Building a Product Security Incident Response Team: Learnings from the Hivemind

Presented at Black Hat USA 2016, Aug. 3, 2016, 5:30 p.m. (30 minutes).

You've received vulnerability reports in your application or product, now what? As a positive, there is an abundance of incident response guidance for network security and a number of companies that have published their Product Security Incident Response Team (PSIRT) process for customers at a high level. Yet there is a dearth of detailed resources on how to implement PSIRT processes for organizations that have realized that Stage 7 of the SDL process (Response). To not only build but maintain secure products, organizations need to create mechanisms enabling their incident response teams to receive and respond to product incident reports, effectively partnering with development teams, customer support, and communications teams. This session will be targeted at small to medium companies that have small or overstretched security teams, and will share content and best practices to support these teams' product incident response programs. Attendees will be provided with templates and actionable recommendations based on successful best practices from multiple mature security response organizations.

Presenters:

  • Kymberlee Price - Bugcrowd
    With over 13 years' experience in the information security industry specializing in application security incident response and investigations, Kymberlee Price got her start by pioneering the first security researcher outreach program in the software industry at Microsoft. Kymberlee was later a principal investigator in the Zotob criminal investigation, and analyzed APT's at Microsoft. She then spent 4 years investigating product vulnerabilities in BlackBerry's Security Response Team. Today at Bugcrowd, she is responsible for directing the efforts of Bugcrowd's more than 28,000 Crowd members in web application, mobile application, IoT and host infrastructure penetration testing as well as optimizing vulnerability reporting performance for customers and researchers. Kymberlee co-chairs the Department of Commerce NTIA Working Group on Multi-Party Vulnerability Disclosure and is speaks regularly on vulnerability management and product incident response best practices including Black Hat USA, RSA, Kaspersky Security Analyst Summit, Nullcon, and Metricon.

Links:

Similar Presentations: