You've received vulnerability reports in your application or product, now what? On the positive side, there is an abundance of incident response guidance for network security, and a number of companies have published their Product Security Incident Response Team (PSIRT) process for customers at a high level. Yet there is a dearth of detailed resources on how to implement PSIRT processes for organizations that have reached Stage 7 of the SDL process (Response). To not only build but also maintain secure products, organizations need to create mechanisms that enable their incident response teams to receive and respond to product incident reports, effectively partnering with development teams, customer support, and communications teams.
This session will be targeted at small to medium companies that have small or overstretched security teams, and will share content and best practices to support these teams' product incident response programs. Attendees will be provided with templates and actionable recommendations based on successful best practices from multiple mature security response organizations.
With over 13 years' experience in the information security industry, specializing in application security incident response and investigations, Kymberlee Price got her start by pioneering the first security researcher outreach program in the software industry at Microsoft. Kymberlee was later a principal investigator in the Zotob criminal investigation, and analyzed APTs at Microsoft. She then spent 4 years investigating product vulnerabilities in BlackBerry's Security Response Team. Today at Bugcrowd, she is responsible for directing the efforts of Bugcrowd's more than 28,000 Crowd members in web application, mobile application, IoT and host infrastructure penetration testing, as well as optimizing vulnerability reporting performance for customers and researchers. Kymberlee co-chairs the Department of Commerce NTIA Working Group on Multi-Party Vulnerability Disclosure and speaks regularly on vulnerability management and product incident response best practices at venues including Black Hat USA, RSA, Kaspersky Security Analyst Summit, Nullcon, and Metricon.