The total number of security vulnerabilities reported increased 92% over the last year, according to Bugcrowd’s report Priority One: The State of Crowdsourced Security in 2019, released Thursday.
The top five vulnerabilities discovered by security researchers were broken access control, sensitive data exposure, server security misconfiguration, broken authentication and session management, and cross-site scripting. Most of these are difficult or impossible for automated tools to detect.
While automated security scanners can detect bugs such as XSS, CSRF, and SSI, security professionals and researchers are often needed to find more critical issues, the report stated. Many companies are also turning to bug bounty programs to help detect major vulnerabilities before cybercriminals do.
“We often refer to a vulnerability disclosure program as a neighborhood watch for the internet,” the report stated. “Still, having a channel to receive vulnerability submissions from external researchers also requires a way to respond to these submissions.”
Here are six tips for building out an incident response program, according to Bugcrowd.
1. Take all reports seriously
Security teams must pay attention to researcher security reports and alerts from both inside and outside the company. “Take all reports seriously until you’re 100% clear on impact,” the report stated. “There have been no shortage of misunderstood findings that take a while to understand—be open and willing to have a conversation to completely understand what’s being reported, and why.”
2. Think beyond filing a ticket
Once a critical issue has been identified, IT and security professionals must make sure it is remediated in a timely manner. “Critical findings should never get lost in the backlog, and security is no place for politics to endanger the trust of your end users,” the report stated. “This is another valuable place where proper security training comes into play. If the entire organization is aware of the risk and is on board with security being a priority, then it makes it a lot easier to get things fixed more quickly.”
3. Show appreciation
Thank and reward the person who reported the vulnerability, and communicate to them that they are valued.
4. Validate the fix
Engineers often don’t fully understand what they are fixing. “Be sure the fix is sufficient, try to break it, review the code, and send it back if it’s incomplete,” the report recommended.
5. Inform the researcher
Once an issue is fixed, let the researcher know: they may suggest a more effective approach that your team hadn’t considered.
6. Increase your scope and rewards
If you’ve avoided a major issue thanks to the work of a security researcher or bug bounty program, consider investing more in crowdsourced programs to help identify problems before they are exploited in the wild.