
Vulnerability Reporting Process



Presentation on theme: "Vulnerability Reporting Process"— Presentation transcript:

1 Vulnerability Reporting Process
David Coffey, Principal Security Architect

2 Overview
May 6, 2019
- 30,000 foot view
- What is a vulnerability
- Types of vulnerability
- Finders
- Types of process
  - Full Disclosure
  - Responsible Disclosure
  - Organization for Internet Safety (OIS)
- Establishing process
- Wrap-up

3 30,000 foot view (good)
- Vulnerability gets reported
- Vulnerability is validated
- Vulnerability gets fixed
- Code proceeds through QA and testing
- Update released
- Customers are safe and happy

4 30,000 foot view (bad)
- Vulnerability gets reported (if possible)
- Vulnerability gets ignored/mis-handled
- Finder goes public with exploit
- Customers are unsafe and unhappy
- So are shareholders, employees, management…

5 Security Vulnerability
- Typical development process
  - Clearly defined
  - Widely adopted
  - Everyone has their role
- Everyone has bugs
- A security flaw is a special bug
  - Some people make the distinction between flaw and bug
- A security vulnerability is an exploitable security flaw/bug
- Security vulnerabilities will be discovered

6 Vulnerability types
- S.T.R.I.D.E. (Microsoft’s model)
  - Spoofing Identity
  - Tampering with data
  - Repudiation
  - Information Disclosure
  - Denial of Service
  - Elevation of Privilege
- Any one of these can be bad if reported and not handled

7 Types of Finders
- Internal
  - Employee of the company
  - Hired security firm
- External
  - Security researcher
  - Partner
  - Knowledgeable end-user

8 Internal Finders
- Developer, architect, QA, hired security hand
- Usually can be trustworthy
  - It is their job
  - Contracts
- Has several motivations
  - Curiosity
  - Prestige
  - Mission
  - Job

9 External Security Researcher
- Someone who finds security flaws in applications
- Unknown trust level
- They will usually communicate their intentions
- Has several motivations
  - Money
  - Prestige
  - Curiosity
  - Mission
  - Malice

10 External Partner
- Business partner who is exposed to more IP
- Usually can be trustworthy
  - You are in business together
- Has several motivations
  - Risk assessment
  - Business improvement
  - Customer acquisition

11 External Customer
- Someone who discovered the flaw by chance
- Unknown trust level
- Usually do not understand implications
- They are a customer
- Has several motivations
  - Be safer
  - Curiosity

12 Full Disclosure
- Definition: disclose all known information about a security vulnerability
  - Alt: direct opposite of security through obscurity
- Theory: company will fix flaws faster by threatening full public disclosure
- Guidelines published by RFP
  - 5 days for company to answer report
  - Company coordinates publication of flaw with reporter
  - Company gives reporter full credit for discovery
  - Company usually has 30 days before disclosure
  - This is difficult for large organizations

13 Responsible Disclosure
- Similar to Full Disclosure except:
  - Not required to publish flaw information
  - Not required to publish all information
  - Timeline can be flexible
  - Allow a fix to be in place before disclosure occurs

14 Organization for Internet Safety
- Created guidelines for handling the reporting of security vulnerabilities
- Formalizes the good 30,000 foot view
- 5 phases
  - Discovery
  - Notification
  - Investigation
  - Resolution
  - Release
- 30 day time period is the starting point for negotiations

15 Process Infrastructure
- Need to post process so people understand
- Need to have a reporting infrastructure / repository
  - Website
  - Possibly anonymous
- Need to have formalized vulnerability reports
- Need to have a tracking system in place
- Need to have established roles/responsibilities

16 Formal Report Structure
- You want all the information up-front
  - Who are you? Contact information?
  - What product? What OS?
  - What tools did you use?
  - What are your intentions?
  - Proof of concept code?
  - Steps for reproduction?

17 Communication is your friend
- Finder locates your published process
- Finder submits report
  - Format established in process
- Vendor sends an acknowledgement
  - Establish rough dates
- Vendor sends weekly status mail to finder
- Encourage open communication and relationship
- Track all communication, dates, etc. (legal backup)
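An added example, not part of the original deck: a small Python triage helper that checks a submission against the fields the Formal Report Structure slide asks for up-front, and derives the acknowledgement, weekly status mail and 30-day disclosure dates described on the Full Disclosure, OIS and Communication slides. The field names, the use of the 5-day answer window as the vendor's own acknowledgement target, and the sample report are assumptions.

```python
from datetime import date, timedelta

# Fields the "Formal Report Structure" slide wants up-front (names assumed).
REQUIRED_FIELDS = ("reporter", "contact", "product", "os", "tools",
                   "intentions", "reproduction_steps")
# Proof-of-concept code is asked for, but a report is workable without it.
OPTIONAL_FIELDS = ("proof_of_concept",)


def missing_fields(report):
    """Return the required fields that are absent or blank in a submission."""
    return [f for f in REQUIRED_FIELDS if not str(report.get(f, "")).strip()]


def communication_schedule(received_iso, ack_days=5, fix_window_days=30):
    """Derive the dates the deck calls for: an acknowledgement deadline
    (RFP's 5-day answer window, assumed here as the vendor's target),
    weekly status mails to the finder, and the 30-day fix/disclosure
    target that the OIS slide treats as the starting point for negotiation.
    Dates are ISO strings so the result can go straight into a tracker."""
    received = date.fromisoformat(received_iso)
    disclosure_target = received + timedelta(days=fix_window_days)
    status_mails = []
    next_mail = received + timedelta(days=7)
    while next_mail <= disclosure_target:
        status_mails.append(next_mail.isoformat())
        next_mail += timedelta(days=7)
    return {"ack_deadline": (received + timedelta(days=ack_days)).isoformat(),
            "status_mails": status_mails,
            "disclosure_target": disclosure_target.isoformat()}


def triage(report, received_iso):
    """Accept a complete report and attach its schedule plus the first
    tracking-log entry; otherwise say exactly what the finder still owes,
    so the first reply is a useful one rather than a silent drop."""
    missing = missing_fields(report)
    if missing:
        return {"status": "incomplete", "missing": missing}
    return {"status": "accepted",
            "schedule": communication_schedule(received_iso),
            "log": [(received_iso, "report received")]}


# Constructed sample submission for demonstration only, not a real report.
SAMPLE_REPORT = {
    "reporter": "Example Researcher", "contact": "researcher@example.invalid",
    "product": "ExampleApp 2.0", "os": "Windows 10",
    "tools": "manual testing, intercepting proxy",
    "intentions": "coordinated disclosure",
    "reproduction_steps": "1. log in  2. submit crafted form  3. observe error",
    "proof_of_concept": "",
}
```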

18 Wrap-up
- Establish process and communicate publicly
- Establish infrastructure
- Establish roles / responsibilities
- Foster communication
- Track everything
- Remember, people generally want to do the right thing

19 Questions?

