Many of us kick off each new year enthusiastically brimming with more resolutions than a DNS server. We may resolve to get stronger, so we buy a new set of weights. Unfortunately, we neglect to set up a home gym, block off time in our day to exercise, find an accountability buddy to lift with, and track our progress. (Oh, and in a grand feat of overestimation, the lightest dumbbell we bought was 50 pounds.) As January fades into February the weights go untouched, and we still have twigs for arms. We begin to realize that we jumped straight into buying what seemed like a quick fix without laying any of the groundwork to set ourselves up for long-term success.
A similar scenario often plays out with vulnerability disclosure programs (VDPs) and bug bounties. When organizations reach the point of needing formal processes for handling vulnerabilities in their product and infrastructure, they often skip over the critical groundwork of solidifying their internal processes and operational capacity. Instead, they YOLO right into setting up a vulnerability disclosure or bug bounty program, inviting a flood of external researchers to poke at their systems without a clear, consistent path to remediation and a plan for successful management of these programs. In short order they’re sitting atop an ever-growing mountain of mundane and very expensive unresolved bugs, questioning their life choices.
So, if you’re thinking about pulling the VDP or bug bounty party popper cord in 2021, do you know what foundational steps you should take to build and mature a successful program for handling vulnerabilities?
Put on your party hats, ready the confetti cannons, and prepare to ring in 2021 with these 10 vulntastic resolutions:
Infosec yourself before you wreck yourself
1. Assess - Resolve to assess the maturity of your processes and operational capacity. Taking stock of your current state is crucial for informing your next steps.
2. Foundation - Resolve to use your maturity assessment to implement the foundational work needed to improve your overall security and vulnerability coordination before diving into a VDP or bug bounty program.
Adulting your way to improved security
3. Collaborate - Resolve to improve collaboration between security, engineering, and ops. (For those of you playing buzzword bingo, here’s where you scratch off “DevSecOps”.) Implementing a VDP or bug bounty program won’t fix gaps in communication and organizational alignment.
4. Processes - Resolve to improve your internal reporting and remediation process for vulnerabilities. Often the juiciest bugs are found by your own colleagues and customers, not external researchers.
5. SDL - Resolve to make it easier for your engineers to write code with fewer critical security bugs, by embedding security checks and balances at every stage of the software development lifecycle.
6. Patch - Resolve to enable engineering to fix and patch bugs in a timely manner. Vulnerability management programs, whether or not they include a VDP, are only successful when you have the capacity to properly assess and fix the bugs that come in.
7. Coverage - Resolve to train the right eyes on your software, not necessarily more eyes. Consider how the argument that “more eyes = better security” has not held up in the case of open-source software. Instead of “eyes, eyes, baby”, try “stop, collaborate, and listen”.
Please VDP responsibly
8. Economics - Resolve to understand the economics of the vulnerability market. Invest in maturing your vulnerability management capabilities rather than paying for every bug. It’s inaccurate to assume that if you don’t pay for your vulns, someone else will.
9. Policies - Resolve to revisit your policies and incentives for vulnerability disclosure. Bug bounty platforms have overly restrictive requirements around reporting (such as NDAs) that disincentivize researchers from reporting critical security bugs.
10. Balance - Resolve to treat VDPs and bug bounty programs as tools in your broader security journey – not as silver bullets, and not as starting points.
The new year brings new opportunities to take actions that truly improve security, providing a strong foundation for your organization’s overall success and resilience. Rather than relying on a bug deluge-as-a-service company to fix communication breakdowns and insecure development practices, investing in your own people, processes, and tools is the key to security success. Let’s actually follow through on the heavy lifting in 2021 to mature our internal vulnerability handling processes and end the new year in a stronger position than we started it.
- Kat Sweet, Luta Security