The Cybersecurity Law Report

By Topic: Vulnerability Testing

  • From Vol. 4 No.37 (Nov. 7, 2018)

    WhiteHat Report on the Software Lifecycle and Visa Bug Bounty Program Demonstrate the Need for Greater App Security

    Security programs need to be aligned closely with the software development cycle, WhiteHat Security’s 2018 Application Security Statistics Report reveals. Software is reused 70 percent of the time and vulnerabilities in reused software persist in the new application. Penetration testing to detect and mitigate the risk of these vulnerabilities would be beneficial but difficult. However, a carefully managed bug bounty program can provide flexibility of scope that allows for testing on all of those applications so companies can get as close as possible to complete asset coverage. The Cybersecurity Law Report analyzes the results of the statistics report and discusses Visa’s experience using a private bug bounty program as covered in a recent webinar. See also “Proactive Steps to Prevent Legal Pitfalls in Bug Bounty Programs” (Apr. 5, 2017) and “How to Establish and Manage a Successful Bug Bounty Program” (Mar. 22, 2017).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    Financial Firms Must Supervise Their IT Providers to Avoid CFTC Enforcement Action

    The CFTC recently announced a settlement with futures firm AMP Global Clearing LLC (AMP), which had tens of thousands of client records compromised after its IT vendor unknowingly installed a backup drive on AMP’s network that included an unsecured port. The settlement order requires AMP to cease and desist from future violations, pay a civil penalty of $100,000 and report to the CFTC for the next year on its efforts to improve its digital security. “As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system,” said CFTC Director of Enforcement James McDonald. In particular, it is a reminder of the importance of monitoring third-party service providers. In this article, we analyze the case and relevant remedial steps AMP agreed to take. For more from the CFTC, see “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    How to Outsource Vulnerability Assessments to Hackers

    Outsourcing certain cyber problems to the very individuals who are capable of exploiting them might be the most cost-effective way for an organization to protect its network. Hiring hackers can be a delicate process, however, and determining whether their intentions are good even more so. Crowdsourcing platforms can set up bug bounties for clients and provide various levels of screening and oversight to make sure these sorts of sensitive projects proceed smoothly. The Cybersecurity Law Report spoke to Lisa Wiswell, an advisor to the San Francisco crowdsourcing platform HackerOne, about using hackers in this way and about her experience leading the Hack the Pentagon project. See also “How to Establish and Manage a Successful Bug Bounty Program” (Mar. 22, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    Audit of Websites’ Security, Privacy and Consumer Practices Reveals Deficiencies Despite Overall Progress

    Email authentication and adequate privacy are among key challenges for the financial sector, according to a recent audit by the Online Trust Alliance. Its 2017 Online Trust Audit & Honor Roll, an annual benchmarking analysis about security standards, privacy practices, and consumer protection, evaluates approximately 1,000 websites with over 60 criteria taking into consideration the evolving threat landscape, regulatory environment and globally accepted practices. With its goal of pushing companies past compliance to “stewardship,” the Audit results serve as a benchmarking tool for companies to compare their own practices against OTA’s list of best practices, Jeff Wilbur, Director of the Online Trust Alliance Initiative at the Internet Society, told The Cybersecurity Law Report. With commentary from Wilbur, we explore the Audit’s results and recommended best practices. See also “Surveys Show Cyber Risk Remains High for Financial Services Despite Preventative Steps” (Jun. 28, 2017).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    How to Establish and Manage a Successful Bug Bounty Program

    Bug bounty programs – paying a researcher who has found a “bug” in a company’s system – can be effective at mitigating cybersecurity risk, but they must be implemented and managed carefully lest they be abused and backfire. Cassio Goldschmidt, vice president in Stroz Friedberg’s cyber resilience practice, spoke to The Cybersecurity Law Report about the steps to take to establish a bug bounty program, including the measures that should be in place prior to launching it, and how to best manage a successful program. See also “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).
