Stories with Tag IT Security

• Most IT companies fail to serve security.txt for RFC 9116 in 2025

  permalink

  Posted: 2025-03-02 22:33:21

  Verbose tl;dr

  Despite being a simple, beneficial, and standardized way for security researchers to report vulnerabilities, adoption of security.txt files (as defined by RFC 9116) remains disappointingly low. A 2025 study by Hartwork found that the vast majority of IT companies, including many prominent names, still do not provide a security.txt file on their websites. This lack of adoption hinders responsible vulnerability disclosure and potentially leaves these organizations more susceptible to exploitation, as researchers lack clear reporting channels. The study emphasizes the continued need for greater awareness and adoption of this straightforward security best practice.

  In a blog post titled "Most IT companies fail to serve security.txt for RFC 9116 in 2025," published on hartwork.org, the author laments the surprisingly low adoption rate of the security.txt standard, a simple yet effective method for improving vulnerability disclosure processes. RFC 9116, which formally specifies this standard, outlines how organizations should provide a plaintext file named security.txt at a well-known location (/.well-known/security.txt) on their website. This file contains essential contact information for security researchers and ethical hackers to report potential vulnerabilities. Despite being a straightforward and beneficial practice, the author's research indicates a dismal adoption rate even among prominent IT companies.

  The blog post details the author's methodology, which involved scanning the top 100 publicly traded IT companies listed on the NASDAQ stock exchange. They checked for the presence of a valid security.txt file at the standardized location. The results revealed a disappointingly low adoption rate, with a significant majority of these companies failing to implement this basic security measure. This lack of adoption hinders responsible vulnerability disclosure, potentially leaving these organizations more susceptible to exploitation.

  The author emphasizes the simplicity and importance of implementing security.txt. It requires minimal effort to create and deploy the file, yet it provides a clear and standardized communication channel for security researchers. This facilitates the responsible reporting of vulnerabilities, allowing companies to address potential security flaws before they can be exploited by malicious actors. The low adoption rate, therefore, represents a missed opportunity for these companies to enhance their security posture and protect themselves from potential attacks.

  The blog post concludes with a renewed call to action, urging organizations to embrace the security.txt standard. By implementing this simple measure, companies can significantly improve their vulnerability management processes, foster better relationships with the security research community, and ultimately strengthen their overall security. The author stresses that the minimal effort required to deploy a security.txt file is far outweighed by the potential benefits in terms of improved security and reduced risk. The continued lack of widespread adoption, even years after the standardization through RFC 9116, is presented as a concerning trend within the cybersecurity landscape.

  • security.txt
  • RFC 9116
  • Cybersecurity
  • IT Security
  • vulnerability disclosure
  • responsible disclosure
  • Website Security
  • Security Best Practices
  • internet security
  • information security

  Summary of Comments ( 1 )
  https://news.ycombinator.com/item?id=43235972

  Verbose tl;dr

  Hacker News users generally agreed with the premise that security.txt adoption is disappointingly low, with several expressing frustration at the security industry's failure to implement basic best practices. Some commenters pointed out that even security-focused companies often lack a security.txt file, highlighting a general apathy or ignorance towards the standard. Others discussed the potential downsides of security.txt, such as increased exposure to automated vulnerability scanning and the possibility of it becoming a target for social engineering attacks. A few suggested that the lack of adoption might stem from the perceived lack of clear benefits or fear of legal repercussions for disclosed vulnerabilities. The overall sentiment reflects a concern for the slow uptake of a seemingly simple yet beneficial security measure.

  The Hacker News post titled "Most IT companies fail to serve security.txt for RFC 9116 in 2025" generated a moderate number of comments discussing the adoption (or lack thereof) of the security.txt standard. Several commenters expressed a general sentiment of disappointment and frustration with the slow uptake of such a simple, yet beneficial, security practice.

  One compelling line of discussion revolved around the practical challenges and perceived lack of incentives for companies to implement security.txt. Some argued that security researchers often find vulnerabilities through means other than those advertised in a security.txt file, therefore diminishing its perceived value for companies. Others countered this point by highlighting the importance of providing a clear and official channel for reporting vulnerabilities, regardless of how they are discovered. This, they argued, can help streamline the vulnerability disclosure process and prevent researchers from resorting to less secure or less desirable methods of contact.

  Another commenter pointed out that the absence of security.txt often leads to wasted time and effort for security researchers who have to resort to searching for contact information through various channels, potentially leading to delayed vulnerability disclosures. This reinforces the argument that security.txt benefits both the reporting party and the receiving organization.

  The issue of discoverability also arose, with some commenters questioning how effective security.txt is if search engines aren't indexing it reliably. This raised concerns about the practical utility of the standard if it's not easily findable by those who need it.

  Finally, a few comments touched upon the potential legal implications of not having a security.txt file, suggesting that in the future, its absence might be considered negligent, especially in regulated industries. This adds another layer of incentive for companies to adopt the standard, moving beyond best practice and towards a potential legal requirement.

  While no single comment was overwhelmingly compelling in isolation, the collective discussion painted a picture of a security standard struggling with adoption despite its simplicity and potential benefits. The comments highlighted the tension between the perceived effort required for implementation and the potential benefits, as well as the need for improved discoverability and potential future legal implications that might drive wider adoption.

• Nontraditional Red Teams

  permalink

  Posted: 2025-02-04 18:01:45

  Verbose tl;dr

  Zach Holman's post "Nontraditional Red Teams" advocates for expanding the traditional security-focused red team concept to other areas of a company. He argues that dedicated teams, separate from existing product or engineering groups, can provide valuable insights by simulating real-world user behavior and identifying potential problems with products, marketing campaigns, and company policies. These "red teams" can act as devil's advocates, challenging assumptions and uncovering blind spots that internal teams might miss, ultimately leading to more robust and user-centric products and strategies. Holman emphasizes the importance of empowering these teams to operate independently and providing them the freedom to explore unconventional approaches.

  Zach Holman's blog post, "Nontraditional Red Teams," explores the concept of red teaming beyond its typical application in cybersecurity and military strategy, advocating for its use in a broader range of contexts, specifically within product development and organizational decision-making. He argues that the core principles of red teaming—challenging assumptions, identifying vulnerabilities, and simulating adversarial perspectives—can be immensely valuable for stress-testing ideas, strategies, and even company culture.

  Holman emphasizes the importance of structured and deliberate contrarian thinking. He posits that the inherent human tendency towards confirmation bias often leads individuals and teams to overlook potential weaknesses in their plans. By proactively incorporating a "red team" mindset, organizations can preemptively identify and address these flaws before they manifest into real-world problems. This proactive approach, he suggests, can save significant resources and mitigate potential damage in the long run.

  The post elaborates on practical methods for implementing nontraditional red teams. Holman suggests appointing specific individuals or forming dedicated groups to play the role of "devil's advocate," tasked with critically examining prevailing opinions and proposing alternative scenarios. He underscores the importance of creating a safe and open environment where these contrarian viewpoints can be expressed without fear of reprisal. This psychological safety, he argues, is crucial for fostering honest and productive discussions that lead to more robust and well-informed decisions.

  Furthermore, Holman discusses the potential benefits of rotating the red team role among different individuals or teams. This rotation, he explains, not only distributes the cognitive load of critical analysis but also cultivates a broader organizational understanding of potential vulnerabilities and alternative perspectives. He also touches on the idea of incorporating external perspectives into the red teaming process, suggesting that bringing in outside experts or consultants can provide valuable insights and challenge internal biases more effectively.

  Finally, the post concludes by highlighting the overall value proposition of nontraditional red teaming. Holman portrays it not as a purely defensive measure, but rather as a proactive tool for innovation and organizational learning. By systematically challenging assumptions and embracing dissenting opinions, companies can foster a culture of critical thinking, improve their decision-making processes, and ultimately achieve greater resilience and adaptability in the face of uncertainty.

  • Red Teaming
  • Security
  • Penetration Testing
  • Vulnerability Assessment
  • Cybersecurity
  • information security
  • risk management
  • Compliance
  • IT Security
  • social engineering
  • Physical Security
  • network security
  • Application Security
  • Threat Modeling
  • Adversary Simulation
  • Ethical Hacking
  • Nontraditional
  • Innovation
  • Business Continuity
  • Disaster Recovery

  Summary of Comments ( 0 )
  https://news.ycombinator.com/item?id=42936162

  Verbose tl;dr

  HN commenters largely agree with the author's premise that "red teams" are often misused, focusing on compliance and shallow vulnerability discovery rather than true adversarial emulation. Several highlighted the importance of a strong security culture and open communication for red teaming to be effective. Some commenters shared anecdotes about ineffective red team exercises, emphasizing the need for clear objectives and buy-in from leadership. Others discussed the difficulty in finding skilled red teamers who can think like real attackers. A compelling point raised was the importance of "purple teaming" – combining red and blue teams for collaborative learning and improvement, rather than treating it as a purely adversarial exercise. Finally, some argued that the term "red team" has become diluted and overused, losing its original meaning.

  The Hacker News post titled "Nontraditional Red Teams," linking to Zach Holman's blog post about the same topic, has a moderate number of comments, sparking a discussion around various aspects of red teaming and its implementation.

  Several commenters focused on the practicalities and challenges of implementing red teams, especially in smaller organizations. One commenter pointed out the difficulty of finding individuals with the right skillset and mindset for red teaming, suggesting that a good red teamer needs to be a "jack of all trades" with a deep understanding of the business. This commenter also highlighted the cost factor, noting that dedicating resources to a full-time red team can be prohibitive for smaller companies. Another echoed this sentiment, suggesting that smaller organizations might explore alternatives like hiring external consultants for periodic red team exercises.

  The discussion also delved into the importance of defining clear scopes and objectives for red teams. One commenter emphasized the need for specific, measurable goals to avoid the red team becoming an "unguided missile," potentially wasting time and resources on less critical areas. This ties into another comment highlighting the risk of red teams becoming overly focused on technical exploits rather than business-level risks. They advocate for a broader approach that considers not only vulnerabilities in systems but also vulnerabilities in processes and human factors.

  Another thread within the comments explored the cultural aspects of red teaming. One commenter discussed the importance of fostering a culture of psychological safety, where team members feel comfortable challenging assumptions and reporting potential issues without fear of retribution. They argue that without this safety net, red teaming efforts might be stifled, and valuable insights might be missed.

  Finally, some comments offered alternative perspectives on achieving similar outcomes to red teaming without dedicating a full team. One commenter suggested incorporating "red team thinking" into existing roles, encouraging employees to critically assess their own work and identify potential weaknesses. Another mentioned the concept of "chaos engineering" as a complementary approach, focused on testing the resilience of systems through controlled disruptions.

  While there's no single overwhelmingly compelling comment, the discussion collectively offers a valuable exploration of the nuances of red teaming, highlighting both its potential benefits and the practical challenges involved in its implementation. The comments provide insights into the importance of clear objectives, the right skillset, and a supportive organizational culture for successful red teaming. They also explore alternatives and complementary approaches for organizations with limited resources.