Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/22/2015
05:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Free Tool Helps Companies Measure And Map Their Bug Reporting Programs

The new Vulnerability Coordination Maturity Model (VCMM) created by HackerOne's Katie Moussouris, includes an assessment tool, key elements, and best practices in a vulnerability coordination program.

More often than not when a security researcher discovers a bug in a piece of software, the vendor in question doesn't even have an email address or a Web page for receiving reports of vulnerabilities.

Katie Moussouris, chief policy officer at HackerOne, says providing a point of contact or mechanism for reporting bugs should be a given. "What we consider a basic no-brainer is setting up an email address or some kind of form" for vulnerability reports, Moussouris says. "But that is a huge challenge for hackers today. Just finding the right contact is not trivial," she says.

That's one obstacle Moussouris hopes will be solved with a new (and free) tool she developed for organizations that provides a simple guide for vulnerability response programs and a way to determine how they measure up with other organizations.

"The new normal, which is long overdue, is for every organization on the Internet to accept the fact that eventually someone will report a vulnerability to them, and be prepared with an easy way for security researchers to contact them," she says.

The new Vulnerability Coordination Maturity Model (VCMM), released today by HackerOne, includes an assessment tool and maps out the key elements to a vulnerability coordination program. The VCMM was in part inspired by software development lifecycle roadmaps and benchmarking tools such as the Building Security In Maturity Model (BSIMM) study and Microsoft's Security Development Lifecycle (SDLC), and Threat and Vulnerability Management (TVM) Maturity Model. It's the first of its kind for organizations to measure and evolve how they handle things when a hacker reports a security bug in their software to them.

Moussouris, who led a once-reluctant Microsoft to create a bug bounty program after years of resistance by the software giant, says the VCMM also draws from her experiences with Microsoft Research's vulnerability coordination work, as well as during her tenure with Symantec's research team.

VCMM consists of five basic areas -- organizational (people, process, resources); engineering (evaluation, remediation of bugs); communications (interacting with researchers, customers, etc.); analytics (analyzing bug trends or process issues); and incentives (compensation and encouragement of researchers). Each area includes what entails a Basic, Advanced, and Expert level of that discipline.

"It's very simple" such that it should be easy for industries without much security or software experience to understand and use it, she says. "Honestly, it's meant for everybody: for organizations that are well-established in vulnerability coordination who can use it to see where there's room for improvement," and for less- or not-experienced firms, a roadmap for getting started.

One obvious category of products lacking in vulnerability disclosure knowledge and sophistication is the Internet of Things. As security researchers have set their sights on finding flaws in increasingly networked consumer products such as cars, home automation systems, and baby monitors, that gap has often been painfully obvious.

[By 2020 there will be 25 billion Internet of Things devices...all full of vulnerabilities. What can we do to solve the problem now? Don't miss the next episode of Dark Reading Radio, "Fixing IoT Security," this Wednesday, Sep. 23 at 1 p.m. Eastern Time.]

Take Rapid7's recent study of the security of Internet-enabled video baby monitors that found holes that could expose not only a family's privacy but also the security of businesses with home workers. Only one of the half-dozen baby monitor vendors alerted by Rapid7 about major security holes in their consumer devices responded: Philips Electronics.

Tod Beardsley, security research manager for Rapid7, says there are plenty of cases where researchers must interface with firms that have never experienced vulnerability disclosure before. There's often no way to find the right person--if there even is someone--to report it to. And when you reach them, it can be painful. "For companies that haven't run into it before, it's a startling event," he says.

"Some get a little angry or emotional response to our disclosures," he says.

"It's definitely the time for something like this," Beardsley says of the VCMM, which with its "clear and concise" explanation of each element and maturity phase sets the appropriate tone, he says.

Source: HackerOne
Source: HackerOne

Gary McGraw, CTO of Cigital and one of the creators of the BSIMM, says only a few firms in the BSIMM study so far offer bug bounties. "It's a real trend, but not hugely common," he says. Unlike the VCCM, BSIMM built a model around what organizations were already doing, so it was first and foremost a study that evolved into a model, he notes.

HackerOne, as part of VCCM, will gather data and then provide more case study-type information on real-world vulnerability coordination within companies.

The reality is that most organizations today are still working on launching the first phase of a vulnerability coordination process -- the so-called Basic level. "That first step is the a big first step: recognizing that there's going to be a problem" and starting the process, Beardsley says. "If I run into a company that's at the Basic [level], I'm delighted."

In the organizational element of the VCCM, for example, Basic level is where an organization has the executive support to receive and process bug reports from the outside. In the Advanced level, the organization has policy and process for it, and in the Expert level, there's a dedicated budget and personnel to handle vulnerability coordination.

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GaryM2712105
50%
50%
GaryM2712105,
User Rank: Strategist
9/23/2015 | 11:04:49 AM
About the BSIMM
You can learn all about the BSIMM and download a copy for free at

bsimm.com 

BSIMM is published under the creative commons.

gem
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/23/2015 | 9:55:31 AM
Good Framework
This is a very good framework for VCMM. As of now, I know of Google and Microsoft that perform bug bounties but is this more prevalent than that? This article leads me to believe that it is not as unique as I had thought.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17123
PUBLISHED: 2019-12-13
The eGain Web Email API 11+ allows spoofed messages because the fromName and message fields (to /system/ws/v11/ss/email) are mishandled, as demonstrated by fromName header injection with a %0a or %0d character. (Also, the message parameter can have initial HTML comment characters.)
CVE-2019-19774
PUBLISHED: 2019-12-13
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential...
CVE-2019-19790
PUBLISHED: 2019-12-13
Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. NOTE: RadChart was discontinued in 2014 in favor of RadHtmlChart. All...
CVE-2019-19793
PUBLISHED: 2019-12-13
In Cyxtera AppGate SDP Client 4.1.x through 4.3.x before 4.3.2 on Windows, a local or remote user from the same domain can gain privileges.
CVE-2019-19722
PUBLISHED: 2019-12-13
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.