA / PUBLICITY Tier 1 (obscure blog/ twitter user) Tier 2 (industry website) Tier 3 (MSM, Direct inquiry) 1 2 3 1 2.08 IMPACT TO THE BUSINESS Tier 1 (customer loses confidence in the business) Tier 2 (Frustrates customer with high value contract) Tier 3 (Prevents deal from closing) 1 2 3 2 1.04 RESEARCH TRENDS Tier 1 (New focus on a subsystem that hasn’t faced rigorous testing) Tier 2 (new platform with research expected) Tier 3 (new area of research w/ high likelihood of further discovery) 1 2 3 2 1.04 Total SWSI Rating 5.2
  • 17. SWSI Calculator (Should We Ship It?)Case #: 2896478 Scoring Rating Base CVSS Score: 5.2 SWSI Score REVENUE IMPACT Tier 1 (< $100,000) Tier 2 ($100,000 - $9999,999) Tier 3 ($1MM+) 1 2 3 2 .52 EASE OF DISCOVERY Tier 1 (Hard - Requires complex reverse engineering) Tier 2 (Moderate – Pen tester would find during an audit) Tier 3 (Easy – Automated tools could find) 1 2 3 1 1.04 MEDIA / PUBLICITY Tier 1 (obscure blog/ twitter user) Tier 2 (industry website) Tier 3 (MSM, Direct inquiry) 1 2 3 1 2.08 IMPACT TO THE BUSINESS Tier 1 (customer loses confidence in the business) Tier 2 (Frustrates customer with high value contract) Tier 3 (Prevents deal from closing) 1 2 3 2 1.04 RESEARCH TRENDS Tier 1 (New focus on a subsystem that hasn’t faced rigorous testing) Tier 2 (new platform with research expected) Tier 3 (new area of research w/ high likelihood of further discovery) 1 2 3 2 1.04 Total SWSI Rating 5.2
  • 18. It's not that easy...! • Threat landscape is unpredictable – There's no Patch Tuesday for OSS! • Difficulties with multi-party disclosure • Weighing business priorities and technical risk • Who will own the liability? • Tracking fix commitments – keeping business units honest • Standardized Process between business units • Managing relationships So, what happens when you don't agree on what to release?
  • 19. We need a plan to escalate!
  • 20. Technical Assessment - Escalation - Issue ID Date created Severity Public (Y/N) Remediation schedule Missed release vehicles Risk level Additional details
  • 21. Issue backlog characteristics 1. List unresolved issues by severity. 2. Highlight lingering issues based on issue filing date (making sure to flag any publicly known issue) 3. Provide details causing delays in mitigation. Technical reviews and recommendations 1. Provide remediation schedule as documented in the defect management system. 2. Highlight all missed release opportunities. 3. Summarize technical assessment findings and release recommendations. Release Escalation
  • 23. But it's worth it. Risk landscape is ALWAYS changing Numbers from 2017: ü On average, 8 potential vulnerabilities investigated against our product versions daily ü Reviewed a total of 515 releases • Discovery rate / public announcements are unpredictable • This is an on-going process; don't get hung up on each release not being perfect • Focus on making progress • Be a good partner, you're here to support the business
  • 24. Thanks for listening! Christine Gadsby • cgadsby@blackberry.com • @BBSIRT BlackBerry Careers - blackberry.com/company/careers Github - https://github.com/ProductSecurity BBSIRT - blackberry.com/enterprise/security/incident-response-team