Responsible Vulnerability Disclosure

Presented at Kiwicon 7: Cyberfriends (2013), Nov. 9, 2013, 2:45 p.m. (30 minutes)

Disclosing security vulnerabilities can be a dangerous business. While there are established systems for handling disclosures to most major software companies, the process for disclosing vulnerabilities to local organisations is far less discussed. As the discloser, there is always the chance that you will be accused of hacking and get a visit from the police merely for identifying an issue. As an organisation, you can find yourself on the front page of the news when someone goes public with an issue. This talk outlines the dilemmas faced when stumbling across that SQL injection in the local shopping site and proposes mechanisms for safely getting the right people told about it. It also discusses how organisations can make it more likely that security vulnerabilities are reported to them directly, rather than through the press, and what the NZITF is currently doing to try to make things better.

Presenters:

  • Ben Creet
    Ben Creet is a senior policy analyst in the Department of Internal Affairs' information and technology policy team. Ben has worked in the health, justice, and information technology portfolios and joined the New Zealand Internet Task Force in 2012. He is studying towards a Master's in Strategic Studies and leads the NZITF's Responsible Disclosure Working Group.
  • Nick von Dadelszen
    Nick von Dadelszen is the technical director at Lateral Security. Nick has been performing professional penetration testing for over 12 years and has managed several successful penetration testing teams. He has worked with the majority of large corporates and Government agencies in New Zealand and is a regular presenter at OWASP and Kiwicon conferences.
