One Article Review

Home - The article:
Source Errata Security
Identifier 1719304
Publication date 2020-05-19 18:03:23 (viewed: 2020-05-19 22:08:31)
Title Securing work-at-home apps
Text In today's post, I answer the following question:

Our customer's employees are now using our corporate application while working from home. They are concerned about security, protecting their trade secrets. What security feature can we add for these customers?

The tl;dr answer is this: don't add gimmicky features, but instead, take this opportunity to do security things you should already be doing, starting with a "vulnerability disclosure program" or "vuln program".

Gimmicks

First of all, I'd like to discourage you from adding security gimmicks to your product. You are no more likely to come up with an exciting new security feature on your own than you are a miracle cure for the covid. Your sales and marketing people may get excited about the feature, and they may get the customer excited about it too, but the excitement won't last.

Eventually, the customer's IT and cybersecurity teams will be brought in. They'll quickly identify your gimmick as snake oil, and you'll have made an enemy of them. They are already involved in securing the server side, the work-at-home desktop, the VPN, and all the other network essentials. You don't want them as your enemy; you want them as your friend. You don't want to send your salesperson into the maw of a technical meeting at the customer's site trying to defend the gimmick.

You want to take the opposite approach: do something that the decision maker on the customer side won't necessarily understand, but which their IT/cybersecurity people will get excited about. You want them in the background as your champion rather than as your opposition.

Vulnerability disclosure program

To accomplish the goal described above, the thing you want is known as a vulnerability disclosure program. If there's one thing that the entire cybersecurity industry agrees on (other than hating the term cybersecurity, preferring "infosec" instead), it is that you need this vulnerability disclosure program. Everything else you might want to do to add security features to your product comes after you have this thing.

Your product has security bugs, known as vulnerabilities. This is true of everyone, no matter how good you are. Apple, Microsoft, and Google employ the brightest minds in cybersecurity, and they have vulnerabilities. Every month you update their products with the latest fixes for these vulnerabilities. I just bought a new MacBook Air, and it's already telling me I need to update the operating system to fix the bugs found after it shipped.

These bugs come mostly from outsiders. These companies have internal people searching for such bugs, as well as consultants, and do a good job quietly fixing what they find. But this goes only so far. Outsiders have a wider set of skills and perspectives than the companies could ever hope to control themselves, so they find things that the companies miss.

These outsiders are often not customers.

This has been a chronic problem throughout the history of computers. Somebody calls up your support line and tells you there's an obvious bug that hackers can easily exploit. The customer support representative then ignores this because the caller isn't a customer. It's foolish to waste time adding features to a product that no customer is asking for.

But then this bug leaks out to the public, hackers widely exploit it, damaging customers, and angry customers now demand to know why you did nothing to fix the bug despite having been notified about it.

The problem here is that nobody has the job of responding to such problems. The reason your company dropped the ball was that nobody was assigned to pick it up. All a vulnerability disclosure program means is that at least one person within the company has the responsibility of dealing with it.

How to set up a vulnerability disclosure program
Sent Yes
Tags Spam Vulnerability Threat Guideline
The article does not seem to have been picked up after its publication.

The article does not seem to be a repost of an earlier one.