Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Building Security in Maturity Model Includes Bug-Bounty Programs

    By
    Sean Michael Kerner
    -
    October 30, 2013
    Share
    Facebook
    Twitter
    Linkedin
      security

      How do some of the best organizations in the world deliver and provide security for their own enterprises? That’s a question that the annual Building Security in Maturity Model (BSIMM) aims to answer. The fifth iteration of the model is now out and adds just a single new practice to what last year’s BSIMM advocated.

      Jacob West, CTO for enterprise security products at Hewlett-Packard, is a co-author of the 2013 BSIMM and explained to eWEEK that the new 2013 model includes 112 best-practice activities for security. The single new activity added this year is a recommendation for organizations to have a bug-bounty program. These bug-bounty programs encourage security researchers to responsibly disclose software vulnerabilities, and in return, vendors provide rewards.

      HP is no stranger to the world of bug-bounty programs as it runs the Zero-Day Initiative (ZDI), which buys vulnerabilities from researchers. ZDI also runs the annual Pwn2own competition, which rewards researchers for demonstrated zero-day flaws during a live event.

      While the ZDI effort is vendor-agnostic, internal vendor programs are a complementary effort, West said, adding that the real challenge is the large gray market in which vulnerabilities are not responsibly disclosed to vendors and instead are sold on the open market.

      “Vendor-led bug-bounty programs are an important counter-balance to the gray market,” West said. “As an industry, we need to keep as many unknown vulnerabilities out of the hands of the potential bad guys as possible.”

      The BSIMM isn’t just a checklist of security items that an organization should have, it also attempts to measure the maturity level of security practices. West said that simply having a bug-bounty program is a relatively mature practice to begin with.

      “The purview of the bug-bounty program is one sign of maturity,” West said. “Some vendors will create a bug-bounty program for a single product and don’t apply the program to other programs, so scope is a key indicator of maturity.”

      Another key attribute of a mature bug-bounty program is that it is well-funded. Researchers are spending a lot of time to find vulnerabilities, and it’s important that they are rewarded properly, West said.

      Yahoo recently was publicly berated for offering security researchers T-shirts as a reward for vulnerability disclosures. Yahoo is now moving toward a fully funded bug-bounty program.

      It’s also important for organizations to have an internal ability to actually understand and analyze the submissions that are coming in from security researchers.

      “You really need to have folks on your team that are used to reverse-engineering and vulnerability discovery,” West said. “Having the internal expertise to fill in the other half of the equation for the security researchers is critical, or else you won’t get the maximum value out of the bug-bounty program.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×