
COALITION LAUNCHES SURVEYS TO INVESTIGATE PERSPECTIVES ON VULNERABILITY DISCLOSURE AND HANDLING

Calls for Public Participation from Technology Providers, Operators, and Security Researchers 

Issued by Rapid7 on behalf of Awareness and Adoption Group – A coalition of cybersecurity experts participating in a program to promote greater understanding and adoption of best practices for security vulnerability disclosure and handling today launched two surveys to investigate awareness of and perspectives on the issue. The coalition is made up of members of the “Awareness and Adoption Group” participating in a multistakeholder process on vulnerability disclosure and handling, which is being convened by the National Telecommunications and Information Administration (NTIA).

As software and technology systems become more advanced and complex, their potential to contain issues that negatively impact users increases. Such issues, known as vulnerabilities, may also create opportunities for malicious attackers. Vulnerabilities are often found and addressed during the development, and prior to the market release, of software and technology systems, but testing for everything is impossible. As a result, vulnerabilities may still be found in products and online services, either through intentional investigation or accidental discovery. In both situations, a clear path for security researchers or discoverers to disclose their findings to technology developers, manufacturers, and service providers helps to resolve issues without exposing users to undue risk. A clear path is often part of a “vulnerability handling” policy, process, or program.

While much work has previously been undertaken to develop best practices for vulnerability disclosure and handling – resulting in two International Organization for Standardization (ISO) standards, ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes) – adoption of these practices is not yet widespread. The Awareness and Adoption Group wants to understand how broad adoption of vulnerability disclosure and handling policies and practices is, including in various industry sectors and among researchers and organizations in different working contexts. Where there are barriers to adoption, the Group seeks to identify what they may be and to develop responsive guidance.

The Group is investigating these issues by surveying the main stakeholder groups involved: technology providers and operators, who may receive reports about potential vulnerabilities; and security researchers, who may report potential vulnerabilities to technology providers and operators. Anonymized information will be gathered through two short (less than 10 questions each) surveys online. The resulting data will be aggregated and analysed for a report that will be issued to the public later in 2016. Based on the findings, the report will recommend actions to increase adoption of vulnerability disclosure and handling best practices.

“Ultimately our goal is to help make everyone safer; given the trust we place in technology in every area of our lives, it’s important to understand that vulnerabilities can have a negative impact on people’s safety and identity, as well as reaching a scale of national security or economic stability,” said Jen Ellis, Vice President of Community and Public Affairs at Rapid7, and co-chair of the Awareness and Adoption Group. “Addressing this requires open collaboration between researchers and technology providers and operators, and we believe that a strategic and thoughtful approach to vulnerability disclosure and handling is a very important element of this.”

“We hope that people will approach these surveys in a spirit of openness so we can understand real world perspectives and make appropriate recommendations,” said Amanda Craig, Senior Cybersecurity Strategist at Microsoft, and co-chair of the Awareness and Adoption Group. “There has traditionally been a perception of a somewhat adversarial relationship between researchers and technology providers and operators. We want to move past this, and the common assumptions it engenders, to understand current experience with, and perspectives on, vulnerability disclosure and handling. It’s only by understanding what’s really happening that we can make meaningful recommendations for increasing adoption of best practices.”

The surveys can be accessed as follows:

Technology providers and operators: https://www.surveymonkey.com/r/techprovider
Security researchers: https://www.surveymonkey.com/r/securityresearcher
The surveys, which were developed by the stakeholders rather than by NTIA, are live now and will be available online until April 30th 2016.

The Awareness and Adoption Group includes representatives from technology providers, the security research community, civil liberties groups, and others involved or interested in the vulnerability disclosure and handling lifecycle. Members include: The Center for Democracy and Technology, CERT Coordination Center, Dino Dai Zovi (security researcher), HackerOne, Katie Moussouris (co-editor of ISO 29147 & ISO 30111), Microsoft, Neal Krawetz (security researcher), New America’s Cybersecurity Initiative, Rapid7, and SAP.

Global Banking & Finance Review
