Thursday, July 11, 2013

Bay Area OWASP Meeting - July 11th

OWASP Bay Area Meeting - Thursday, July 11th
6:00 - 6:15 An Empirical Study of Vulnerability Rewards Programs, Devdatta Akhawe
6:15 - 7:15 "Putting Your Robots to Work", Twitter Security Team

When: Thursday, July 11, 2013 from 5:30 PM to 8:30 PM (PST)
Location: Room 150, University Hall, UC Berkeley.
The room is to the immediate left after entering the building from Addison street at ground level (not basement level).
For driving/public-transit directions, look up: 2199 Addison St., Berkeley, CA, 94720
No RSVP Required
Details:
5:30 - 5:45 Social gathering
5:45 - 6:00 Welcome (Cory Scott) / OWASP Update (Sarah Baso)
6:00 - 6:15 An Empirical Study of Vulnerability Rewards Programs, Devdatta Akhawe
6:15 - 7:15 "Putting Your Robots to Work", Twitter Security Team
Getting There:
BART: The "Downtown Berkeley" BART station is two blocks away.
Parking: It's Summer, and metered street parking is available nearby.
Paid off-street parking is also available. One street south on Center street, the Bank of America lot is cheap but small, and there is a large lot on Alston street between Shattuck and Milvia.


-Michael Coates - @_mwc

Wednesday, July 10, 2013

Study Confirms - Bug Bounties Provide Cost Effective Value

Bug bounties are all the rage today. Mozilla started the first major bounty program in 2004 for Firefox and later added critical websites in 2010, Chrome joined in 2010, Facebook in 2011 and even Microsoft has come around recently in June, 2013.


In addition to bounties offered directly through a specific company, there are other programs like HP's ZDI, and also a new on-demand approach to bug bounties for any company offered by BugCrowd.

But, are bug bounties worth the time to manage, foster the research community, and the cost of the rewards? As someone who has been deeply involved in Mozilla's bounty program my answer has always been a resounding yes.

My opinion aside, I'm happy to now also draw attention to a Berkeley Study from Matthew Finifter, Devdatta Akhawe, and David Wagner titled An Empirical Study of Vulnerability Rewards Programs.

A few select quotes from the study:

On cost & value:

Both programs appear economically efficient, comparing favorably to the cost of hiring full-time security researchers. (pg 1)
We find that VRPs appear to provide an economically efficient mechanism for finding vulnerabilities, with a reasonable cost/benefit trade-off (Sections 4.1.1 and 4.1.6). (pg 6)

Benefits of a bug bounty program:
VRPs offer a number of potential attractions to software vendors. Offering adequate incentives entices security researchers to look for vulnerabilities, and this increased attention improves the likelihood of finding latent vulnerabilities.

Second, coordinating with security researchers allows vendors to more effectively manage vulnerability disclosures, reducing the likelihood of unexpected and costly zero-day disclosures. Monetary rewards provide an incentive for security researchers not to sell their research results to malicious actors in the underground economy or the gray world of vulnerability markets.

Third, VRPs may make it more difficult for black hats to find vulnerabilities to exploit. Patching vulnerabilities found through a VRP increases the difficulty and therefore cost for malicious actors to find zero-days because the pool of latent vulnerabilities has been diminished. Additionally, experience gained from VRPs (and exploit bounties [23,28]) can yield improvements to mitigation techniques and help identify other related vulnerabilities and sources of bugs.
Finally, VRPs often engender goodwill amongst the community of security researchers. Taken together, VRPs provide an attractive tool for increasing product security and protecting customers. (pg 1)

Lastly, I presented on bug bounty programs for websites a few years back at OWASP AppSecUSA. My slides from that talk can be found on slideshare.

-Michael Coates - @_mwc

Tuesday, July 9, 2013

The Cost of a Data Breach

The 2013 Cost of Data Breach Study (pdf report) was just recently released from Ponemon and Symantec. There's lots of interesting data within the report.

Here are my initial impressions from the report:

Cost per Record Breached - $42 - $199
That's quite a range, but certainly a good number to use when considering the potential costs of a breached data store versus the cost of implementing defensive/mitigating controls.

Strong Security Posture, CISO, and Incident Management Plans drive down costs
It makes intuitive sense that a mature security program, C-level commitment to security (via a CISO), and good incident planning would result in lower breach costs. It's good to see this captured within the report with data points to back it up.

Human Error, Malicious Attacks and IT System Glitches represent nearly equal threats for data loss
Although the report states "Malicious or criminal attacks are most often the cause of data breach globally", the numbers show the three root causes to be close to evenly distributed.
  • Human factor - 35%
  • System glitch - 29%
  • Malicious or criminal attack - 37%
From my perspective it seems the highest ROI may be to first address the human factor and the somewhat nebulous category of "system glitch". I of course wouldn't discount addressing the malicious attacker too, but walk before you run. If you are disclosing data due to employee and system errors then that's a good place to start first.


I hope to dive deeper into the report over the coming days and also compare the findings with other recent benchmarks and studies from this year.

-Michael Coates - @_mwc