Download us-16-Price-Building-a-Product-Security-Incident

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
Document related concepts

Unix security wikipedia , lookup

Airport security wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Cross-site scripting wikipedia , lookup

Security-focused operating system wikipedia , lookup

Mobile security wikipedia , lookup

Security printing wikipedia , lookup

Computer security wikipedia , lookup

Transcript 
BUILDING A PRODUCT
SECURITY INCIDENT
RESPONSE TEAM: LEARNINGS
FROM THE HIVEMIND
KYMBERLEE PRICE
SENIOR DIRECTOR OF RESEARCHER OPERATIONS
WHOAMI?
• Senior Director of a Red Team
• PSIRT Case Manager
• Data Analyst
• Internet Crime Investigator
• Security Evangelist
• Behavioral Psychologist
• Lawful Good
@kym_possible
AGENDA
• People
• Process
• Infrastructure and Technology
• Pitfalls
• Free Resources
BUT WHAT ABOUT ISO STANDARDS!?
• In April 2016 ISO 29147 on Vulnerability Disclosure techniques was made free to the public. • This is awesome
• The related standard on vulnerability handling processes, ISO 30111 costs approx
$60 USD. PEOPLE
COMMON SIRT STRUCTURES
• Technology
•
Cloud/Service or Installed Software?
• Resources
•
User Action Required
$$$
User Action Not Required
Tech Program Manager
Tech Program Manager (optional)
Security Engineer
Security Engineer
Comms
(optional)
T YPICAL ROLE RESPONSIBILITIES
Tech Program Manager
Triage
Documentation
Prioritization
Reporting
Write Advisories
Security Engineer
Technical Repro
POC Exploit
Code Review & Variant Hunting
Validate Fix
Review Advisories
Comms
Review Advisories
Customer Support Liaison Press Releases & Response
PROCESS
SDL OVERVIEW
Training
Requirements
Design
Implementation
Verification
Release
Response
INCIDENT RESPONSE PROCESS
1
Identify Issue
2
Assess Impact
3
So you’re a software vendor…
Dev & Test Fix
4
Release w/ CVE 5
Post Release
1
Identify Issue
2
Assess Impact
3
Dev & Test Fix
4
Release fix (+advisory?)
5
Post Release
INTERNAL POLICY
• Define your Vulnerability Prioritization model •
•
CVSS or something else?
What are your acceptable business risks?
• What are your remediation SLAs? Escalation paths?
• When do you release a public advisory?
• When is emergency response indicated?
INFRASTRUCTURE & TECHNOLOGY
PUBLIC DOCUMENTATION
• Vulnerability Disclosure Policy •
•
Critical for expectation setting
Tells researchers how to report a vulnerability to you
• Security Advisory Knowledge Base
•
Where do customers go to quickly learn about security updates
• Researcher Acknowledgements
•
Recognize positive behavior and build community
TOOLKIT
• How do you want to receive external vulnerability reports?
• Unstructured: encrypted email
• Structured: secure web form
• How do you want to capture investigation details?
• Case management db (doesn’t have to be complicated, can be specific fields captured in Jira)
TOOLKIT
• Do you use third party code?
• Source code scanning tool to track what you use, where
• Vulnerability Intelligence sources
• HIGHLY RECOMMENDED: OSS SECURITY MATURITY: TIME TO PUT ON YOUR BIG BOY PANTS!
Jake Kouns & Christine Gadsby, Jasmine Ballroom, 2:30 pm
DATA MANAGEMENT FOR SIRTS
• What Developers need to know to fix vulnerability
• What Leadership needs to know about business risk • What Customers need to know about product security
• DOCUMENT at time of investigation even if you don’t use the data until much later
PITFALLS
PITFALLS
• Failure to thoroughly document vulnerability details during investigation, leading to re-­‐
investigation just prior to fix release to remember what the issue was
• Failure to prioritize effectively
•
•
Adopt a prioritization model that considers both technical and business impact
Define your acceptable business risks
• Failure to define clear stakeholders and roles in Incident Response Process
• Failure to communicate effectively with product development
PITFALLS
• Failure to communicate with external researchers about status of their vuln reports
•
Trust problems lead to conflict, conflict costs money
• Failure to prioritize effectively
•
Adopt a prioritization model that considers both technical and business impact
• Failure to define clear stakeholders and roles in Incident Response Process
•
Trust but verify
• Failure to communicate effectively with product development
FREE RESOURCES
• Disclosure policy basic template: • Investigative data collection checklist
• Advisory checklist
• ISO 29147 https://pages.bugcrowd.com/best-­‐practices-­‐for-­‐security-­‐incident-­‐
response-­‐teams
QUESTIONS
Thanks for attending!
@kym_possible
[email protected]
Related documents
Assessing vulnerability to climate change in South East Europe
Assessing vulnerability to climate change in South East Europe
GHG Inventory review - E-Learning Module
GHG Inventory review - E-Learning Module
Climate Change and Health A Framework for Discussion
Climate Change and Health A Framework for Discussion
Acronyms abbreviations
Acronyms abbreviations
Math Counting Numbers Unit Checklist_1
Math Counting Numbers Unit Checklist_1
This Article argues that intellectual property law stifles critical
This Article argues that intellectual property law stifles critical
Document 8513629
Document 8513629
South Africa
South Africa
Amanda Bourne_VA Overview Part 2
Amanda Bourne_VA Overview Part 2
Ms. Ma. Gerarda Asuncion D. Merilo - START
Ms. Ma. Gerarda Asuncion D. Merilo - START
D1S1_TSV404_Course_Intro_2011_v1
D1S1_TSV404_Course_Intro_2011_v1