It didn’t all change in March 2020. Not really. The UK high street has been in the throes of a gradual revolution for decades. From the rise of ecommerce, to the birth of mobile, social commerce, and a growing emphasis on experience, change has been underway for a while. In fact for many, the pandemic has acted as a wake-up call. Digital transformation was no longer a ‘nice to have’ but a matter of survival. Necessity sparked innovation and customers are enjoying more flexibility and conveni ...
…
continue reading
Content provided by O'Reilly Media. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by O'Reilly Media or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Similar to O'Reilly Security Podcast - O'Reilly Media Podcast
Custom Manufacturing Industry podcast is an entrepreneurship and motivational podcast on all platforms, hosted by Aaron Clippinger. Being CEO of multiple companies including the signage industry and the software industry, Aaron has over 20 years of consulting and business management. His software has grown internationally and with over a billion dollars annually going through the software. Using his Accounting degree, Aaron will be talking about his organizational ways to get things done. Hi ...
…
continue reading
Ever wondered what makes great go-to-market leaders grow, even when the going gets tough? We have, too. And we’re on a mission to uncover the magic that makes that growth happen. This is Go-to-Market Magic, the show where we talk to go-to-market leaders and visionaries about the “aha!” moments they experience and the pivotal decisions they’ve made, all in the name of growth. And we’re not just talking about revenue growth that goes up and to the right — we’ll also discuss how they improve th ...
…
continue reading
The Partnership Economy explores the power of partnerships through candid conversations and stories with industry leaders. Our hosts, David A. Yovanno, CEO and Todd Crawford, Co-founder, of impact.com, unpack the future of partnerships as a lever for scale and an opportunity to put the consumer first.
…
continue reading
Bitcoin groundbreakers share personal stories of how Bitcoin is changing lives for the better. Host Mauricio Di Bartolomeo, co-founder and CSO of Ledn, speaks with leading Bitcoin voices, entrepreneurs, and human rights advocates to hear their unique journey and practical real-world examples of how Bitcoin has made a positive impact in their lives. Brought to you by Ledn, a leading financial services company built for Bitcoin & digital assets. Ledn offers a suite of lending, saving and tradi ...
…
continue reading
Welcome to the What’s Next! Podcast. I’ve met so many brilliant people as I traveled the globe and have had some fascinating conversations that I’ve wished had been recorded so I could share them with you - this podcast was a way for me to recreate those moments and let you in on some fantastic insights. My current conversations center around one objective: what's next for companies and individuals as they look to innovate and grow. I hope these conversations inspire you as much as they have ...
…
continue reading
The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
How do I start an online business? How do I build a brand online? How do I get traffic and attention to my online business? The biggest question is, can I start a business online and replace my current JOB? Welcome to The Rock Your Brand podcast show where we answer ALL of these questions and a ton MORE! Scott Voelker, the host will share with you everything you need to know and help you to build a Future Proof Business that will allow you the ultimate Freedom. Scott shares tips and strategi ...
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
Wharton faculty and industry leaders discuss their latest research, books, and relevant business topics. Hosted on Acast. See acast.com/privacy for more information.
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
))
Kimber Dowsett on developing and maturing a vulnerability disclosure program
Manage episode 180671577 series 1211161
Content provided by O'Reilly Media. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by O'Reilly Media or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
The O’Reilly Security Podcast: Key preparation before implementing a vulnerability disclosure policy, the crucial role of setting scope, and the benefits of collaborative relationships.
In this episode, I talk with Kimber Dowsett, security architect at 18F. We discuss how to prepare your organization for a vulnerability disclosure policy, the benefits of starting small, and how to apply lessons learned to build better defenses.
Here are some highlights:
Gauging readiness for a vulnerability policy or a bug bounty program
It’s critical to develop a response and remediation plan before you launch a disclosure policy. You should be asking, ‘Are we set up to respond to vulnerabilities as they come in?’ and ‘Do we have workflow in place for remediation?’ Organizations need to be sure they're not relying on a vulnerability disclosure policy to find bugs, vulnerabilities, or holes in their applications and code. It’s critical to ensure you have a mature, solid product in place before you open it up to the world and invite scrutiny. Additionally, vulnerability disclosure policies and bug bounty programs shouldn't be thought of as low-cost quality assurance. Code that hasn't been tested isn't viable for these programs. If your product hasn't been tested, torn apart, tested again, gone through pen tests, then it’s not ready, particularly for a bug bounty program. Even if you're ready for a vulnerability disclosure policy, there's a good chance you're not yet ready for a bug bounty program.
Start small and proceed with caution
If you don’t start small, there's a good chance you're going to get hit in ways that you're not prepared to handle, and probably with issues you'd never even considered. When we launched the 18F policy, we launched it with three sites and then rolled out additional sites as they were ready. If a team said to me, ‘Okay, we think we're good to go to be added to the disclosure policy,’ then we would review their pen test results, development, back end, and code reviews. It's a much slower process, but it returns better results. Going all in at the start and declaring that everything is in scope for your policy is shooting yourself in the foot. We have been cautious and we've had a very successful, slow rollout of vulnerability disclosure. We've proceeded with caution and that worked well for us.
The benefits of building collaborative relationships
When we confirm a vulnerability, our blue team explores how we would defended against it or ways we could defend it until remediation is complete. Then, our pen testers, security engineers, or developers look to add something about the vulnerability to their toolkits to test for similar insecurities as they are building apps. We really shoot for baked-in security, but there's always going to be a ‘gotcha.’ If researchers submit reports in meaningful ways, we are able to use that to save ourselves time and energy with the triage process, and move straight to determining the best defense and how to find and secure similar problems in the future. We’ve built a process that fosters collaborative relationships with researchers. When researchers make high-quality submissions, we ensure their discoveries are welcomed, and of course, responsibly disclosed. In a successful program, researchers have become part of the security process, as they’ve contributed in a meaningful way to the security of one of our applications. When researchers feel welcome, we all win.
43 episodes
Share
Manage episode 180671577 series 1211161
Content provided by O'Reilly Media. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by O'Reilly Media or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
The O’Reilly Security Podcast: Key preparation before implementing a vulnerability disclosure policy, the crucial role of setting scope, and the benefits of collaborative relationships.
In this episode, I talk with Kimber Dowsett, security architect at 18F. We discuss how to prepare your organization for a vulnerability disclosure policy, the benefits of starting small, and how to apply lessons learned to build better defenses.
Here are some highlights:
Gauging readiness for a vulnerability policy or a bug bounty program
It’s critical to develop a response and remediation plan before you launch a disclosure policy. You should be asking, ‘Are we set up to respond to vulnerabilities as they come in?’ and ‘Do we have workflow in place for remediation?’ Organizations need to be sure they're not relying on a vulnerability disclosure policy to find bugs, vulnerabilities, or holes in their applications and code. It’s critical to ensure you have a mature, solid product in place before you open it up to the world and invite scrutiny. Additionally, vulnerability disclosure policies and bug bounty programs shouldn't be thought of as low-cost quality assurance. Code that hasn't been tested isn't viable for these programs. If your product hasn't been tested, torn apart, tested again, gone through pen tests, then it’s not ready, particularly for a bug bounty program. Even if you're ready for a vulnerability disclosure policy, there's a good chance you're not yet ready for a bug bounty program.
Start small and proceed with caution
If you don’t start small, there's a good chance you're going to get hit in ways that you're not prepared to handle, and probably with issues you'd never even considered. When we launched the 18F policy, we launched it with three sites and then rolled out additional sites as they were ready. If a team said to me, ‘Okay, we think we're good to go to be added to the disclosure policy,’ then we would review their pen test results, development, back end, and code reviews. It's a much slower process, but it returns better results. Going all in at the start and declaring that everything is in scope for your policy is shooting yourself in the foot. We have been cautious and we've had a very successful, slow rollout of vulnerability disclosure. We've proceeded with caution and that worked well for us.
The benefits of building collaborative relationships
When we confirm a vulnerability, our blue team explores how we would defended against it or ways we could defend it until remediation is complete. Then, our pen testers, security engineers, or developers look to add something about the vulnerability to their toolkits to test for similar insecurities as they are building apps. We really shoot for baked-in security, but there's always going to be a ‘gotcha.’ If researchers submit reports in meaningful ways, we are able to use that to save ourselves time and energy with the triage process, and move straight to determining the best defense and how to find and secure similar problems in the future. We’ve built a process that fosters collaborative relationships with researchers. When researchers make high-quality submissions, we ensure their discoveries are welcomed, and of course, responsibly disclosed. In a successful program, researchers have become part of the security process, as they’ve contributed in a meaningful way to the security of one of our applications. When researchers feel welcome, we all win.
43 episodes
All episodes
×
Welcome to Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.
Similar to O'Reilly Security Podcast - O'Reilly Media Podcast
It didn’t all change in March 2020. Not really. The UK high street has been in the throes of a gradual revolution for decades. From the rise of ecommerce, to the birth of mobile, social commerce, and a growing emphasis on experience, change has been underway for a while. In fact for many, the pandemic has acted as a wake-up call. Digital transformation was no longer a ‘nice to have’ but a matter of survival. Necessity sparked innovation and customers are enjoying more flexibility and conveni ...
…
continue reading
Custom Manufacturing Industry podcast is an entrepreneurship and motivational podcast on all platforms, hosted by Aaron Clippinger. Being CEO of multiple companies including the signage industry and the software industry, Aaron has over 20 years of consulting and business management. His software has grown internationally and with over a billion dollars annually going through the software. Using his Accounting degree, Aaron will be talking about his organizational ways to get things done. Hi ...
…
continue reading
Ever wondered what makes great go-to-market leaders grow, even when the going gets tough? We have, too. And we’re on a mission to uncover the magic that makes that growth happen. This is Go-to-Market Magic, the show where we talk to go-to-market leaders and visionaries about the “aha!” moments they experience and the pivotal decisions they’ve made, all in the name of growth. And we’re not just talking about revenue growth that goes up and to the right — we’ll also discuss how they improve th ...
…
continue reading
The Partnership Economy explores the power of partnerships through candid conversations and stories with industry leaders. Our hosts, David A. Yovanno, CEO and Todd Crawford, Co-founder, of impact.com, unpack the future of partnerships as a lever for scale and an opportunity to put the consumer first.
…
continue reading
Bitcoin groundbreakers share personal stories of how Bitcoin is changing lives for the better. Host Mauricio Di Bartolomeo, co-founder and CSO of Ledn, speaks with leading Bitcoin voices, entrepreneurs, and human rights advocates to hear their unique journey and practical real-world examples of how Bitcoin has made a positive impact in their lives. Brought to you by Ledn, a leading financial services company built for Bitcoin & digital assets. Ledn offers a suite of lending, saving and tradi ...
…
continue reading
Welcome to the What’s Next! Podcast. I’ve met so many brilliant people as I traveled the globe and have had some fascinating conversations that I’ve wished had been recorded so I could share them with you - this podcast was a way for me to recreate those moments and let you in on some fantastic insights. My current conversations center around one objective: what's next for companies and individuals as they look to innovate and grow. I hope these conversations inspire you as much as they have ...
…
continue reading
The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
How do I start an online business? How do I build a brand online? How do I get traffic and attention to my online business? The biggest question is, can I start a business online and replace my current JOB? Welcome to The Rock Your Brand podcast show where we answer ALL of these questions and a ton MORE! Scott Voelker, the host will share with you everything you need to know and help you to build a Future Proof Business that will allow you the ultimate Freedom. Scott shares tips and strategi ...
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
Wharton faculty and industry leaders discuss their latest research, books, and relevant business topics. Hosted on Acast. See acast.com/privacy for more information.
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
