Public security incidents continue to plague software companies, and each public event brings with it a loss of reputation, customer confidence, and even market cap. We've all read headline after headline about vulnerabilities found in products with a PR quote from the software vendor saying they will issue a software update; but what happens leading up to the public disclosure? Who is working at the software vendor ensuring customers are safe?
We will go behind the scenes of a Product Security Incident Response Team (PSIRT) including definition of a PSIRT, its responsibilities, vulnerability lifecycles, emergency response events, customer support, researcher outreach, and other PSIRT duties. The talk will provide examples of the type of reports that PSIRT teams deal with on a daily basis, including reports from traditional end users, enterprise customers, researchers, and other sources.
The value of a PSIRT will be highlighted, with recommendations on how to get started if your organization is looking to build one, and thoughts on the various struggles associated with the endeavor.
Tyler works at BlackBerry Product Security as a Security Program Manager. His focus areas include the SDLC, sustained engineering, and vulnerability and risk management across multiple operating systems. Tyler is currently researching pre-acquisition and post-acquisition security processes. In the past, Tyler has been responsible for vetting malware submitted to mobile app stores and for ensuring that users are properly informed of the privacy risks posed by mobile applications and mobile ad packages, including issuing industry-first privacy notices to users of an app store.