Does your company have a website, or is it involved in online services? If yes, this article is for you.
We all know how important a website is for any business. In today's connected world, an entrepreneur cannot keep digital applications at arm's length from the business or organization; they bring countless benefits.
But everything has a dark side. What if YOUR WEBSITE GOT HACKED? Black hat hackers target websites with security loopholes, and often they have no definite purpose; they may do it for fun or just to show off.
Even an attack done just for show can lead to database loss and security breaches. So, once your customized website is built, a security audit should be your next step.
WHAT IS THE SECURITY AUDIT?
A security audit is the process of testing an application for security issues that could compromise it, for example through database loss or the execution of unauthorized commands.
If you own a startup or a business, you should get your website audited by cybersecurity researchers.
A security audit is performed by cybersecurity researchers who know bugs and vulnerabilities. They might be freelancers like me or run a company. They will scan deeply for vulnerabilities and report them to you so that your developer can fix them.
Developers and hackers are two different people with different tasks: the hacker detects the vulnerabilities, while the developer manages the patch. The auditor confirms each vulnerability and guides the developer through the fix.
Some companies now provide both services under one roof, but their charges are quite high. I would suggest going with freelancers instead of a company.
You don't need to panic. Here I'll discuss a step-by-step procedure to make your website safe for its users.
STEP BY STEP PROCEDURE
Now that you understand why security is important, it's time to act. Read this step-by-step guide to implement security on your digital assets.
#1: ANALYSING YOUR VIRTUAL ASSETS
Before approaching security researchers, you need to analyze your virtual assets: your website, mobile application or any other network you are using. Those are the basic assets; you could also include anything that requires user interaction.
By 'analyzing' I mean setting priorities and deciding whether a service really needs to be tested. Often a service isn't worth it: its compromise would cost the company nothing. Exclude such services from the list, as they would only increase your budget.
It's also possible that you aren't aware of some hidden assets, such as subdomains or form fields; the list can be quite long. As an entrepreneur you don't need to worry about that: finding them is the ethical hackers' job.
#2: SEARCHING FOR A SUITABLE FREELANCER
This is the most critical step. Since you'll be handing over credentials, you need to hire a genuine and experienced person, which is not an easy task. Here are some points to check before hiring a freelancer.
WHERE TO SEARCH
You can search for a freelancer on Facebook, Twitter, LinkedIn, etc. Go to a Facebook group related to bug bounty and post your requirement there. Please note: don't include your website name or address at this stage.
Include your e-mail address in the post so that they can contact you. You'll then start receiving leads; talk with them one by one and discuss the price quote. You can also talk to some companies so that they can give you a quotation for the work. Google the phrase "security audit company" and you will get relevant results nearby.
I hope you have found a suitable freelancer or company to start the work. If you face any issue, contact me at firstname.lastname@example.org and I'll help you out.
#3: FINALIZING THE AUDIT
Before handing over your valuable company details and credentials, give the auditor some guidelines and sign an agreement. Ask briefly which security issues they will cover. Once everything is decided between you and the auditor, it's time to go ahead: let them find the issues and report them to you.
With the above three steps you can get a basic audit done for your website. Ask for a report too. Now, do you think your website is 100% secure after this audit? Absolutely not. It's time to discuss the post-security-audit step.
RESPONSIBLE DISCLOSURE PROGRAM
A Responsible Disclosure Program is hosted by a company that gives security researchers permission to test their hacking skills on the company's assets, under defined rules and within a defined scope.
So, once you are done with a basic security audit, you can promote your Responsible Disclosure Program. It will help you find hidden bugs in your application. But launching a disclosure program is not so easy.
To launch an effective Responsible Disclosure Program you need to create a few guidelines for researchers.
GUIDELINES OF RESPONSIBLE DISCLOSURE PROGRAM
1- Define the program scope in a crystal-clear manner. The scope includes all the digital assets (website, mobile application, etc.) on which you want testing to be performed. You can exclude some subdomains if you think they aren't worth it.
2- Include a clear warning against automated testing. Automated testing is done with tools that send many requests in a short time and may harm your server.
3- Disallow testing for DDoS and rate-limiting vulnerabilities; the high number of simultaneous requests might crash your website.
4- Give more focus to business logic bugs. These don't require much technical knowledge to find, but they have a high impact on the business.
5- Give importance to each and every bug, because sometimes small bugs can be chained to exploit a big vulnerability.
6- Ask the researcher to avoid public disclosure, at least until the patch is out.
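One way to publish these guidelines where researchers will look for them is a security.txt file (RFC 9116) served at /.well-known/security.txt. The file below is an added example, not part of the original article; example.com, the URLs and the expiry date are placeholders, and the Acknowledgments line assumes you keep a wall of fame page.

```text
# Served at https://example.com/.well-known/security.txt (placeholder domain)
# Where researchers send reports: the e-mail address you publish for the program
Contact: mailto:security@example.com
# Required by RFC 9116: date after which this file is stale (constructed value,
# keep it less than a year out and refresh it)
Expires: 2026-12-31T23:59:00.000Z
# Page carrying the six guidelines: scope, no automated or DDoS testing,
# focus on logic bugs, no public disclosure before the patch
Policy: https://example.com/responsible-disclosure
# Wall of fame page for honorable mentions
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```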
From a security researcher you can expect a report with several parts. I have discussed each of them in detail below.
Following are the parts you can expect in a report:
- Name of vulnerability
- Impact of vulnerability
- Proof Of Concept (written, video format or both)
- Mitigation steps
NAME OF VULNERABILITY
This is the name of the vulnerability, like XSS, SQLi, etc. Some vulnerabilities are business-related issues and don't have a standard name; we may call them logical issues. They are specific to your website and may affect your business badly.
It's up to you to decide whether they really have an impact. Suppose a researcher managed to bypass the payment mechanism and ordered something for free. This sounds critical, but if you already do a manual check after payment, it won't count as that critical.
So it depends entirely on how your company works. But play it safe: always patch a vulnerability once it's detected. This minimizes the risk of attack.
IMPACT OF THE VULNERABILITY
Some vulnerabilities have standard impacts, while others have target-specific impacts. Standard impact means, for example, that if your website has an SQL injection vulnerability, the impact will be database theft or leakage, and this is the only impact of an SQL injection vulnerability.
The researcher may not write much about the impact of standard vulnerabilities. If your team doesn't understand it, they can ask the researcher. The impact will help you set priorities for applying the patch.
Target-specific impact, on the other hand, is limited to your website and is not general. In this case the researcher will provide a proper attack scenario to help you understand the vulnerability and its impact.
PROOF OF CONCEPT
A Proof of Concept, or POC, is a write-up or a video that confirms the existence of a vulnerability. This is the most important part of any bug bounty report. It can be an instructional write-up with a step-by-step procedure, or a video file.
The main purpose of a POC is to show the company how to reproduce the vulnerability and confirm its existence. If you can't reproduce it from the write-up, you can also ask for a video; that is perfectly fine.
MITIGATION STEPS
Mitigation steps are the procedure for removing the detected vulnerability from the application. You can expect the procedure from the researcher, but the fix itself will be applied by your developer.
If the report doesn't include them by default, you can ask for them. Many companies won't ask, as they have their own IT team, but if you don't have the resources, just ask the researcher.
POST DETECTION PROCESS
Once you have a valid vulnerability, you need to act quickly. The post-detection process may include:
- Reply to the researcher with an acknowledgement e-mail.
- Try to reproduce the vulnerability with the given steps.
- Reply by e-mail once the detection process is complete.
- Ask your developer to fix the issue ASAP.
- Once patched, ask the hacker whether they can still reproduce the issue.
- Finally, send a thank-you e-mail along with the reward.
HANDLING THE FALSE POSITIVES
Sometimes script kiddies get involved in bug bounty hunting and report invalid or false-positive issues. There is no way to prevent them; you need to handle them.
If you find a vulnerability invalid or a false positive, don't reply by calling it invalid. Tell them you are not able to reproduce the vulnerability and ask for a POC video of the bug. Then wait for their reply. Check again with that video, and if it still can't be reproduced, simply mark it as unqualified and send them an e-mail saying so.
Don't lose patience or say anything rude. That would make you look unprofessional and degrade the value of your company. Be polite :)
REWARD FOR VALID VULNERABILITY
Everyone works for some reward, monetary or non-monetary. If a security researcher submits a valid vulnerability, it's your responsibility to reward them for the time they spent testing your website.
The reward varies from company to company. Here are several types of reward you can offer to your security researchers.
#1 WALL OF FAME
The wall of fame is a dedicated page on your website where you give honorable mentions. You can list the researcher's name as well as their social handle or website.
This is a good option for companies that don't have much budget to spend on their website's security.
#2 CERTIFICATE OF APPRECIATION
A certificate of appreciation is given to the researcher by the company in return for a valid bug.
#3 SWAG PACK - GIFT
Swag is a gift, usually a T-shirt with the company's logo, given to the researcher for finding a valid bug.
#4 BOUNTY
A bounty is the amount paid to the researcher. It varies with the priority of the bug: the highest priority (P1) earns the highest bounty, and the lowest priority earns the lowest.
This is a comprehensive guide to starting your very own Responsible Disclosure Program and securing your digital assets. Before launching it, you need to take some steps to protect your website from beginners who run automated testing.
The basic thing you can do is get your website scanned by a professional cybersecurity researcher for a basic audit before launching your public disclosure program. Mainly you need to focus on DDoS protection.
After launching your program, make sure to check e-mails regularly; otherwise you may have critical unresolved vulnerabilities.
If you get multiple e-mails for the same issue, give credit to the first report, mark all the others as duplicates and send them a regret e-mail.