More Than Just Security: 451 Research Webinar Recap

Sep 22 2017
luke

On Tuesday, Scott Crawford, Research Director of Information Security at 451 Research, joined us for a 1-hour webinar on bug bounties and the path to secure software.


We’ve highlighted some of Scott’s points below, but you can also watch the full recording and view the slides on SlideShare.

Stay tuned to the end for a recap of some great Q&A, where HackerOne co-founder Michiel Prins joined for a lively discussion.

Having a Vulnerability Disclosure Policy means not being in the dark

It’s more than just security, Scott says: there are positive effects on safety, proper operations, reliability, customer confidence, and visibility. And knowing what’s there is the first step to fixing the vulnerabilities.

“Today, not having a Vulnerability disclosure policy means you choose to stay in the dark.” - Scott Crawford

What does Scott recommend? As a first step, create a vulnerability disclosure policy and make it easy to find (see slide 11).

Vulnerability Disclosure Policy Templates

Scott points to the free international standards ISO 30111 and 29147 for direction on VDP best practices. Also included is a link to the NTIA template, which Scott says should be appropriate for nearly every industry.

You can read about this and more in our ebook on the 5 critical components of a VDP.

Tips on Choosing a Bug Bounty Platform

At the 27-minute mark, Scott goes into more detail on how to evaluate a bug bounty platform provider and how to plan for, launch, and expand your program.

Scott reviews some of the common reasons to choose a bug bounty platform, including guidance and assistance on setup, triage support, a scalable platform with automation and workflow integration, access to a massive talent pool, and more.

See slide 22 for Scott’s recommendation to launch a private program first, then consider a public bug bounty launch as your program matures.

The Equifax Breach and Bug Bounty Blockers

We’ve summarized some of the Q&A that Scott and Michiel discussed with the live attendees. You can listen to the full 20-minute Q&A or scan through their responses to a few of the questions below:

  • The Equifax breach has been top news for several weeks now; amongst their myriad of sins, it turns out that they did not have a Vulnerability Disclosure Policy in place. Scott, you talk about that as “table stakes”. Can you spend some time going over the virtues of VDPs from your perspective?

      • SCOTT - Someone friendly could have noticed the vulnerability and notified them, then internal teams could have escalated the issue.

          • It’s a big business, and updates take time, getting approvals takes time. But a disclosure could have added importance.

      • MICHIEL - Additionally, some bad security practices were surfaced after the fact - admin/admin credentials. Hackers could have easily exposed that sort of vulnerability… but they don’t have a VDP.

  • Let’s focus on the “feedback loops” that a continuous bug bounty program provides. How have you seen companies maximize the benefit of bug bounties?

      • MICHIEL - Software is continuously developed these days, not waterfall. That asks for continuous security as well. It can’t be quarterly, it has to be constant. If you deploy software daily or weekly or even monthly, you’re releasing untested code. You can also use bounty reports as a guide to where to focus efforts internally. Ask: are there many reports associated with a specific technology or product or area? That can help you find bigger issues and reprioritize internal teams to prevent future issues.

      • SCOTT - A BBP gives continuous feedback for your continuous development process, and the benefits of these insights go further into prioritization and allocation of internal resources.

  • In your experience, what are the typical blockers for purchasers of bug bounties, and what do you tell CISOs or security teams that have their doubts?

      • SCOTT - The biggest is “security through obscurity”. Basically, “if we don’t know who’s picking the locks on our doors, then we’re pretty confident that no one has broken in.”

          • Do we really want to open ourselves up to these hackers? We know people are looking and tinkering, but do we want to throw the doors open? There’s notoriety there that we might not want. That leads to a bigger volume of reports coming in that we probably can’t handle.

          • In reality, you’re not doing either. Either they are already looking, or you can limit what doors you’re throwing open.

      • MICHIEL - New/fresh CISOs are looking at BBPs to help establish their programs. But they are also afraid that they don’t have the resources to handle reports that come in. But HackerOne can provide those services. Either way, it’s better to know than not know.
