How to build a vulnerability response plan: 6 tips

Cybersecurity vulnerabilities continue to increase, and automated scanners can't always detect the most critical ones, according to Bugcrowd.


The total number of security vulnerabilities reported increased 92% over the last year, according to Bugcrowd's report Priority One: The State of Crowdsourced Security in 2019, released Thursday. 

The top five vulnerability classes discovered by security researchers were broken access control, sensitive data exposure, server security misconfiguration, broken authentication and session management, and cross-site scripting. Most of these are difficult or impossible for automated tools to detect reliably, because they depend on understanding what a given application is supposed to allow.


While automated security scanners can detect bugs such as XSS, CSRF, and SSI, security professionals and researchers are often needed to find more critical issues, the report stated. Many companies are also turning to bug bounty programs to help detect major vulnerabilities before cybercriminals do. 

"We often refer to a vulnerability disclosure program as a neighborhood watch for the internet," the report stated. "Still, having a channel to receive vulnerability submissions from external researchers also requires a way to respond to these submissions."

Here are six tips for building out a vulnerability response program, according to Bugcrowd: 

1. Take all reports seriously

Security teams must pay attention to researcher security reports and alerts from both inside and outside the company. "Take all reports seriously until you're 100% clear on impact," the report stated. "There has been no shortage of misunderstood findings that take a while to understand. Be open and willing to have a conversation to completely understand what's being reported, and why."

2. Think beyond filing a ticket

Once a critical issue has been identified, IT and security professionals must make sure it is remediated in a timely manner. "Critical findings should never get lost in the backlog, and security is no place for politics to endanger the trust of your end users," the report stated. "This is another valuable place where proper security training comes into play. If the entire organization is aware of the risk and is on board with security being a priority, then it makes it a lot easier to get things fixed more quickly."

3. Show appreciation

Thank and reward the person who reported the vulnerability, and communicate to them that they are valued. 

4. Validate the fix

Engineers often don't fully understand what they are fixing. "Be sure the fix is sufficient, try to break it, review the code, and send it back if it's incomplete," the report recommended. 
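As an added example (this is not code from Bugcrowd's report or from the article), here is what "try to break it" can look like for the most-reported class above, broken access control. The scenario is constructed: a researcher reports that any logged-in user can read another user's invoice by changing the id in the request. The first attempt at a fix adds an owner check only to the handler the researcher demonstrated, leaving the delete handler exploitable. The retest replays the reported attack against every handler that touches invoices and returns the ones that still let it through, which is the signal for sending the fix back. All names (`Invoice`, `view_invoice_v1`, `load_owned_invoice`, and so on) and the sample data are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: float


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the invoice."""


def sample_store() -> Dict[int, Invoice]:
    # Constructed data standing in for a database table:
    # invoice 1 belongs to user 100, invoice 2 to user 200.
    return {
        1: Invoice(1, owner_id=100, total=42.0),
        2: Invoice(2, owner_id=200, total=99.5),
    }


# --- First attempt at a fix (hypothetical): the owner check was added only
# --- where the researcher demonstrated the bug, the "view" handler.
def view_invoice_v1(store: Dict[int, Invoice], user_id: int, invoice_id: int) -> float:
    inv = store[invoice_id]
    if inv.owner_id != user_id:
        raise Forbidden()
    return inv.total


def delete_invoice_v1(store: Dict[int, Invoice], user_id: int, invoice_id: int) -> bool:
    del store[invoice_id]  # no owner check: the same report still applies here
    return True


# --- Complete fix: every handler obtains the invoice through one authorising
# --- loader, so there is no code path that can skip the check.
def load_owned_invoice(store: Dict[int, Invoice], user_id: int, invoice_id: int) -> Invoice:
    inv = store.get(invoice_id)
    if inv is None or inv.owner_id != user_id:
        # Same error for "does not exist" and "not yours", so a caller cannot
        # tell valid foreign ids apart from unused ones.
        raise Forbidden()
    return inv


def view_invoice_v2(store: Dict[int, Invoice], user_id: int, invoice_id: int) -> float:
    return load_owned_invoice(store, user_id, invoice_id).total


def delete_invoice_v2(store: Dict[int, Invoice], user_id: int, invoice_id: int) -> bool:
    load_owned_invoice(store, user_id, invoice_id)
    del store[invoice_id]
    return True


Handler = Callable[[Dict[int, Invoice], int, int], object]

ATTACKER_ID = 100   # legitimate owner of invoice 1
VICTIM_INVOICE = 2  # owned by user 200


def retest_fix(handlers: Dict[str, Handler]) -> List[str]:
    """Replay the reported attack (user 100 targets invoice 2) against every
    handler. Returns the names of handlers that still let it through; an
    empty list means the fix holds for all of them."""
    still_broken: List[str] = []
    for name, handler in handlers.items():
        store = sample_store()  # fresh copy per probe so deletes do not leak
        try:
            handler(store, ATTACKER_ID, VICTIM_INVOICE)
        except Forbidden:
            continue
        still_broken.append(name)
    return still_broken


def owner_still_works(handlers: Dict[str, Handler]) -> bool:
    """The fix must not break the legitimate path: the owner of invoice 1
    can still use every handler on it."""
    for handler in handlers.values():
        store = sample_store()
        try:
            handler(store, ATTACKER_ID, 1)
        except Forbidden:
            return False
    return True


if __name__ == "__main__":
    first_try = {"view": view_invoice_v1, "delete": delete_invoice_v1}
    complete = {"view": view_invoice_v2, "delete": delete_invoice_v2}
    print("first try, still exploitable via:", retest_fix(first_try))
    print("complete fix, still exploitable via:", retest_fix(complete))
    print("owner access intact:", owner_still_works(complete))
```

The point of the retest is that it is written from the researcher's report, not from the patch: it asks "can the reported actor still reach the reported object through any route?" rather than "does the changed line now check ownership?". Keeping it as a permanent regression test also catches the next handler someone adds without going through the loader.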

5. Inform the researcher

Once an issue is fixed, let the researcher know. They may retest and find another way to reach the same issue that your team hadn't considered. 

6. Increase your scope and rewards

If you've avoided a major issue thanks to the work of a security researcher or bug bounty program, consider investing more in crowdsourced programs to help identify problems before they are exploited in the wild. 


By Alison DeNisco Rayome

Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.