Building Security in Maturity Model Includes Bug-Bounty Programs

The fifth iteration of these best practices for security frameworks adds a critical new component that few organizations have today.


How do some of the best organizations in the world deliver and provide security for their own enterprises? That's a question that the annual Building Security in Maturity Model (BSIMM) aims to answer. The fifth iteration of the model is now out and adds just a single new practice to what last year's BSIMM advocated.

Jacob West, CTO for enterprise security products at Hewlett-Packard, is a co-author of the 2013 BSIMM and explained to eWEEK that the new 2013 model includes 112 best-practice activities for security. The single new activity added this year is a recommendation for organizations to have a bug-bounty program. These bug-bounty programs encourage security researchers to responsibly disclose software vulnerabilities, and in return, vendors provide rewards.

HP is no stranger to the world of bug-bounty programs as it runs the Zero-Day Initiative (ZDI), which buys vulnerabilities from researchers. ZDI also runs the annual Pwn2own competition, which rewards researchers for demonstrated zero-day flaws during a live event.

While the ZDI effort is vendor-agnostic, internal vendor programs are a complementary effort, West said, adding that the real challenge is the large gray market in which vulnerabilities are not responsibly disclosed to vendors and instead are sold on the open market.

"Vendor-led bug-bounty programs are an important counter-balance to the gray market," West said. "As an industry, we need to keep as many unknown vulnerabilities out of the hands of the potential bad guys as possible."

The BSIMM isn't just a checklist of security items that an organization should have, it also attempts to measure the maturity level of security practices. West said that simply having a bug-bounty program is a relatively mature practice to begin with.

"The purview of the bug-bounty program is one sign of maturity," West said. "Some vendors will create a bug-bounty program for a single product and don't apply the program to other programs, so scope is a key indicator of maturity."

Another key attribute of a mature bug-bounty program is that it is well-funded. Researchers are spending a lot of time to find vulnerabilities, and it's important that they are rewarded properly, West said.

Yahoo recently was publicly berated for offering security researchers T-shirts as a reward for vulnerability disclosures. Yahoo is now moving toward a fully funded bug-bounty program.

It's also important for organizations to have an internal ability to actually understand and analyze the submissions that are coming in from security researchers.

"You really need to have folks on your team that are used to reverse-engineering and vulnerability discovery," West said. "Having the internal expertise to fill in the other half of the equation for the security researchers is critical, or else you won't get the maximum value out of the bug-bounty program."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.