Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.
BUILDING A PRODUCT
SECURITY INCIDENT
RESPONSE TEAM: LEARNINGS
FROM THE HIVEMIND
	
	
KYMBERLEE PRICE
SENIOR DIRECTOR OF RES...
WHOAMI?
•  Senior Director of a Red Team
•  PSIRT Case Manager
•  Data Analyst
•  Internet Crime Inves<gator
•  Security E...
AGENDA
•  People
•  Process
•  Infrastructure and Technology
•  PiEalls
•  Free Resources
BUT WHAT ABOUT ISO STANDARDS!? 
•  In April 2016 ISO 29147 on Vulnerability Disclosure techniques was made free to the
pub...
PEOPLE
COMMON SIRT STRUCTURES
•  Technology
•  Cloud/Service or Installed SoYware?
•  Resources
•  $$$
COMMON SIRT STRUCTURES
•  Technology
•  Cloud/Service or Installed SoYware?
•  Resources
•  $$$
User	Ac(on	
Required	
Tech...
TYPICAL ROLE RESPONSIBILITIES
Tech	
Program	
Manager	
Triage	 Documenta(on	 Priori(za(on	 Repor(ng	
Write	
Advisories	
Sec...
PROCESS
SDL OVERVIEW
Training	 Requirements	 Design	 Implementa(on	 Verifica(on	 Release	 Response
INCIDENT RESPONSE PROCESS
Iden1fy	
Issue	1	 Assess	
Impact	2	 Dev	&	Test	
Fix	3	 Release		
w/	CVE		4	 Post	
Release	5	
So	...
INCIDENT RESPONSE PROCESS
Iden1fy	
Issue	1	 Assess	
Impact	2	 Dev	&	Test	
Fix	3	 Release		
w/	CVE		4	 Post	
Release	5	
So	...
INCIDENT RESPONSE PROCESS
Iden1fy	
Issue	1	 Assess	
Impact	2	 Dev	&	Test	
Fix	3	 Release		
w/	CVE		4	 Post	
Release	5	
Ide...
INTERNAL POLICY
•  Define your Vulnerability Priori<za<on model 
•  CVSS or something else?
•  What are your acceptable bus...
INFRASTRUCTURE & TECHNOLOGY
PUBLIC DOCUMENTATION
•  Vulnerability Disclosure Policy 
•  Cri<cal for expecta<on se_ng
•  Tells researchers how to repor...
TOOLKIT
•  How do you want to receive external vulnerability reports?
•  Unstructured: encrypted email
•  Structured: secu...
TOOLKIT
•  Do you use third party code?
•  Source code scanning tool to track what you use, where
•  Vulnerability Intelli...
DATA MANAGEMENT FOR SIRTS
•  What Developers need to know to fix vulnerability
•  What Leadership needs to know about busin...
PITFALLS
PITFALLS
•  Failure to thoroughly document vulnerability details during inves<ga<on, leading to re-
inves<ga<on just prior...
FREE RESOURCES
•  Disclosure policy basic template: 
•  Inves<ga<ve data collec<on checklist
•  Advisory checklist
•  ISO ...
QUESTIONS
Thanks for anending!
	
	
	
@kym_possible	
kymberlee@bugcrowd.com
[Webinar] Building a Product Security Incident Response Team: Learnings from the Hivemind
Próxima SlideShare
Cargando en…5
×
Próximo SlideShare
«Product Security Incident Response Team (PSIRT) - Изнутри Cisco PSIRT», Алексей Лукацкий, бизнес-консультант по безопасности, Cisco Systems
Siguiente
Descargar para leer sin conexión y ver en pantalla completa.

Compartir

[Webinar] Building a Product Security Incident Response Team: Learnings from the Hivemind

Descargar para leer sin conexión

Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.

  • Sé el primero en recomendar esto

[Webinar] Building a Product Security Incident Response Team: Learnings from the Hivemind

  1. 1. BUILDING A PRODUCT SECURITY INCIDENT RESPONSE TEAM: LEARNINGS FROM THE HIVEMIND KYMBERLEE PRICE SENIOR DIRECTOR OF RESEARCHER OPERATIONS
  2. 2. WHOAMI? •  Senior Director of a Red Team •  PSIRT Case Manager •  Data Analyst •  Internet Crime Inves<gator •  Security Evangelist •  Behavioral Psychologist •  Lawful Good @kym_possible
  3. 3. AGENDA •  People •  Process •  Infrastructure and Technology •  PiEalls •  Free Resources
  4. 4. BUT WHAT ABOUT ISO STANDARDS!? •  In April 2016 ISO 29147 on Vulnerability Disclosure techniques was made free to the public. •  This is awesome •  The related standard on vulnerability handling processes, ISO 30111 costs approx $60 USD.
  5. 5. PEOPLE
  6. 6. COMMON SIRT STRUCTURES •  Technology •  Cloud/Service or Installed SoYware? •  Resources •  $$$
  7. 7. COMMON SIRT STRUCTURES •  Technology •  Cloud/Service or Installed SoYware? •  Resources •  $$$ User Ac(on Required Tech Program Manager Security Engineer Comms (op(onal) User Ac(on Not Required Tech Program Manager (op(onal) Security Engineer
  8. 8. TYPICAL ROLE RESPONSIBILITIES Tech Program Manager Triage Documenta(on Priori(za(on Repor(ng Write Advisories Security Engineer Technical Repro POC Exploit Code Review & Variant Hun(ng Validate Fix Review Advisories Comms Review Advisories Customer Support Liaison Press Releases & Response
  9. 9. PROCESS
  10. 10. SDL OVERVIEW Training Requirements Design Implementa(on Verifica(on Release Response
  11. 11. INCIDENT RESPONSE PROCESS Iden1fy Issue 1 Assess Impact 2 Dev & Test Fix 3 Release w/ CVE 4 Post Release 5 So you’re a soHware vendor…
  12. 12. INCIDENT RESPONSE PROCESS Iden1fy Issue 1 Assess Impact 2 Dev & Test Fix 3 Release w/ CVE 4 Post Release 5 So you’re a soHware vendor… But wait! The vulnerability was in a third party library!
  13. 13. INCIDENT RESPONSE PROCESS Iden1fy Issue 1 Assess Impact 2 Dev & Test Fix 3 Release w/ CVE 4 Post Release 5 Iden1fy Issue 1 Assess Impact 2 Dev & Test Fix 3 Release fix (+advisory?) 4 Post Release 5 So you’re a soHware vendor… But wait! The vulnerability was in a third party library!
  14. 14. INTERNAL POLICY •  Define your Vulnerability Priori<za<on model •  CVSS or something else? •  What are your acceptable business risks? •  What are your remedia<on SLAs? Escala<on paths? •  When do you release a public advisory? •  When is emergency response indicated?
  15. 15. INFRASTRUCTURE & TECHNOLOGY
  16. 16. PUBLIC DOCUMENTATION •  Vulnerability Disclosure Policy •  Cri<cal for expecta<on se_ng •  Tells researchers how to report a vulnerability to you •  Security Advisory Knowledge Base •  Where do customers go to quickly learn about security updates •  Researcher Acknowledgements •  Recognize posi<ve behavior and build community
  17. 17. TOOLKIT •  How do you want to receive external vulnerability reports? •  Unstructured: encrypted email •  Structured: secure web form •  How do you want to capture inves<ga<on details? •  Case management db (doesn’t have to be complicated, can be specific fields captured in Jira)
  18. 18. TOOLKIT •  Do you use third party code? •  Source code scanning tool to track what you use, where •  Vulnerability Intelligence sources •  HIGHLY RECOMMENDED: OSS SECURITY MATURITY: TIME TO PUT ON YOUR BIG BOY PANTS! Jake Kouns & Chris<ne Gadsby, Jasmine Ballroom, 2:30 pm
  19. 19. DATA MANAGEMENT FOR SIRTS •  What Developers need to know to fix vulnerability •  What Leadership needs to know about business risk •  What Customers need to know about product security •  DOCUMENT at <me of inves<ga<on even if you don’t use the data un<l much later
  20. 20. PITFALLS
  21. 21. PITFALLS •  Failure to thoroughly document vulnerability details during inves<ga<on, leading to re- inves<ga<on just prior to fix release to remember what the issue was •  Failure to priori<ze effec<vely •  Adopt a priori<za<on model that considers both technical and business impact •  Define your acceptable business risks •  Failure to define clear stakeholders and roles in Incident Response Process •  Failure to communicate effec<vely with product development •  Failure to communicate effec<vely with external researchers
  22. 22. FREE RESOURCES •  Disclosure policy basic template: •  Inves<ga<ve data collec<on checklist •  Advisory checklist •  ISO 29147 hTps://pages.bugcrowd.com/best-prac(ces-for-security-incident- response-teams
  23. 23. QUESTIONS Thanks for anending! @kym_possible kymberlee@bugcrowd.com

Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.

Vistas

Total de vistas

866

En Slideshare

0

De embebidos

0

Número de embebidos

1

Acciones

Descargas

58

Compartidos

0

Comentarios

0

Me gusta

0

×