AiTLE Supporting : PISA Cloud Security Event ~ Developing a responsible disclosure program for SaaS CSPs

2015-01-14 - Developing a responsible disclosure program for SaaS CSPs

Organizer : Professional Information Security Association (PISA) – (ISC)2 Hong Kong Chapter
Topic : Developing a responsible disclosure program for SaaS CSPs
Date : 22 January 2015 (Thursday)
Time : 19:00 – 20:30
Venue : Rm 204, 2/F, Admiralty Centre, 18 Harcourt Road, Hong Kong
(access via the shopping arcade escalators through Exit A, Admiralty MTR Station).
Registration : https://www.eventbrite.com/e/developing-a-responsible-disclosure-program-for-saas-csps-tickets-15302836195

Outline
How will your organization respond when a 3rd party discovers a security vulnerability in your website or SaaS application? Is this a case for the legal department or should it be handed over to IT operations? You might be worried about reputation loss if the 3rd party decides to release details of the vulnerability to the public. Every organization offering SaaS services should have policies and processes in place to effectively resolve security vulnerability reports. Developing a responsible disclosure program will help you achieve that goal.
Once a program is established, organizations can mature their responsible disclosure policy and procedures by setting up a bug bounty program that invites 3rd parties to discover and report vulnerabilities in their service. This presentation describes how to develop a responsible disclosure program and explains best practices for working with security researchers, who are often very young.

Speaker bio
Since the end of 2012, Erik has been working as a security team lead for an innovative Hong Kong-based company offering cloud SaaS services. Before his relocation to Hong Kong, Erik worked for Cisco Systems, Shell, and various government agencies as a Unix and security contractor.