fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

UK Government Releases Toolkit To Easily Disclose Vulnerabilities

UK Government Releases Toolkit To Easily Disclose Vulnerabilities

The National Cyber Security Centre (NCSC) in the U.K. has released a guideline to help companies implement a vulnerability disclosure process or improve it if one is already set up.

Named “The Vulnerability Disclosure Toolkit,” the document underlines the need for organizations of all sizes to pave the road for an open posture toward responsible bug reporting and encourage it.

Also read: Computer Misuse Act Singapore: The Truth And Its Offenses

Bug reporting policy to become law

A vulnerability disclosure procedure makes perfect sense these days as most cyber attacks are the result of a security issue and researchers are constantly finding new bugs.

Reporting the problems can be particularly difficult, in many cases much of the effort being spent on finding a contact that can take relevant action.

“Security vulnerabilities are discovered all the time and people want to be able to report them directly to the organisation responsible,” says the U.K. NCSC.

A company putting in the effort to reduce the number of vulnerabilities in its infrastructure can provide more secure products and services and lowers the risk of becoming a victim of a cyber attack.

“Having a clearly signposted reporting process demonstrates that your organisation takes security seriously. By providing a clear process, organisations can receive the information directly so the vulnerability can be addressed, and the risk of compromise reduced. This process also reduces the reputational damage of public disclosure by providing a way to report, and a defined policy of how the organisation will respond” -the U.K. NCSC

The document published by the U.K. NCSC today is not a rule book for easier vulnerability disclosure but provides essential information for a better process or for implementing it.

It is organized in three main sections describing what can be done to direct external vulnerability information to the right person and the report follows a clear standard that defines an agreed framework for closing it.

The NCSC recommends setting up a dedicated contact (email address or secure web form) and making it easy to find. This can be easily done with the security.txt standard, a plain text file published in the /.well-known directory of the domain root.

The file can include the company’s security contact(s) and vulnerability disclosure policy, or link to them. Additional fields can contain a public key if encrypted communication is required, or preferred languages. The NCSC gives its security.txt file as an example.https://932fe03e0528a1f4a51a4b82cfb52c79.safeframe.googlesyndication.com/safeframe/1-0-37/html/container.html

Responding promptly to an unsolicited vulnerability report after eliminating the suspicion of phishing should be the standard course, engaging with the finder, even if just to thank them.

The NCSC recommends companies to avoid forcing the finder to sign a non-disclosure agreement “as the individual is simply looking to ensure the vulnerability is fixed.”

Keeping researchers in the loop about the progress made to fix the issue shows transparency and appreciation of the effort put into finding and reporting.

Another benefit from this is that the finder may be able to retest and confirm that the problem no longer exists.

The release of “The Vulnerability Disclosure Toolkit” is the preamble for embedding vulnerability reporting into U.K.’s legislative frameworks.

The government is currently preparing laws that require smart device makers to make available a public contact for a vulnerability disclosure policy.

Also read: Best Privacy Certification: 3 Simple Steps On How To Achieve

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us