Are You Vulnerability Blind? 3 Reasons to Reconsider a Bug Bounty
•
1 gefällt mir•635 views
For the ondemand version of the webinar, visit: https://www.brighttalk.com/webcast/14415/242115 Bug Bounty programs are critical to the security programs of thousands of organizations, but many still have not embraced them. Join security leader Johnathan Hunt, VP Information Security at InVision, Paul Ross, SVP of Marketing at Bugcrowd to discuss why that situation must change, through topics including: - How a security expert changed his mind about bug bounties - Why no bug bounty means missed vulnerabilities - How Bugcrowd finds a P1 bug every 27 hours We will explore InVision’s bug bounty experience from conception to being critical to their customers’ confidence in their security. *Register for the webinar now* “Whether or not you’re going to have the good guys working for you or not, doesn’t mean the bad guys are going to stop working” - Johnathan Hunt, Invision
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Andere mochten auch
Andere mochten auch (13)
Mehr von bugcrowd
Mehr von bugcrowd (14)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Are You Vulnerability Blind? 3 Reasons to Reconsider a Bug Bounty
- 1. S e p t emb er 20 16 ARE YOU VULNERABILITY BLIND? 3 REASONS TO RECONSIDER A BUG BOUNTY
- 2. 1/25/172 PAUL ROSS SVP MARKETING JOHNATHAN HUNT VP INFORMATION SECURITY SPEAKERS
- 3. AGENDA • Vulnerability Blindness • 3 Reasons to Reconsider a Bug Bounty 1. How a security expert changed his mind about bug bounties 2. Why no bug bounty means missed vulnerabilities 3. How Bugcrowd finds a P1 bug every 13 hours* 1/25/173 *Increase from 1 every 27 hours earlier in 2016
- 4. WHY IS THERE AN ISSUE TO ADDRESS? 1/25/174 Ballooning attack surface Cybersecurity resource shortage Broken status-quo Active, efficient adversaries Breaking The Vulnerability Cycle
- 5. MYTHS OF BUG BOUNTY (OR WHY YOU MIGHT HAVE DISMISSED THEM IN THE PAST) 1/25/175
- 6. 6 POLL 1/25/17 | ESCAPE VELOCITY
- 7. CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING 1/25/177 Zone of Vulnerability Blindness Zone of Vulnerability Blindness Code Release Code Release Vulnerability Awareness
- 8. BUG BOUNTY & CONTINUOUS ASSESSMENT AS THE SOLUTION 1/25/178
- 9. WHAT IS A BUG BOUNTY? 1/25/179 (Think of it as a competition)
- 10. Financial Services Consumer Tech Retail & Ecommerce Infrastructure Technology Automotive Security Technology Other 2/3rd of Programs are Private WIDE ADOPTION OF CROWDSOURCED SECURITY
- 11. THE REHABILITATION OF A BUG BOUNTY SKEPTIC 1/25/1711 Reason 1
- 12. INTRODUCING INVISION Award-winning product design collaboration platform • Provide two million people with the power to prototype, review, refine, manage and user test web and mobile products. • Drives the product design process at leading Fortune 100 companies, including at Disney, IBM, Walmart, Apple, Verizon and General Motors. 1/25/1712
- 13. INVISION SECURITY PROGRAM BEFORE BUG BOUNTY • Monthly internal vulnerability scans • Monthly external vulnerability scans • Annual Third-Party Penetration Test • 30-day patch cycle • Web Application Firewall • DDoS Protection 1/25/1713
- 14. ‘WHETHER OR NOT YOU’RE GOING TO HAVE THE GOOD GUYS WORKING FOR YOU, DOESN’T MEAN THE BAD GUYS ARE GOING TO STOP WORKING’ — JOHNATHAN HUNT 1/25/1714
- 15. WHY NO BUG BOUNTY MEANS MISSED VULNERABILITIES 1/25/1715 Reason 2
- 16. CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING 1/25/1716 Zone of Vulnerability Blindness Zone of Vulnerability Blindness Code Release Code Release Vulnerability Awareness
- 17. BUG BOUNTY DELIVERS CONTINUOUS VULNERABILITY ASSESSMENT 1/25/1717 Code Release Code Release Vulnerability Awareness
- 18. HOW BUGCROWD FINDS A P1 BUG EVERY 13 HOURS 1/25/1718 Reason 3
- 19. A RADICAL CYBER SECURITY ADVANTAGE: Enterprise Bug Bounty Solutions & Hackers On-Demand • 300+ Programs run • Every program is managed by Bugcrowd • Deep researcher engagement and support • No confusing pricing models and no bounty commissions • 45,000+ researchers 1/25/1719 Curated Crowd that Thinks like an Adversary but acts as an ally to Find Vulnerabilities A Platform That Simplifies Connecting Researchers to Organizations, Saving You Time and Money Security Expertise To Design, Support, and Manage Crowd Security Programs
- 20. TIMELINE OF A SUCCESSFUL BUG BOUNTY PROGRAM 1/25/1720 Launches private bounty program Receives first P1 submission Receives 100th Submission Runs On-Demand program Adds 100 additional researchers Receives 500th submission
- 21. CONCLUSION Avoiding Vulnerability Blindness • Reality of modern development pipeline dictates a new approach • Continuous vulnerability assessment is real and achievable through bug bounty model • Bugcrowd delivers the radical cybersecurity advantage of the crowd 1/25/1721 Curated Crowd Simple-to-use platform Expertise to ensure success
- 22. NEXT STEPS TALK WITH A BUG BOUNTY EXPERT HTTPS://PAGES.BUGCROWD.COM/TALK-WITH-A-BUG-BOUNTY-EXPERT 1/25/17 | ESCAPE VELOCITY22
- 23. 1/25/1723 PAUL ROSS JOHNATHAN HUNT @pjross01 @JHuntSecurity Q&A