SLIDE 1

“You’ve Got Your Nice List of Bugs, Now What?” Vulnerability Discovery and Management Processes in the Wild

Noura Alomar, Primal Wijesekera, Edward Qiu, and Serge Egelman

University of California (Berkeley) and ICSI

SLIDE 3

Motivation

  • Many testing strategies
    ○ Penetration testing
    ○ Blue, red and purple teams
    ○ Bug bounty programs
    ○ Quality assurance teams
  • Many advanced vulnerability detection techniques
  • Standards: ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes)

SLIDE 4

What do decision makers expect from the various testing strategies? How do different teams fit into vulnerability discovery processes?

SLIDE 5

Methodology

  • Interviews with 53 security practitioners
  • Roles
    ○ CISOs, CTOs, security managers
    ○ Pen testers, bug bounty hunters, red/blue/purple teamers, internal security testers
  • Countries
    ○ Bangladesh, Canada, Germany, India, Israel, Serbia, Singapore, Brazil, UK and US

SLIDE 9

Vulnerability Management Pipeline

Strategic Decision Making → Vulnerability Discovery → Vulnerability Remediation

  • Strategic Decision Making
    ○ When to create a bug bounty program?
    ○ When to employ what testing strategy?
    ○ When to create an internal team vs hire a testing firm?
  • Vulnerability Discovery
    ○ What are the activities of each team?
    ○ What do managers expect from each team?
  • Vulnerability Remediation
    ○ How to fix uncovered vulnerabilities?
    ○ How to prioritize remediation tasks?
    ○ How to triage vulnerability reports received from external researchers?

SLIDE 13

Main themes

  1. Trust: internal vs external testers
  2. Communication & information sharing
  3. Uncertainty around who is responsible for what
  4. Compliance-oriented approaches

SLIDE 15

Strategic Decision Making

  • Uncertainty around what to expect from each team

“I have had clients that have suffered a breach in the past and immediately they are like, ‘Hey, we want to get a penetration test or a red team to figure out how the attacker broke in’” (P37)

  • Bug bounty programs might be used as a replacement for internal testing

“My CISO likes to be able to tell customers we have a bug bounty program; therefore we are very secure” (P41)

SLIDE 17

Pen testing

  • Compliance requirements

“Pen tests are kind of a reproducible formula for getting the engagement done whether it is to get that compliance checkbox checked or they are just kind of going through the motions to make sure that basic security structures are in place” (P10)

  • Accountability

“...the quality of that report you get from pen testing companies is much much higher. It can also hold people who did the pen test accountable” (P32)

SLIDE 18

Red teaming

  • Exposure to legal liability

“You don’t know when someone is in the network, you don’t know what he is reading. I know that there are NDAs, but sometimes there is a code of ethics that says if you find something illegal during a penetration test, you have to report it. And in red teaming, let’s be honest, not many companies are in regulations with the law” (P24)

SLIDE 19

Bug Bounty Programs

  • Sensitivity of data stored in organizations’ systems

“...trying to convince any government agency to try to offer people a reward to try to break into their financial data, I think we would have a very bad reaction to that, whereas saying, ‘it’s an audit’ would be a much easier sell” (P44)

SLIDE 21

Trust

  • Organizations → scoping decisions

“...everybody is talking about they want a red team, they want a red team, but at the end of the day, they want to put a bunch of rules around it, just like regular penetration tests” (P38)

  • Bug bounty hunters → legal concerns

“I was looking around and I saw this, what looked like financial data and I started freaking out because it was a public company. But that was kind of scary that I had even looked at it and what if they saw that I looked at it” (P25)

SLIDE 22

Compliance vs. Security

  • External pen testers are asked to:
    ○ downplay severity ratings
    ○ take some vulnerabilities out of reports

“We’ve been told we don’t want you to actually solve this problem, we just want you to make the check box go away” (P9)

SLIDE 23

➔ Issues impacting effective vulnerability management:
  ◆ Trust
  ◆ Communication
  ◆ Staffing & funding
  ◆ Misalignment between business & security priorities

➔ Need to pay more attention to vulnerability remediation!

Thank you!

nnalomar@berkeley.edu @Noura_7N
