Written by Judit Szőcs
A company has to be mature enough to implement a responsible disclosure policy – or at least mature enough to implement its own tailor-made program. Implementing a responsible disclosure policy can show your security consciousness, yet if you do it wrong, the effects can be detrimental.
In our previous responsible disclosure blog post we examined the topic of bug hunting from an ethical hacker’s point of view. Now it is time to look at the other side: the things companies need to think about before letting white hat hackers test their services.
Prepare your team for a responsible disclosure policy program
We need to emphasize that responsible disclosure policies and bug bounty programs are great initiatives if a company is mature enough. They make security and the work of companies more transparent while encouraging talented researchers to engage with security. At the same time, bug bounty programs can significantly reduce the cost of vulnerability discovery. No system is perfect, however, and companies need to provide a systematic way for researchers to report vulnerabilities.
This systematic way is what we call a vulnerability disclosure policy or VDP.
A VDP has to define a communication process by which ethical hackers can reach the organization and report potential vulnerabilities.
But not necessarily all companies
There are a few more elements a good vulnerability disclosure policy must contain. First and foremost, one has to assess whether the company and the software engineering teams are ready to work together with ethical hackers. Maturity and a proper security training culture are key.
Do you have enough resources?
Once you have encouraged third-party participants to test your website or services, you have to process the incoming reports promptly and fix the reported issues. Once a vulnerability is reported, finders usually wait for a reply and would like to see that your company is taking the issue seriously. Before releasing a vulnerability disclosure policy you need to make sure that there are adequate processes and responsible people to handle incoming issues.
There has to be a responsible team member who follows up on issues and prioritizes the reported bugs. They have to identify whether a vulnerability is relevant or not (already fixed, not actually an issue, or not reproducible at all) and have to be able to escalate the important problems to technical experts.
Yet, solving the issue is not enough. After fixing the bug the contact person has to update the finder and coordinate the publication of the issue. In bigger corporations, an internal action plan details the aforementioned process containing responsibilities, deadlines, and best practices – and the company has to be sure that all the impacted colleagues are aware of their role.
The team needs people with good communication and project management skills as well as technical expertise to rate and evaluate the reported issues.
Is your team skilled enough?
Security is often lacking in higher education. According to 2016 research by CloudPassage, a software engineering student can graduate from the top 10 US-based universities without having taken a security course. Moreover, three of those universities did not even offer an elective course in the field.
The skill set needed to handle security issues differs from the skill set of a developer. Implementing a responsible vulnerability disclosure policy also requires the team to have the expertise to understand the reports and fix the relevant bugs.
Even if you have a dedicated security team – you have to build up a security mindset inside the whole company. Security is everybody’s responsibility and training engineers allows them to handle vulnerability reports and release a fix for security issues.
We at Avatao are creating a platform to educate developers in security. Avatao offers a rich library of hands-on IT security exercises for software engineers to teach secure programming from design to deployment in a fun and intuitive way. Topics cover web security, secure coding in Java, C/C++ and Python, and also include hot topics like GDPR, payment systems, secure API design, DevSecOps and more.