Next-Gen Application Security

Similar documents
Running a Bug Bounty Program

2016 Bug Bounty Hacker Report

HEAD TO HEAD. Bug Bounties vs. Penetration Testing. How the crowdsourced model is disrupting traditional penetration testing.

Crowdsourced Security at the Government Level: It Takes a Nation (of Hackers)

How to Succeed with Your Bug Bounty Program

Bug Bounty programs in Switzerland? Florian Badertscher, C1 - public

Penetration Testing Is Dead! (Long Live Penetration Testing!)

CWE TM COMPATIBILITY ENFORCEMENT

Task Force Innovation Working Groups

SPOK MESSENGER. Improving Staff Efficiency and Patient Care With Timely Communications and Critical Connectivity

City of Vancouver Digital Strategy. April 9, 2013

Tribal Health. Integrated Tribal Health Center Solutions Five Steps to Better Tribal Health Outcomes

Midmark White Paper Building Your Connected Point of Care Ecosystem. Point Of Care Ecosystem Series Part Four

BUG BOUNTY BUZZWORD BINGO DEEP DIVE UNDER A JUMPED SHARK

Technical Charter (the Charter ) for. ONAP Project a Series of LF Projects, LLC

A MOBILE MAKEOVER for Recruiters and Hiring Team Collaboration

Driving Business Value for Healthcare Through Unified Communications

End-to-end infusion safety. Safely manage infusions from order to administration

Recent Veterans of Major EMR Launches Share Insights on Keys to a Robust Go-Live Command Center

The creative sourcing solution that finds, tracks, and manages talent to keep you ahead of the game.

Outsourcing Non-core Activities A strategy for SMBs that actually works

Population Health Management Tools and Strategies to Support Care Coordination An InfoMC White Paper April 2016

Technical Charter (the Charter ) for. OpenDaylight Project a Series of LF Projects, LLC

NASCIO Recognition Award Submission. egrants - Automating and Creating a Grants Management System. Recognition Award Submission

Co-Sourcing Lab Services Maximizing Service Partners in a Lab Environment

Jobvite and GroupM Team Up to Create Recruiting Success

NEW PHASE, NEW LOGO, NEW NEWSLETTER FOR THE EPIC IMPLEMENTATION

The Point of Care Ecosystem Four Benefits of a Fully Connected Outpatient Experience

CASE STUDY. Denton County s Smooth Transition to Paper-Ballot Elections

SEVEN SEVEN. Credentialing tips designed to help keep costs down and ensure a healthier bottom line.

Security Evolution - Bug Bounty Programs for Web Applications OWASP. The OWASP Foundation Michael Coates - Mozilla

The future of patient care. 6 ways workflow automation will transform the healthcare experience

FriKomPort: Sharing code, costs, and benefits. Introduction

THE STATE OF BUG BOUNTY

Vacancy Announcement

TELEHEALTH FOR HEALTH SYSTEMS: GUIDE TO BEST PRACTICES

bd.com Pyxis Enterprise Server

Delivering ROI. The Case for an Output Management Solution for Hospitals

Hospital Readmissions

NINE TIPS TO BRING ORDER TO HOSPITAL COMMUNICATION CHAOS

WHITE PAPER. The Shift to Value-Based Care: 9 Steps to Readiness.

EMR vendor consideration checklist for home health and hospice agencies

Nurse Call Communication System

The EU Open Access Policies in support of Open Science. Open data in science. Challenges and opportunities for Europe ICSU Brussels

How to Improve HEDIS Reporting Among Providers and Improve Your Health Plan Rankings

PLANNING DRILLS FOR HEALTHCARE EMERGENCY AND INCIDENT PREPAREDNESS AND TRAINING

Integrated Offshore Outsourcing Solution

The Single-Purpose App.

Sage Nonprofit Solutions I White Paper. Utilizing Technology to Manage and Win Grants. For the Nonprofit and Government Sectors

ebook How to Recruit for Local Government in the Digital Age

THE ULTIMATE GUIDE TO CROWDFUNDING YOUR STARTUP

10 Things To Know About

The Value of Creating Simple and Seamless Collaboration

Lean Startup as the Innovation Engine for the Digital Agency at AXA

FOUR TIPS: THE INVISIBLE IMPACT OF CREDENTIALING

RTLS and the Built Environment by Nelson E. Lee 10 December 2010

GATEWAY TO SILICON VALLEY SAMPLE SCHEDULE *

NEW CORE INFRASTRUCTURE STREAMLINES CARE

WHITE PAPER. The four big waves of contact center technology: From Insourcing Technology to Transformational Customer Experience.

Saving Lives in Real-time

A Market-based Approach to Software Evolution

EVERGREEN IV: STRATEGIC NEEDS

Wolf EMR. Enhanced Patient Care with Electronic Medical Record.

The Fintech Revolution: Innovate at the Speed of Technology

2017 RFP External Reviewer Guide

Technical Charter (the Charter ) for. Acumos AI Project a Series of LF Projects, LLC

Talent Crowdsourcing: The Quick Guide

OnDemand as a solution for common customer challenges

UNCLASSIFIED R-1 ITEM NOMENCLATURE

Recruiting Game- Changing Talent

EHR Implementation Best Practices. EHR White Paper

SMS in Hospitals. Communicate with all your stakeholders to improve the efficiency and effectiveness of the care you provide

Technical Charter (the Charter ) for LinuxBoot a Series of LF Projects, LLC. Adopted January 25, 2018

Clinical Application Lead, Electronic Medical Record (EMR) Program Monash Health

Small business Big ambitions

Patient Payment Check-Up

Increasing security and convenience at Epic health systems

The Importance of Being Entrepreneurial in Today s Changing University Environment

Saint Francis Cancer Center Combines MOSAIQ, Epic and Palabra for a Perfect Documentation Workflow ONCOLOGISTS PALABRA: THE SOFTWARE ACTUALLY LOVE

Customer Situation Solution Benefits

A better source of truth: Accurate provider data for physician recruitment cuts costs and improves outreach

U.S. Air Force Electronic Systems Center

Are You Undermining Your Patient Experience Strategy?

Defense Travel Management Office

Deputy Director, C5 Integration

WHITE PAPER. Transforming the Healthcare Organization through Process Improvement

Igniting Innovation in Pakistan Through 4IR Wave Tech

Project Request and Approval Process

Competition Guidelines Competition Overview Artificial Intelligence Grand Challenges

Confronting the Challenges of Rare Disease:

Follow the Money: Security Researchers, Disclosure, Confidence and Profit

40,000 Covered Lives: Improving Performance on ACO MSSP Metrics

Aging Services of Minnesota GUIDING PRINCIPLES FOR DEMENTIA CARE WORKBOOK

Security Champions 2.0. OWASP Bucharest AppSec 2017 Alexander Antukh

Medicine Reconciliation FREQUENTLY ASKED QUESTIONS NATIONAL MEDICATION SAFETY PROGRAMME

page 30 MGMA Connexion April MGMA-ACMPE. All rights reserved.

GLOBAL INFORMATION GRID NETOPS TASKING ORDERS (GNTO) WHITE PAPER.

1. When will physicians who are not "meaningful" EHR users start to see a reduction in payments?

3. Does the institution have a dedicated hospital-wide committee geared towards the improvement of laboratory test stewardship? a. Yes b.

Lessons Learned from Scotland s Electronic Health Record Programme. Greater China e-health Forum 7 th October 2011

Transcription:

Next-Gen Application Security Launch Effective Agile Security for Agile Development Improve your application security by following these words of advice on how to incorporate bug bounties and crowdsourced pen tests into your DevOps pipeline.

Many companies are trying to keep up with DevOps practices while keeping their applications secure. It s a tall order to say the least. Bug bounties and crowdsourced penetration tests allow you to continually test your applications for security bugs. It lets you tap into the minds of many expert researchers to reduce the risk of a breach and help you make more secure software. But before we dive into how to get started using this tool, let s discuss why security and agile development can seem to be at odds. Challenges of Securing DevOps/Continuous Delivery Environments Speed is the name of the game. In today s fast-paced world, developers are under pressure to deliver new features as quickly as possible. When you look at the popular terms of the day, such as continuous integration, continuous delivery, and continuous deployment, you see the common thread of ready-to-deploy software. There are pipelines pumping out code, sometimes on a daily basis. Continuous delivery environments make use of exciting new tools and types of software. Containers allow applications to be delivered in pieces, with small, lightweight packages of software that are easily deployed. Unfortunately, the speed of innovation can be dangerous. Using new tools before their security implications are fully understood can lead an organization down a dangerous path. Securing software at the speed of delivery is a challenge. Traditional security practices bog down development, frustrating development teams and causing unnecessary friction. Securing software in the world of DevOps requires proactive, not reactive, measures. One such proactive security tool is hacker-powered security. Hacker-powered security refers to any technique that utilizes the external hacker community to find unknown security vulnerabilities and reduce cyber risk. Common examples include private bug bounty programs, public bug bounty programs, time-bound bug bounty programs and vulnerability disclosure policies. The benefits of bug bounties are many, but how do you get started with bug bounties and where do they fit in a DevOps workflow? HACKERONE 2

How to Effectively Use Hacker-Powered Security in Your Secure SDLC Humans make mistakes. Humans write code. Even our most robust scanning and vulnerability management processes are proven to miss things, even big things. There is no such thing as perfectly secure software, and the juiciest bugs require creative, intellectual humans to uncover them. This section will review how you can leverage the power of the diverse hacker community to uncover critical vulnerabilities before they can be exploited. We ll start with vulnerability management best practices, take a look at the Agile and DevOps workflow, and wrap up with how to deploy a bug bounty program, fully integrated into your security program for maximum effectiveness. HACKERONE 3

Hacker-Powered Security Step One: Good Vulnerability Management Practices Vulnerabilities will always exist in all but the most basic software. Today s world features complex applications with many moving parts. Your software will have vulnerabilities. Since we know vulnerabilities will occur, it s essential to have a system in place to properly handle them. Vulnerability management encompasses all of the activities and workflows triggered by the discovery of a vulnerability. What does a mature vulnerability management workflow look like? Once a vulnerability is reported, a triage takes place where the vulnerability is verified by the security team. Verification by a human gives you confidence that the vulnerability is real and possibly exploitable by an attacker. Once verified, a prioritization process is essential. You may not be able to immediately remediate every vulnerability, but try your best not to let them hang around too long. GETTING YOUR DEVELOPMENT TEAMS ON BOARD WITH SLAS What timelines make sense when deciding levels of priority? Priority can often be in the eye of the beholder and each organization will need to decide what makes sense for it. In general, you should balance your risk tolerance with the ability of the development team to make the required fixes. A legacy application with longer release cycles may not be able to create fixes in only 3 days, so be realistic. If your infrastructure is built on technologies that enable fast delivery, then fix vulnerabilities as soon as possible. Every day a vulnerability goes without a fix is another day an attacker has to find it and exploit it. Example Fix SLA's Critical: 1-7 Days Medium: 8-30 Days Low: 31-45 Days Once you decide the timetables for fixing, clearly communicate these Service Level Agreements (SLAs) to the product teams and hold them accountable for them. The time should start once the correct product team has been officially notified of the vulnerability. HACKERONE 4

Verify Fix Deliver Fix Vulnerability Reported Verify Report Develop Fix Prioritize A mature vulnerability management process is essential to giving your bug bounty program a good start. Once a vulnerability is prioritized, the appropriate product team is notified and the time begins to tick on the SLA for the risk level of the vulnerability. The notification usually takes the form of a ticket in a bug tracking system such as Jira. The development team creates a fix under the guidance of a security champion or security SME provided for the development team. Once the fix is complete, a round of testing ensues to make sure the vulnerability is no longer present. This usually occurs in a testing environment. Then the fix is delivered into production and everyone can feel a little safer. As we will see, having a vulnerability management process in place will make it much easier to integrate a bug bounty into your overall software development lifecycle. Let s take a look at that piece of the puzzle next. HACKERONE 5

Hacker-Powered Security Step Two: The Agile and DevOps Workflow Let s take a look at the typical workflow for an agile or DevOps development team from the lens of security testing. Once we see what tools development teams have used in the past, we can begin to see where bug bounty programs fit into the development lifecycle to create more secure software. Bug Report Test Driven Development Static Analysis Penetration Test Deploy Software Dynamic Analysis The DevOps workflow depends largely on several passes of automation to help find and fix security vulnerabilities. Can manual tests be incorporated more effectively? HACKERONE 6

The software development industry has continued to adopt new tools and techniques to help prevent vulnerabilities and find them before they reach production. Developer training is usually the first step taken. However, training developers can be quite expensive, both in money and time. Therefore, it tends to happen infrequently and covers only the basics of software security, Test Driven Development (TDD) has emerged to help developers test their code as it s being written. The focus is usually on functional testing, with little emphasis on security. Some basic security needs can be tested for using TDD, but the ability to do so is limited. Static analysis takes over after a developer checks code into a code repository. Scanners comb through the source code looking for patterns that may lead to vulnerable software. Unfortunately, these scanners tend to find many false positives, and time is again taken away to validate what is found. Dynamic analysis runs a series of complex tests against software running in a test environment. The idea is to try to emulate what a human attacker would do to gain illicit access to a system. Dynamic analysis can find issues that static analysis cannot. However, it can be difficult and time consuming to find the root cause and impact of the problems found. Don t assume that these analysis programs are useless. They have a place in the DevSecOps workflow. In fact, about 40% of vulnerabilities can be detected using automation. Therefore, it makes sense to eliminate the low-hanging fruit of vulnerabilities using these tools. But more is needed. Once an application is in a usable state, or even deployed to production, a penetration test is run to find more complicated issues that require a human touch. These are important to help find the 60% of vulnerabilities that can t be found using automation. Penetration tests tend to take much longer to perform and require a lot of work to prepare for. This begs the question: Is there a way to incorporate the human intuition and value of penetration tests with the continuous coverage provided by automated tools? HACKERONE 7

Hacker-powered Security: How to Incorporate Bug Bounty Hacker-powered security brings the power of human hackers to the DevSecOps workflow. Hacker-powered security means having external ethical hackers always testing your applications against the latest vulnerabilities. It takes time for new exploits and techniques to be incorporated into automated tools. Humans can learn the details of a new attack quickly and use it to test your software right away. With a mature vulnerability management process in place, you ll be better equipped to add bug bounty into your security workflow. Security in the DevOps world needs to remain non-blocking, or not hamper your developers ability to deliver software on time. Bug bounties are a natural fit, as hackers will always be working behind the scenes to keep your software safe. The Roles of People The increase of administration and management a bug bounty suggests may seem daunting to an already over-extended security team. Let s now take a quick look at what people you ll need and some strategies to help ease bug bounty into the DevOps workflow. The organizational design of your security team can help or hurt your ability to incorporate bug bounty smoothly. Security teams should be focused on providing services to the development team, not ordering them around as code cops. Some examples of services provided by the security team include code reviews, design reviews, security testing, vulnerability management, or research on behalf of the development team. A team set up with a service-first mindset will be able to find a place for bug bounty within the vulnerability management service. The security team also has many decisions to make. What is the scope of your program? How will communication happen with the hackers who submit bugs to you? Will your program be public or private? What metrics do you need to be effective? These questions are more easily answered when a mature vulnerability management program already exists, but there still are items unique to bug bounty programs. HACKERONE 8

HERE IS WHAT YOU NEED TO START YOUR BUG BOUNTY PROGRAM: 1. A vulnerability disclosure policy and clear rules of engagement so the hackers know what to test and how to report vulnerabilities. 2. A mature vulnerability management program that can handle the vulnerabilities a new bug bounty program will generate. 3. Decide if your bug bounty program is public or private. It s usually best to begin with a private program. Decide whether or not to disclose your vulnerabilities to help the hacking community expand their skills. 4. Determine which metrics are the most valuable for your program s continued health. Signal-to-noise ratio is a key metric you should measure to determine the effectiveness of your program. Product teams are the downstream consumers of the vulnerability management process, and therefore shouldn t be in contact with hackers from your bug bounty. The security team should handle triage, verification, and publication of vulnerabilities to the product teams (or you can work with HackerOne to handle everything, read on for more). In turn, the product team is responsible for provided fixes in a timely manner and reporting these back to the security team. The security team can then provide a formal disclosure of the vulnerability to interested parties or customers of your product. HACKERONE 9

The Role of Automation One of the many enablers of DevOps is automation. The ability to do things with computers previously only possible with human intervention has been a game changer. Security scanning tools are an example of the types of automation that can help secure DevOps. Automation fits well into bug bounty programs as well. HackerOne s platform is built to help hackers report possible vulnerabilities to you. But we know you likely have other systems built to manage vulnerabilities from your existing sources. HackerOne s API make integration and automation easy so you can incorporate bug bounty reports into your vulnerability management workflow. HackerOne API PM Tool (Jira, Asana) Vulnerability Database (Archer, DefectDojo) Asset CMDB Applicant Owner Email HackerOne s API allows easy integration with your existing tools. This is what a vulnerability management toolchain may look like with HackerOne included. HACKERONE 10

It s important to first know what all of your assets are and their configuration. A Configuration Management Database (CMDB) stores all of your assets in one location. You may also have a vulnerability management database such as Archer or DefectDojo to store vulnerabilities tied to those assets. HackerOne s API allows you to search HackerOne s platform for new vulnerabilities related to your assets on a regular basis. New vulnerabilities found are then placed into the vulnerability database of choice, kicking off a triage workflow for the security team. Once the bug report is verified, emails can be sent to application owners and the vulnerabilities can be sent to a bug tracking tool such as Jira or a project management tool like Asana. Using automation helps to keep human intervention to a minimum and keeps the product team flowing smoothly. The product team has no huge chances in their process. A new bug report is created and handled like any other, regardless of the source. Adding the Expertise of HackerOne Not all organizations have the resources to completely own the bug bounty process. Communicating with hackers and performing triage on new vulnerabilities may be unrealistic at this time. If you re in this situation, HackerOne can help you get your bug bounty off the ground with a fully managed bug bounty program. HackerOne s experienced security analysts will communicate with hackers and validate all submissions made through the bug bounty platform. Your security team will get only valid, well-documented vulnerability reports. If you feel you re ready to take over the triage duties, you can still use HackerOne s platform and manage the bug bounty yourself. The choice is yours. Whether HackerOne manages it or you do, all organizations can make their software more secure with hacker-powered security. HACKERONE 11

Let Hacker-Powered Security Augment Your Security Team Adding security to a DevOps program takes many steps and many tools. But not every tool is the most effective way to secure your applications. Automated scanning and unit testing are great first steps, but they usually aren t enough for companies to have complete confidence in the security of their applications. Bug bounty programs put many eyes on your application and feature a unique way of testing your applications. The testing is continuous, ongoing, and mirrors the development itself. It fits in well with the spirit of DevOps and agile development methodologies. Bug Report Test Driven Development Penetration Test Bug Bounty Program DevSecOps Vulnerability Management Static Analysis Deploy Software Dynamic Analysis HACKERONE 12

BUG BOUNTY AND THE SDLC Hacker-powered security works hand-in-hand with your existing DevOps workflow. The bug bounty program becomes a source for your vulnerability management program. The vulnerabilities are handed to the product teams who build a fix, test it, and deploy. Why bug bounty fits with the DevOps workflow Bug bounty acts as a continuous penetration test Hackers understand, and test, the latest exploits faster than automated scanners Bug bounty scales your application security efforts to keep up with the growing number of applications security teams are responsible for. What s needed for hacker-powered security? A mature vulnerability management program A service-focused security team A flexible platform with access to top hackers and service expertise you can rely on You can achieve maximum security of your applications by completing your secure SDLC with a bug bounty program. HackerOne is here to guide you through the entire process.there s a community of thousands of ready to test your applications and ensure maximum security. HACKERONE 13

About HackerOne HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. The U.S. Department of Defense, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, the CERT Coordination Center and over 1,200 other organizations have partnered with HackerOne to resolve over 90,000 vulnerabilities and award over $42M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, and Singapore. Learn more by visiting our website or contacting us today. HACKERONE 14 WWW.HACKERONE.COM / SALES@HACKERONE.COM / +1 (415) 891-0777

2024 © careersdocbox.com Privacy Policy | Terms of Service | Feedback