Identifying Security Risks with Security.txt

November 2, 2017 | Views: 4891


While listening to a recent episode of Security Now, I heard Steve Gibson discuss that help is on the way for securing websites and services. I have not seen much mention of it anywhere else, but I feel that it is definitely something worth noting.

When it comes to identifying security risks in websites and services, a major problem in the industry has been two-fold. First, security researchers have been wary of testing the security of sites and services because of the legal action that may be taken against them. Second, when they do test a site and discover a vulnerability in the site or service, there is often no proper way to disclose it to the developers. Because of this lack of disclosure options, the identified vulnerability often goes unreported and therefore remains out in the wild, leaving the adversary many avenues and vulnerabilities to attack. This is where web developer and security researcher Ed Foudil, and the draft he has submitted to the IETF, step in to save the day.

Mr. Foudil has graciously submitted to the IETF a draft that seeks to standardize Security.txt. According to securitytxt.org: “The main purpose of the security.txt file is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.”

Security.txt is a simple text file, similar to a robots.txt file, located in the root directory of a website. It gives organizations a standard way to define the process by which security researchers can securely disclose the vulnerabilities they have identified. Not only does this file provide the proper contact information, it also provides a secure way to transfer that information, as outlined below, taken from the IETF draft, which can be read here.
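As an added example (not from the post or from the draft's authors), the script below parses a constructed security.txt and flags the two things the post cares about: whether a researcher has a usable contact point, and whether a key is published so a report can be sent confidentially. The field names (Contact, Encryption, Acknowledgements) follow the IETF draft; the sample content, URLs and checks are assumptions for illustration.

```python
"""Parse and sanity-check a security.txt file (added example, not the post's code)."""
import re

# Constructed sample: a contact point plus a key location for encrypting reports.
# Field names follow the IETF draft; the values are illustrative only.
SAMPLE = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Encryption: https://example.com/pgp-key.txt
Acknowledgements: https://example.com/hall-of-fame
"""

# The draft allows mailto:, tel: and https: contact URIs (assumption: checked as a prefix).
ALLOWED_CONTACT = re.compile(r"^(mailto:|tel:|https://)", re.IGNORECASE)


def parse_security_txt(text):
    """Return {field_name_lowercase: [values]}, skipping blank lines and '#' comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("malformed line: %r" % line)
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(fields):
    """Return a list of problems a site owner or researcher would want flagged."""
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: researchers have nowhere to report")
    for c in contacts:
        if not ALLOWED_CONTACT.match(c):
            problems.append("Contact is not a mailto:/tel:/https: URI -> %s" % c)
    keys = fields.get("encryption", [])
    if not keys:
        problems.append("no Encryption field: reports cannot be sent confidentially")
    for k in keys:
        if k.lower().startswith("http://"):
            problems.append("Encryption key served over plain http: -> %s" % k)
    return problems


if __name__ == "__main__":
    print(check_security_txt(parse_security_txt(SAMPLE)) or "security.txt looks fine")
```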

As Steve Gibson said, “this is so simple it’s brilliant,” and it should be applauded!
https://mikesship.blogspot.com/2017/10/securitytxt.html
1 Comment
  1. I too listen to Security Now and love the idea of a security.txt. Also check out darkreading.com
