Thursday, October 26, 2017

SECURITY.TXT


While listening to a recent episode of Security Now Steve Gibson discussed some help that is on the way for securing web sites and services. I have not seen much mention of it anywhere else but I feel that it is definitely something worth noting.

When it comes to identifying security risks in web sites and services, a major problem in the industry has been two-fold. First, security researchers have been wary of testing the security of sites and services because of the legal action that may be taken against them. Second, when they do test a site and discover a vulnerability in the site or service, there is often no proper way to disclose it to the developers. Because of the lack of disclosure options, the identified vulnerability often just goes unreported and therefore remains out in the wild, leaving the adversary with many avenues and vulnerabilities to attack.

This is where a web developer and security researcher, Ed Foudil, and what he has submitted to the IETF, steps in to save the day. Mr. Foudil has graciously submitted to the IETF a draft that seeks to standardize SECURITY.TXT. According to securitytxt.org "The main purpose of the security.txt file is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues."

Security.txt is a simple text file, similar to a robots.txt file, located in the root directory of a website. It gives organizations a standard way to define the process by which security researchers can securely disclose the vulnerabilities they have identified. Not only does this file provide the proper contact information, it also provides a secure way to transfer that information, as outlined below in the excerpt taken from the IETF draft, which can be read HERE

2.4.  Encryption:
   This directive allows you to add your key for encrypted
   communication.  You MUST NOT directly add your PGP key.  The value
   MUST be a link to a page which contains your key.  Keys SHOULD be
   loaded over HTTPS.
   <CODE BEGINS>
   Encryption: https://example.com/pgp-key.txt
   <CODE ENDS>
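To show what the draft's Encryption rule means in practice, here is an added example (not from the draft, the blog post, or securitytxt.org) that parses a security.txt file and checks each Encryption directive against section 2.4: the value must be a link rather than the key itself, and the link should use HTTPS. The three sample files are constructed for the example; the Contact directive is assumed from the draft and is only parsed, not validated.

```python
from urllib.parse import urlparse

# Constructed sample files (not from any real site). The draft's format is
# one "Directive: value" per line; '#' lines are treated as comments here.
SAMPLE_GOOD = """\
# Constructed example security.txt
Contact: security@example.com
Encryption: https://example.com/pgp-key.txt
"""

SAMPLE_INLINE_KEY = """\
Contact: security@example.com
# Violates 2.4: the key block itself is pasted instead of a link to it
Encryption: -----BEGIN PGP PUBLIC KEY BLOCK-----
"""

SAMPLE_HTTP = """\
Contact: security@example.com
Encryption: http://example.com/pgp-key.txt
"""


def parse_security_txt(text):
    """Return a list of (directive, value) pairs, skipping blanks and comments."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        name, value = line.split(":", 1)   # split on the first colon only,
        fields.append((name.strip().lower(), value.strip()))  # URLs contain ':'
    return fields


def check_encryption(fields):
    """Apply section 2.4 to every Encryption directive.
    Returns (level, message) findings: 'error' for MUST, 'warning' for SHOULD."""
    findings = []
    for name, value in fields:
        if name != "encryption":
            continue
        if value.startswith("-----BEGIN PGP"):
            findings.append(("error", "Encryption MUST be a link, not the key itself"))
            continue
        url = urlparse(value)
        if url.scheme not in ("http", "https") or not url.netloc:
            findings.append(("error", "Encryption value is not a URL"))
        elif url.scheme != "https":
            findings.append(("warning", "key SHOULD be loaded over HTTPS"))
    return findings
```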

As Steve Gibson said "this is so simple it's brilliant" and should be applauded!
