you ve got your nice list of bugs now what vulnerability
play

Youve Got Your Nice List of Bugs, Now What? Vulnerability Discovery - PowerPoint PPT Presentation

Apr 03, 2023 •448 likes •688 views

Youve Got Your Nice List of Bugs, Now What? Vulnerability Discovery and Management Processes in the Wild Noura Alomar, Primal Wijesekera, Edward Qiu, and Serge Egelman University of California (Berkeley) and ICSI Motivation Many

  1. “You’ve Got Your Nice List of Bugs, Now What?” Vulnerability Discovery and Management Processes in the Wild Noura Alomar, Primal Wijesekera, Edward Qiu, and Serge Egelman University of California (Berkeley) and ICSI

  2. Motivation ● Many testing strategies ○ Penetration testing ○ Blue/ red and purple teams ○ Bug bounty programs ○ Quality assurance teams 2

  3. Motivation ● Many testing strategies ○ Penetration testing ○ Blue/ red and purple teams ○ Bug bounty programs ○ Quality assurance teams ● Many advanced vulnerability detection techniques ● Standards: ISO/IEC 29147 and ISO/IEC 30111 3

  4. What decision makers expect from the various testing strategies? How do different teams fit in vulnerability discovery processes? 4

  5. Methodology ● Interviews with 53 security practitioners ● Roles ○ CISOs, CTOs, security managers ○ Pen testers, bug bounty hunters, red/blue/purple teamers, internal security testers ● Countries ○ Bangladesh, Canada, Germany, India, Israel, Serbia, Singapore, Brazil, UK and US 5

  6. Vulnerability Management Pipeline Vulnerability Strategic Decision Vulnerability Making Discovery Remediation 6

  7. Vulnerability Management Pipeline Vulnerability Strategic Decision Vulnerability Making Discovery Remediation When to create a bug bounty program? When to employ what testing strategy? When to create an internal team vs hire a testing firm? 7

  8. Vulnerability Management Pipeline Vulnerability Strategic Decision Strategic Vulnerability Vulnerability Decision Making Making Discovery Discovery Remediation When to create a bug What are the activities of bounty program? each team? When to employ what What managers expect testing strategy? from each team? When to create an internal team vs hire a testing firm? 8

  9. Vulnerability Management Pipeline Vulnerability Vulnerability Strategic Decision Vulnerability Making Discovery Remediation Remediation When to create a bug What are the activities of How to fix uncovered bounty program? each team? vulnerabilities? When to employ what What managers expect How to prioritize remediation testing strategy? from each team? tasks? When to create an internal How to triage vulnerability team vs hire a testing firm? reports received from external researchers? 9

  10. Main themes 1. Trust: internal vs external testers 10

  11. Main themes 1. Trust: internal vs external testers 2. Communication & information sharing 11

  12. Main themes 1. Trust: internal vs external testers 2. Communication & information sharing 3. Uncertainty around who is responsible for what 12

  13. Main themes 1. Trust: internal vs external testers 2. Communication & information sharing 3. Uncertainty around who is responsible for what 4. Compliance-oriented approaches 13

  14. Strategic Decision Making ● Uncertainty around what to expect from each team “I have had clients that have suffered a breach in the past and immediately they are like, ‘Hey, we want to get a penetration test or a red team to figure out how the attacker broke in’” (P37) 14

  15. Strategic Decision Making ● Uncertainty around what to expect from each team “I have had clients that have suffered a breach in the past and immediately they are like, ‘Hey, we want to get a penetration test or a red team to figure out how the attacker broke in’” (P37) ● Bug bounty programs might be used as replacement to internal testing “My CISO likes to be able to tell customers we have a bug bounty program; therefore we are very secure” (P41) 15

  16. Pen testing ● Compliance requirements “Pen tests are kind of a reproducible formula for getting the engagement done whether it is to get that compliance checkbox checked or they are just kind of going through the motions to make sure that basic security structures are in place” (P10) 16

  17. Pen testing ● Compliance requirements “Pen tests are kind of a reproducible formula for getting the engagement done whether it is to get that compliance checkbox checked or they are just kind of going through the motions to make sure that basic security structures are in place” (P10) ● Accountability “..the quality of that report you get from pen testing companies is much much higher. It can also hold people who did the pen test accountable” (P32) 17

  18. Red teaming ● Exposure to legal liability “You don’t know when someone is in the network, you don’t know what he is reading. I know that there are NDAs, but sometimes there is a code of ethic, that says if you find something illegal during a penetration test, you have to report it. And in red teaming, let’s be honest not many companies are in regulations with the law” (P24). 18

  19. Bug Bounty Programs ● Sensitivity of data stored in organizations’ systems “...trying to convince any government agency to try to offer people a reward to try to break into their financial data, I think we would have a very bad reaction to that, whereas saying, ‘it’s an audit’ would be a much easier sell” (P44) 19

  20. Trust ● Organizations → scoping decisions “..everybody is talking about they want a red team, they want a red team, but at the end of the day, they want to put a bunch of rules around it, just like regular penetration tests" (P38) 20

  21. Trust ● Organizations → scoping decisions “..everybody is talking about they want a red team, they want a red team, but at the end of the day, they want to put a bunch of rules around it, just like regular penetration tests" (P38) ● Bug bounty hunters → legal concerns “I was looking around and I saw this, what looked like financial data and I started freaking out because it was a public company. But that was kind of scary that I had even looked at it and what if they saw that I looked at it” (P25) 21

  22. Compliance vs. Security ● External pen testers are asked to: ○ downplay severity ratings ○ take some vulnerabilities out of reports “We’ve been told we don’t want you to actually solve this problem, we just want you to make the check box go away” (P9) 22

  23. “You’ve Got Your Nice List of Bugs, Now What?” Vulnerability Discovery and Management Processes in the Wild Noura Alomar, Primal Wijesekera, Edward Qiu, and Serge Egelman Issues impacting effective vulnerability management: ➔ ◆ Trust Communication ◆ ◆ Staffing & funding Misalignment between business & security priorities ◆ Need to pay more attention to vulnerability remediation ! ➔ Thank you! nnalomar@berkeley.edu @Noura_7N

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LIST OF SLIDES 1. DOG 10. AIR 19. RABBITS 2. CAR 11. IT GROWS 20. BUGS 3. TREES 12. IT

LIST OF SLIDES 1. DOG 10. AIR 19. RABBITS 2. CAR 11. IT GROWS 20. BUGS 3. TREES 12. IT

LIST OF SLIDES 1. DOG 10. AIR 19. RABBITS 2. CAR 11. IT GROWS 20. BUGS 3. TREES 12. IT MOVES 21. BIRDS 4. FLOWERS 13. IT REPRODUCES 22. GRASS 5. BOOKS 14. SUNLIGHT 23. STONE 6. WORLD 15. SUNFLOWERS 24. TOYS 7. CAT 16. SUN 25.

601 views • 28 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on blood They are reddish-brown in colour An adult bed bug is approximately the size of an apple seed An egg is approximately the size of a

163 views • 15 slides
at BalCCon2k17 METHODOLOGY FOR VULNERABILITY RESEARCH AND EXPLOIT DEVELOPMENT Presenter m-r

at BalCCon2k17 METHODOLOGY FOR VULNERABILITY RESEARCH AND EXPLOIT DEVELOPMENT Presenter m-r

at BalCCon2k17 METHODOLOGY FOR VULNERABILITY RESEARCH AND EXPLOIT DEVELOPMENT Presenter m-r Mane Piperevski BalCCon2k17 Novi Sad, Serbia 2017 WORLD OF BUGS BalCCon2k17 Novi Sad, Serbia 2017 HOW DIFFICULT IS VULNERABILITY RESEARCH? Learning

938 views • 19 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
From LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays Senior

From LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays Senior

From LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays Senior Researcher at TeamT5 Focus on Reverse Engineering / Vulnerability Research MSRC Most Valuable Security Researcher 2019 / 2020 Acknowledged by

1.31k views • 103 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and migration systems Purpose Intended to guide & inform frontline workers & decision makers on the relevance of vulnerability factors to

507 views • 19 slides
Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures Islamabad Pakistan Assessment and Vulnerability Assessment and Vulnerability Reduction Measures Reduction Measures adpc Asian Disaster

702 views • 46 slides
Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer & PMC Member uschindler@apache.org

Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer & PMC Member uschindler@apache.org

Testing Lucene and Solr with various JVMs: Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer & PMC Member uschindler@apache.org http://www.thetaphi.de, http://blog.thetaphi.de @ThetaPh1 SD DataSolutions GmbH , Wtjenstr. 49, 28213

1.13k views • 71 slides
Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives Discuss the complexities in mitigating security bugs occurring in network protocols. Describe some current issues. Leave time for Q&A.

631 views • 50 slides
Finding Bugs the Rube-Goldberg Way Ruxcon 2014 mark.brand@datacom.com.au/c01db33f@gmail.com Me

Finding Bugs the Rube-Goldberg Way Ruxcon 2014 mark.brand@datacom.com.au/c01db33f@gmail.com Me

Finding Bugs the Rube-Goldberg Way Ruxcon 2014 mark.brand@datacom.com.au/c01db33f@gmail.com Me Work - Datacom TSS - pentesting/code auditing/research Play - Same as last year :-P - When I have time, its nice to try and break things.

469 views • 21 slides
Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty

Running a bug bounty Crowdsourcing security Collin Greene Also known as.. What is a bug bounty program Essentially bribing strangers to tell us their facebook 0days Sometimes blows up in our face, most of time works pretty well

841 views • 25 slides
IKT STTTET SAMARBEJDE IKT i Byggeprocessen Cand. Scient. Byggeledelse. Semester 1, 2009.

IKT STTTET SAMARBEJDE IKT i Byggeprocessen Cand. Scient. Byggeledelse. Semester 1, 2009.

ICT Enhanced Buildings Potentials IKT STTTET SAMARBEJDE IKT i Byggeprocessen Cand. Scient. Byggeledelse. Semester 1, 2009. 16.4.2009 PC/KS CONTENT Samarbejdsvrktjer og deres egenskaber. Eksempler: Projektwebs, video konferens,

864 views • 23 slides
Global Early Warning System (GEWS) with Global University System (GUS) Takeshi Utsumi, Ph.D.,

Global Early Warning System (GEWS) with Global University System (GUS) Takeshi Utsumi, Ph.D.,

Global Early Warning System (GEWS) with Global University System (GUS) Takeshi Utsumi, Ph.D., P.E. Chairman, GLObal Systems Analysis and Simulation Association in the U.S.A. (GLOSAS/USA) takutsumi0@gmail.com

608 views • 49 slides
Floating Car Data from Smartphones: What Google And Waze Know About You and How Hackers Can

Floating Car Data from Smartphones: What Google And Waze Know About You and How Hackers Can

Floating Car Data from Smartphones: What Google And Waze Know About You and How Hackers Can Control Traffic Black Hat | Europe March 12-15, 2013 Tobias Jeske Institute for Security in Distributed Applications TU Hamburg-Harburg

951 views • 53 slides
Organizing a BUG Bounty program GetClouder Marian Marinov < mm@1h.com > GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov < mm@1h.com > GetClouder

Organizing a BUG Bounty program GetClouder Marian Marinov < mm@1h.com > GetClouder Organizing a BUG Bounty program What will I tell you? Why? How? The most interesting thing by now GetClouder Organizing a BUG Bounty program Why?

382 views • 7 slides
Drinking From The CVE Firehose Or How To Ensure Your Open Source Product Survives the Onslaught

Drinking From The CVE Firehose Or How To Ensure Your Open Source Product Survives the Onslaught

Drinking From The CVE Firehose Or How To Ensure Your Open Source Product Survives the Onslaught of Publicly Known Security Vulnerabilities Ryan Ware Intel Corporation What is a security vulnerability? No! Really! Im Not Joking! What Is

529 views • 26 slides
The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari

The Rules of Engagement for Bug Bounty Programs Aron Laszka 1 , Mingyi Zhao 2 , Akash Malbari 3 , and Jens Grossklags 4 1 University of Houston 2 Snap Inc. 3 Pennsylvania State University 4 Technical University of Munich 1 Bug-Bounty

553 views • 23 slides
PRIVATISED FUNDING: BOUNTY HUNTERS AGAIN? CFAs, contingency fees, and third party funders in

PRIVATISED FUNDING: BOUNTY HUNTERS AGAIN? CFAs, contingency fees, and third party funders in

PRIVATISED FUNDING: BOUNTY HUNTERS AGAIN? CFAs, contingency fees, and third party funders in civil litigation Christopher Hodges Head of the CMS Research Programme on Civil Justice Systems Centre for Socio-Legal Studies, University of Oxford

635 views • 25 slides

More recommend