News 21 AV

How CISOs should approach responsible disclosure

By News 21 AV, October 19, 2021, in Tech News

No easy fix for vulnerability exploitation, so be prepared


The debate on what constitutes responsible disclosure has been running for some 20 years, with no end in sight. It is not difficult to see why: passionate researchers are always on the hunt for bugs, vendors vary widely in how quickly (and whether) they fix what is reported, and both sides have reputations to build and preserve.

To understand the best approach to responsible disclosure, it is important for CISOs to first appreciate how controversy arises. The most common cause is where technical details of a vulnerability are published before a fix is available or widely adopted, particularly when accompanied by easily reusable proof-of-concept exploit code.

On the one side are those who consider the researchers to be acting irresponsibly by enabling real attackers and drawing attention to issues. On the other side are those who consider such disclosure to be in the public interest – helping product users to make informed decisions and implement their own detections and mitigations in the absence of a vendor patch or fix.

The most mature software providers face a lot of public scrutiny around how responsive and responsible their disclosure and remediation efforts are.

This debate will no doubt continue to rage on. But when you look at many of the controversial full disclosures that have happened over the years, communication, or lack of it, is at the root. Clearly setting out the rules of engagement goes a long way to improving things.

For example, although 90 to 120 days is widely regarded as a reasonable maximum period in which to remediate before facing public disclosure (Google Project Zero's Policy and disclosure: 2021 edition sets a 90-day fix deadline, followed by a 30-day window for users to adopt the patch before technical details are published), we have seen numerous cases where it has taken a year or more for an organisation to provide a full fix for a reported bug.

This is particularly the case with less mature companies, especially those deploying internet of things (IoT) devices that are hard to update and rely heavily on third-party component or software providers to provide a fix that can then be integrated into their product.

The good news is that things are much clearer than they used to be for the typical CISO, especially those working for firms not engaged primarily in software development.

There is a wide range of good-practice guidance and standards available, such as the NCSC's Vulnerability Disclosure Toolkit (ncsc.gov.uk) and ISO/IEC 29147:2018, Information technology – Security techniques – Vulnerability disclosure. These give CISOs and security managers clear advice on how to establish communication channels and set expectations. CISOs can publish the resulting policy on their organisation's website, and make it easier to find by adopting the emergent security.txt standard (securitytxt.org; a proposed standard at the time of writing, since published as RFC 9116): a plain-text file served at /.well-known/security.txt that lists the contact channel, a link to the policy and an expiry date after which the file should be re-reviewed.
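A security.txt file is only useful if researchers' tooling accepts it, so it is worth validating before it goes live. The following Python validator is an added example, not code from the original article or from any NCSC or securitytxt.org tooling; the sample file, the example.com domain and the addresses in it are constructed placeholders. It applies the RFC 9116 rules practitioners most often get wrong: Contact and Expires are mandatory, Expires must be a future RFC 3339 timestamp (the RFC recommends less than a year out, so the file is revisited), Expires and Preferred-Languages may appear only once, web URIs must use https, and Canonical must point at the well-known path.

```python
"""Validate a security.txt file before publishing it (added example).

Checks the RFC 9116 rules a researcher's tooling will apply. The sample
file below is constructed; example.com is a placeholder domain.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample, as it would be served from
# https://example.com/.well-known/security.txt (placeholder domain).
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contacts for example.com (placeholder)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2031-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://example.com/security-policy
Acknowledgments: https://example.com/hall-of-fame
Canonical: https://example.com/.well-known/security.txt
"""

# Fixed clock so the demo and its checks are reproducible.
DEMO_NOW = datetime(2030, 6, 1, tzinfo=timezone.utc)

REQUIRED = {"contact", "expires"}
SINGLE_USE = {"expires", "preferred-languages"}
HTTPS_ONLY = {"acknowledgments", "canonical", "hiring", "policy"}
CONTACT_SCHEMES = {"https", "mailto", "tel"}
WELL_KNOWN_PATH = "/.well-known/security.txt"


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return {field name (lowercased): [values]}, skipping comments and blanks."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return the list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems: list[str] = []

    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required field: {name}")
    for name in sorted(SINGLE_USE & set(fields)):
        if len(fields[name]) > 1:
            problems.append(f"{name} must appear only once")

    for value in fields.get("contact", []):
        if urlparse(value).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact must be an https, mailto or tel URI: {value}")
    for name in sorted(HTTPS_ONLY & set(fields)):
        for value in fields[name]:
            if urlparse(value).scheme != "https":
                problems.append(f"{name} must be an https URI: {value}")
    for value in fields.get("canonical", []):
        if not urlparse(value).path.endswith(WELL_KNOWN_PATH):
            problems.append(f"Canonical should end in {WELL_KNOWN_PATH}: {value}")

    if len(fields.get("expires", [])) == 1:
        try:
            expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an RFC 3339 timestamp")
        else:
            if expires.tzinfo is None:
                problems.append("Expires must carry a timezone (use Z or an offset)")
            elif expires <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif expires - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT, now=DEMO_NOW) or ["ok"]:
        print(problem)
```

Run it against the file you are about to publish; anything it prints is something a researcher's scanner will also notice, and a stale Expires is the most common reason an otherwise good file is ignored.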

Bug bounties also make it simple for organisations to proactively solicit bug submissions from public researchers. However, they are intended to supplement, rather than replace, a well-organised and structured security assurance programme. They should also be accompanied by investment in teams to triage and promptly resolve inbound bugs; a bounty that attracts reports nobody answers creates exactly the communication gap that leads to full disclosure.

Adopting the above points should make it easy for a security researcher to find out where to report vulnerabilities and help to reduce the chance that vulnerability reports will end up lost in an unmonitored mailbox. They would also set expectations around how long a fix will take and whether the researcher can expect a reward or acknowledgement for reporting an issue.

Most researchers will wait before publicising vulnerabilities if the organisation can be contacted, is responsive and provides regular updates signifying that it is progressing with a fix.
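The deadline arithmetic in the 90-to-120-day discussion above, and the update cadence that stops a researcher from publishing early, are easy to lose track of once a case drags on for months. The following Python tracker is an added example, not code from the original article or from Project Zero; its policy numbers (a 90-day deadline, a 14-day grace period when a patch date is committed, a 30-day adoption window before technical details go out, and an update expected every 14 days) are illustrative assumptions that a programme would replace with its own published terms, and the case dates are constructed.

```python
"""Track a coordinated-disclosure case against a published policy (added example).

The policy numbers are illustrative assumptions, not any vendor's or
reporter's actual terms; plug in the ones your programme publishes.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    deadline_days: int = 90       # fix within this or face disclosure
    grace_days: int = 14          # extra time only if a patch date is committed
    adoption_days: int = 30       # hold technical details while users patch
    update_every_days: int = 14   # expected cadence of vendor progress updates


@dataclass
class Case:
    reported: date                       # day the vendor received the report
    patch_expected: date | None = None   # ship date the vendor has committed to
    patched: date | None = None          # day the fix actually shipped
    last_vendor_update: date | None = None


def case_from_iso(reported: str, patch_expected: str | None = None,
                  patched: str | None = None, last_vendor_update: str | None = None) -> Case:
    """Build a Case from ISO-8601 date strings (convenient for CLI or test input)."""
    def conv(s: str | None) -> date | None:
        return date.fromisoformat(s) if s else None
    return Case(conv(reported), conv(patch_expected), conv(patched), conv(last_vendor_update))


def disclosure_deadline(case: Case, policy: Policy = Policy()) -> date:
    """Day the reporter may go public if no fix has shipped."""
    deadline = case.reported + timedelta(days=policy.deadline_days)
    grace_end = deadline + timedelta(days=policy.grace_days)
    # Grace applies only when the vendor commits to a date inside the grace window.
    if case.patch_expected and deadline < case.patch_expected <= grace_end:
        return case.patch_expected
    return deadline


def details_public_date(case: Case, policy: Policy = Policy()) -> date:
    """Day full technical details (and any PoC) may be published."""
    deadline = disclosure_deadline(case, policy)
    if case.patched is None or case.patched > deadline:
        return deadline                       # no fix, or the fix missed the deadline
    return case.patched + timedelta(days=policy.adoption_days)


def status(case: Case, today: date | str, policy: Policy = Policy()) -> list[str]:
    """Flags the security team should act on as of `today`."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    deadline = disclosure_deadline(case, policy)
    flags: list[str] = []
    if case.patched is not None:
        flags.append(f"patched {case.patched}; technical details may be published "
                     f"{details_public_date(case, policy)}")
        return flags
    if today > deadline:
        flags.append(f"deadline {deadline} passed {(today - deadline).days}d ago; "
                     "publication is consistent with the policy")
    else:
        flags.append(f"{(deadline - today).days}d left until deadline {deadline}")
    # Silence is what turns a coordinated disclosure into a full disclosure.
    last = case.last_vendor_update or case.reported
    silent = (today - last).days
    if silent > policy.update_every_days:
        flags.append(f"vendor silent for {silent}d (expected an update every "
                     f"{policy.update_every_days}d); chase before the deadline")
    return flags


if __name__ == "__main__":
    case = case_from_iso("2021-10-19", patch_expected="2022-01-25")  # constructed dates
    for line in status(case, "2021-11-15"):
        print(line)
```

The same logic serves both sides of the table: a vendor's security team can run it to see when it is about to breach its own published promise, and a reporter can use it to document that the grace period was offered and the update cadence was not met before going public.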

Alongside this, CISOs and security teams are well advised to keep a close eye on high-profile public disclosures and industry news, so they are aware of the latest unpatched or actively exploited vulnerabilities and can respond quickly when something beyond the standard patch management cycle is needed.

In summary, there are now plenty of tools and guidance available to equip CISOs to handle vulnerability disclosure well. Most people reporting genuine vulnerabilities have good intentions – clear communication and good administration of any disclosure programme is the key to minimising issues. Anything that helps strengthen security and protects companies from real malicious hackers must be a good thing and should be embraced by CISOs.

Tags: approach, CISOs, disclosure, responsible