Key Takeaways from Instructure's Successful Bug Bounty Program

•

2 gefällt mir•1,281 views

Slides used during Bugcrowd's 3/5/2015 webinar with Instructure, the innovative company behind Canvas Learning Management System. Learn why they turned to crowdsourced security, and how Bugcrowd's Flex program gave them great results.

Technologie

Key Takeaways from
Instructure’s Bug Bounty
Program
Presenters:
Q. Wade Billings, Sr. Director of Global IT Shared Services : Instructure
Jonathan Cran, VP Operations : Bugcrowd

Your Presenters
• Q. Wade Billings, Sr. Director of Global IT Shared Services
Instructure
• IT leadership career spanning over 20 years. Held high level
positions with Excite@Home, lowermybills.com, Medicity and
most recently WorkFront (fka AtTask)
• Involved in the Utah InfoSec community with ties to
BSidesSLC and UtahSec.org
• Jonathan Cran, VP Operations Bugcrowd
• Security Assessment Startups. Leadership positions with
Rapid7, Pwnie Express, Metasploit.

About Instructure
• Instructure makes smart software that makes people smarter
• Instructure is a fast growing, education technology SaaS
company serving multiple global markets
• Our growth since launch in 2011
• 18+ million users
• 1,200 institutions under contract
• 500+ employees
• Global ofﬁces and ﬁve hosting platforms worldwide

About Bugcrowd
• Your Elastic Security Team
• Founded in 2012, based in San Francisco, 20
employees
• 15,000 Researchers, $400,000 in researcher payments
in 2014, 150 programs
• Provider of Crowdcontrol, the platform for Bug Bounty
and Flex Bounty programs
• We help you start and manage your bug bounty program

Annual Assessment
• We update our platform every three weeks and users
beneﬁt from features and bug ﬁxes.
• Starting in 2011, Instructure took a proactive approach to
security.
• We publicly published results after the ﬁrst security audit
• When vulnerabilities were found, we ﬁxed them and put
them into production as quickly as possible
• We even embedded a blogger to observe and document
the process!!

Why Bugcrowd?
• This year we wanted to take it a step further.
• Economics of bug bounties promised better results
compared to the traditional approach
• Large researcher community, strong engagement
• Flex bounty met the “Annual Assessment” format

Bugcrowd Flex
• Two week bug bounty
• Private with vetted researchers
• Top placed rewards (35%), Others (65%)
• Flex Bounty Report
• Access to researchers and management platform

Flex Process
• Step 1: Onboarding
• Step 2: Program opens to private, vetted researchers
• Step 3: Crowdcontrol removes duplicates and out of scope
issues, providing quick feedback to researchers
• Step 4: Customer Validates, Assigns Awards and Authorizes
Payments
• Step 5: Program Closes, Report Created, Report Delivered
• Step 6: Customer resolves and Researcher re-tests (if
requested)

Flex Results
• Instead of two or three security
researchers, we had 63+
researchers active during the test
• 10x the number of vulnerabilities
identiﬁed
• This is NOT because Instructure is
less secure - we have been doing
these open audits each year for
three years
• Each researcher comes at the
problem with a different perspective

Flex Results
• Stored XSS
• Sending messages
for unsubscribed
courses
• Encrypted Cookie
Store malleability /
Key-reuse
• https://blog.bugcrowd.com/increased-pen-test-results-instructure-ﬂex/

Key Takeaways
• Security is a process, and you can beneﬁt by being
transparent about your assessment process
• Flex bounties work! More, high-quality results by
engaging with the research community vs traditional
methods
• Bugcrowd is helping make the bug bounty programs
accessible to organizations
• Download the report: https://blog.bugcrowd.com/
increased-pen-test-results-instructure-ﬂex/

What’s next
• We’ve launched a new ongoing bug bounty
program in partnership with Bugcrowd
• Our overarching goal is to create the most secure
learning and engagement platform for teachers
and corporate trainers across the world.
• We do this by being proactive and playing offense
when it comes to security, not defense.

Weitere ähnliche Inhalte

Was ist angesagt?

View this ondemand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar About the content: Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this recorded webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world. After viewing this presentation and ondemand webinar you will: 1. Learn if a bug bounty program is right for your organization 2. Understand if a bug bounty encourages hackers to attack your systems 3. Explore the real benefits of bug bounty programs – and find out if they actually work 4. Get insight on whether these programs are too hard and costly to manage

7 Bug Bounty Myths, BUSTED

bugcrowd

DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they? In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights. Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about: The current challenges of the security and development teams when it comes to AppSec The contradicting views and gaps between the teams on DevSecOps maturity How to break the silos and advance toward DevSecOps maturity

The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers

DevOps.com

Getting to Know Security and Devs: Keys to Successful DevSecOps

Franklin Mosley

The high-profile attacks and data-breaches of the last few years have shown us the importance of securing our software. While it is good that we are seeing more tools that can analyze systems for vulnerabilities, this does not help the programmer write secure code in the first place. To prevent security from becoming a bottleneck–and expensive security mistakes from becoming increasingly probable–we need to look to techniques that allow us to secure software by construction. This talk has two parts. First, I will present technical ideas from research, including my own, that help secure software by construction. Even though these are reasonable ideas, however, the gap between academia and industry often prevents these ideas from becoming realized in practice. Second, I will discuss what prevents longer-term security solutions from being commercialized, how we started the Cybersecurity Factory accelerator bridge the research/industry gap, and how we can work together to address the issues that remain. http://2016.phillyemergingtech.com/session/securing-software-by-construction/

Philly ETE 2016: Securing Software by Construction

jxyz

The chase for security perfection is not uncommon. The idea of ‘shift left’ - locating defects from the beginning of SDLC and rectifying them early is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement an agile DevSecOps to carry out the necessary security checks without compromising on time-to-market.

Outpost24 webinar - Why security perfection is the enemy of DevSecOps

Outpost24

In this webinar we will explore the findings from the recent PtaaS Impact Report: 2020, which aims to unravel the benefits and challenges of deploying a SaaS-based pentesting model in a modern software development environment. Join us as Cobalt Chief Strategy Officer Caroline Wong, Cobalt.io customer Ryan Stinson and experienced technology executive Dr. Chenxi Wang discuss how DevOps is changing the adoption of application security measures and how a PtaaS solution adapts to meet this change. This webinar will cover: The impact of DevOps on application security Why SaaS-driven companies are expanding pentesting scopes and frequency How PtaaS adapts to meet the speed of DevOps

Pentest as a Service Impact 2020

DevOps.com

Silver Lining for Miles: DevOps for Building Security Solutions

SeniorStoryteller

The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...

WhiteSource

Amy DeMartine - 7 Habits of Rugged DevOps

SeniorStoryteller

The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs? We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.

DevSecOps in 2031: How robots and humans will secure apps together Log

Stefan Streichsbier

Preventing Information Flow with Jeeves - Singapore Data Privacy Workshop

jxyz

The R.O.A.D to DevOps

SeniorStoryteller

Outpost24 Webinar - Creating a sustainable application security program to dr...

Outpost24

Practical DevSecOps Using Security Instrumentation

VMware Tanzu

At a time when some say users pose the biggest threat, new tools are emerging that give users more freedom than ever. 451 Analyst, Adrian Sanabria speaks on this bold new approach to application control in our latest webinar. KEY TOPICS 1. Learn from the past: valuing User Experience, IT workload & business/IT relations. 2. Take off the training wheels: it’s possible to trust users to make the right choices, but still have options if they don”t. 3. Drop unreasonable goals: more restrictions ≠ more security.

451 AppSense Webinar - Why blame the user?

Adrian Sanabria

Managing incidents in a DevOps environment is a near insurmountable task. With shared responsibilities and on-call rotations, anyone might be called into a system firefight at any time. Accepting failure and the problems created with complex system is a core tenet of DevOps thinking, and helping your team respond to incidents more effectively is key. Matthew Boeckman has served on the frontlines of DevOps incident management for 19 years. He’s seen it all and is an expert on building teams and workflows to support effective alerting, clear communication, and rapid recovery.

Top 10 Practices of Highly Successful DevOps Incident Management Teams

Deborah Schalm

Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?

Open Source Defense for Edge 2017

Adrian Sanabria

In recent years, endpoint security has evolved well beyond signature-based antivirus which proved unable to keep pace with the speed and volume of evolving threats. With the onslaught of new security technologies available, it can be difficult to determine where to begin. In this webinar, 451 Senior Analyst, Adrian Sanabria and Cylance Product Marketing Manager, Steve Salinas will discuss a proven approach to securing your endpoints. Adrian and Steve will present the fundamental steps to securing endpoints: • Step 1: A Better Malware Mousetrap • Step 2: More Resilient Endpoints • Step 3: Stopping Non-Malware Attacks • Step 4: Full System Visibility with Endpoint Detection and Response • Step 5: Dynamic Defense with User Behavior • Step 6: Data Visibility • Conclusion: Malware is Solved! What Now? Endpoint security can be complex. Join us for this webinar to learn how applying a reasoned, results-based approach can help you can take control of your endpoints and silence attackers.

451 and Cylance - The Roadmap To Better Endpoint Security

Adrian Sanabria

6 Most Common Threat Modeling Misconceptions

Cigital

Nucleus small

Stijn Jans

Was ist angesagt? (20)

7 Bug Bounty Myths, BUSTED

The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers

Getting to Know Security and Devs: Keys to Successful DevSecOps

Philly ETE 2016: Securing Software by Construction

Outpost24 webinar - Why security perfection is the enemy of DevSecOps

Pentest as a Service Impact 2020

Silver Lining for Miles: DevOps for Building Security Solutions

The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...

Amy DeMartine - 7 Habits of Rugged DevOps

DevSecOps in 2031: How robots and humans will secure apps together Log

Preventing Information Flow with Jeeves - Singapore Data Privacy Workshop

The R.O.A.D to DevOps

Outpost24 Webinar - Creating a sustainable application security program to dr...

Practical DevSecOps Using Security Instrumentation

451 AppSense Webinar - Why blame the user?

Top 10 Practices of Highly Successful DevOps Incident Management Teams

Open Source Defense for Edge 2017

451 and Cylance - The Roadmap To Better Endpoint Security

6 Most Common Threat Modeling Misconceptions

Nucleus small

Ähnlich wie Key Takeaways from Instructure's Successful Bug Bounty Program

Owasp LA

leifdreizler

CIO 360 grados: empoderamiento total

Corporacion Colombia Digital

Dr Abel Sanchez at Bristlecone Pulse 2017 MIT

Bristlecone SCC

Advanced Agile Product Ownership

Maikel Meeuwse

Building Engaging Customer Experiences Powered by MongoDB

rivetlogic

Introductie slides Advanced Agile Product Ownership door het Nederlands Insti...

Maikel Meeuwse

SGCI OAC webinar 4 18-19

Nancy Wilkins-Diehr

LinkedIn has built many personalized recommendation applications to help our members to be more productive, making it easier to discover, communicate, and share with other professionals. How do we rapidly build recommendation products with our "Big Data"? At Grace Hopper 2014 conference, I presented at poster session the steps that we take to turn abstract ideas into successful products on LinkedIn.

Build Big Data Products at LinkedIn

Lili Wu

Pivotal's Secret Sauce

VMware Tanzu

Presentation final.pptx (1)

Muneesh Batra

Presentation final.pptx (1)

Muneesh Batra

Jack Nichelson - Information Security Metrics - Practical Security Metrics

centralohioissa

Information Security Metrics - Practical Security Metrics

Jack Nichelson

Near east university

DerrickDusabe

Most organizations have made significant investments in security controls to enable prevention and detection. But when incidents occur, is your firm able to quickly mitigate them? The best security teams are. And as a result their organizations can learn from them and improve their performance next time. This webinar will review critical components of proper incident mitigation including: - Conducting post mortem and updating SOPs - Evaluating historical response performance - Generating reports for management, auditors, and authorities Our featured speakers for this webinar will be: - Stephen Brennan, Global Technical Consulting Lead - Managing Partner, CSC - Ted Julian, Chief Marketing Officer, Co3 Systems

You've Been Breached: How To Mitigate The Incident

Resilient Systems

"A dead ScrumMaster is a useless ScrumMaster,” echo the votary of Ken Schwaber (Co-Founder of Scrum) folklore. In this session hosted by Pat Reed (Agile Alliance Board Member) and Laszlo Szalvay (Executive at SolutionsIQ) we will explore how and why the accounting department needs to be your biggest champion as you embark on your next agile transformation. Pat and Laszlo will walk through concrete steps and real world examples of how capitalization works with Scrum and what you need to tell the accountants so they don’t shoot you. So don’t end up a dead ScrumMaster.

Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...

Laszlo Szalvay

Vicki Rogers, Senior Manager of Change, Georgia Tech Learn how Georgia Tech adopted the IT change management process (AKA change enablement practice in ITIL v4), designed to help control the life cycle of strategic, tactical, and operational changes to IT services through standardized procedures. In this webinar, host Vicki Rogers will briefly describe and define change management and how it fits into the ITSM model, touching on changes with ITIL v4. Please join us as Vick

Adding Value with Change Management

ITSM Academy, Inc.

APM webinar sponsored by the South Wales and West of England Branch on 14 July 2022. Speaker: Sophie Okell Introducing ethical hacking to the Ministry of Defence; the project management behind the innovation. This webinar talked you through the journey of how a groundbreaking cyber testing methodology was applied in the Ministry of Defence. How the project overcame the challenges faced, such as the complex stakeholder landscape, change resistance to such an innovative product and navigating commercial and legal. The methods and factors that made the project successful: Senior leadership support and advocacy. Small, empowered and flexible team. Internal marketing campaign, making use of communications and rewards. A consultative, transformation approach. Stakeholder mapping and engagement. External communications, including a successful press release. Demonstrating success early in the project and building on it. Short delivery timescales Clear methodology for the test, detailed in easily digestible communications Making use of internal champions across the organisation. The benefits achieved: Reduction to the cyber risk. Increased collaborative cyber culture. Upskilling of internal IT and cyber staff. Positioning of the MOD as a cyber leader on the global stage. https://youtu.be/e0FXmRlKT20 https://www.apm.org.uk/news/introducing-ethical-hacking-to-the-ministry-of-defence-webinar/

Introducing Ethical Hacking to the Ministry of Defence.pdf

Association for Project Management

Agile Development And Medtech

Robert Ginsberg

Presentation from Salesforce.org Higher Ed Summit 2018 by: Daniel McGaughey, University of Pittsburgh. Please join the University of Pittsburgh as we outline our approach to Salesforce security from an enterprise perspective. Pitt selected Salesforce as the platform to support a new Enterprise Relationship Management (ERM) system. Initial projects include implementation of Undergraduate Recruiting and Enterprise Service Desk. Using an enterprise approach to Salesforce security creates the base for future expansion. Salesforce security is configured using custom just in time provisioning so that user provisioning and de-provisioning is automated at login. Users are created and assigned a license at first login. User permissions are evaluated and updated at each login based on Active Directory group membership. Licenses will be revoked via a scheduled integration. Users who are not entitled to use the system will be denied login. We use Service Cloud cases to support the Security request and approval workflow. Once all approvals are complete users are added to appropriate Active Directory groups automatically. Pitt admins do not create users and assign permissions. Watch a recording of this presentation: https://youtu.be/NhHvNmmHaWs

Salesforce Security: Fully Automated

Salesforce.org

Ähnlich wie Key Takeaways from Instructure's Successful Bug Bounty Program (20)

Owasp LA

CIO 360 grados: empoderamiento total

Dr Abel Sanchez at Bristlecone Pulse 2017 MIT

Advanced Agile Product Ownership

Building Engaging Customer Experiences Powered by MongoDB

Introductie slides Advanced Agile Product Ownership door het Nederlands Insti...

SGCI OAC webinar 4 18-19

Build Big Data Products at LinkedIn

Pivotal's Secret Sauce

Presentation final.pptx (1)

Jack Nichelson - Information Security Metrics - Practical Security Metrics

Information Security Metrics - Practical Security Metrics

Near east university

You've Been Breached: How To Mitigate The Incident

Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...

Adding Value with Change Management

Introducing Ethical Hacking to the Ministry of Defence.pdf

Agile Development And Medtech

Salesforce Security: Fully Automated

Mehr von bugcrowd

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

bugcrowd

Ekoparty 2017 - The Bug Hunter's Methodology

bugcrowd

Grant McCracken and Daniel Trauner's presentation on setting up and managing a successful bug bounty program. Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.

If You Can't Beat 'Em, Join 'Em (AppSecUSA)

bugcrowd

You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs. Talk originally given at AppSecUSA 2016 | October 13, 2016

AppSecUSA 2016: 'Your License for Bug Hunting Season'

bugcrowd

Bug Bounty Tipping Point: Strength in Numbers

bugcrowd

If You Can't Beat 'Em, Join 'Em

bugcrowd

Writing vuln reports that maximize payouts - Nullcon 2016

bugcrowd

Bug Bounty Hunter Methodology - Nullcon 2016

bugcrowd

How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV

bugcrowd

WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties. Follow Jason on Twitter: http://twitter.com/jhaddix Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

bugcrowd

5 Tips to Successfully Running a Bug Bounty Program

bugcrowd

How to run a kick ass bug bounty program - Node Summit 2013

bugcrowd

Mehr von bugcrowd (12)

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Ekoparty 2017 - The Bug Hunter's Methodology

If You Can't Beat 'Em, Join 'Em (AppSecUSA)

AppSecUSA 2016: 'Your License for Bug Hunting Season'

Bug Bounty Tipping Point: Strength in Numbers

If You Can't Beat 'Em, Join 'Em

Writing vuln reports that maximize payouts - Nullcon 2016

Bug Bounty Hunter Methodology - Nullcon 2016

How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

5 Tips to Successfully Running a Bug Bounty Program

How to run a kick ass bug bounty program - Node Summit 2013

Kürzlich hochgeladen

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Civil Lines Women Seeking Men

Delhi Call girls

Scaling API-first – The story of a global engineering organization

Radu Cotescu

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

A Call to Action for Generative AI in 2024

Results

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Delhi Call girls

Histor y of HAM Radio presentation slide

vu2urc

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Sara Mae O’Brien Scott and Tatiana Baquero Cakici, Senior Consultants at Enterprise Knowledge (EK), presented “AI Fast Track to Search-Focused AI Solutions” at the Information Architecture Conference (IAC24) that took place on April 11, 2024 in Seattle, WA. In their presentation, O’Brien-Scott and Cakici focused on what Enterprise AI is, why it is important, and what it takes to empower organizations to get started on a search-based AI journey and stay on track. The presentation explored the complexities of enterprise search challenges and how IA principles can be leveraged to provide AI solutions through the use of a semantic layer. O’Brien-Scott and Cakici showcased a case study where a taxonomy, an ontology, and a knowledge graph were used to structure content at a healthcare workforce solutions organization, providing personalized content recommendations and increasing content findability. In this session, participants gained insights about the following: Most common types of AI categories and use cases; Recommended steps to design and implement taxonomies and ontologies, ensuring they evolve effectively and support the organization’s search objectives; Taxonomy and ontology design considerations and best practices; Real-world AI applications that illustrated the value of taxonomies, ontologies, and knowledge graphs; and Tools, roles, and skills to design and implement AI-powered search solutions.

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Enterprise Knowledge

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Kürzlich hochgeladen (20)

08448380779 Call Girls In Civil Lines Women Seeking Men

Scaling API-first – The story of a global engineering organization

🐬 The future of MySQL is Postgres 🐘

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Artificial Intelligence: Facts and Myths

Boost Fertility New Invention Ups Success Rates.pdf

A Call to Action for Generative AI in 2024

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Finology Group – Insurtech Innovation Award 2024

Boost PC performance: How more available memory can improve productivity

A Domino Admins Adventures (Engage 2024)

Presentation on how to chat with PDF using ChatGPT code interpreter

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Histor y of HAM Radio presentation slide

Axa Assurance Maroc - Insurer Innovation Award 2024

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Key Takeaways from Instructure's Successful Bug Bounty Program

2. Key Takeaways from Instructure’s Bug Bounty Program Presenters: Q. Wade Billings, Sr. Director of Global IT Shared Services : Instructure Jonathan Cran, VP Operations : Bugcrowd

3. Your Presenters • Q. Wade Billings, Sr. Director of Global IT Shared Services Instructure • IT leadership career spanning over 20 years. Held high level positions with Excite@Home, lowermybills.com, Medicity and most recently WorkFront (fka AtTask) • Involved in the Utah InfoSec community with ties to BSidesSLC and UtahSec.org • Jonathan Cran, VP Operations Bugcrowd • Security Assessment Startups. Leadership positions with Rapid7, Pwnie Express, Metasploit.

4. About Instructure • Instructure makes smart software that makes people smarter • Instructure is a fast growing, education technology SaaS company serving multiple global markets • Our growth since launch in 2011 • 18+ million users • 1,200 institutions under contract • 500+ employees • Global ofﬁces and ﬁve hosting platforms worldwide

5. About Bugcrowd • Your Elastic Security Team • Founded in 2012, based in San Francisco, 20 employees • 15,000 Researchers, $400,000 in researcher payments in 2014, 150 programs • Provider of Crowdcontrol, the platform for Bug Bounty and Flex Bounty programs • We help you start and manage your bug bounty program

6. Annual Assessment • We update our platform every three weeks and users benefit from features and bug fixes. • Starting in 2011, Instructure took a proactive approach to security. • We publicly published results after the first security audit • When vulnerabilities were found, we fixed them and put them into production as quickly as possible • We even embedded a blogger to observe and document the process!!

7. Why Bugcrowd? • This year we wanted to take it a step further. • Economics of bug bounties promised better results compared to the traditional approach • Large researcher community, strong engagement • Flex bounty met the “Annual Assessment” format

8. Bugcrowd Flex • Two week bug bounty • Private with vetted researchers • Top placed rewards (35%), Others (65%) • Flex Bounty Report • Access to researchers and management platform

9. Flex Reward Structure

10. Flex Process • Step 1: Onboarding • Step 2: Program opens to private, vetted researchers • Step 3: Crowdcontrol removes duplicates and out of scope issues, providing quick feedback to researchers • Step 4: Customer Validates, Assigns Awards and Authorizes Payments • Step 5: Program Closes, Report Created, Report Delivered • Step 6: Customer resolves and Researcher re-tests (if requested)

11. Flex Process

12. Flex Results • Instead of two or three security researchers, we had 63+ researchers active during the test • 10x the number of vulnerabilities identiﬁed • This is NOT because Instructure is less secure - we have been doing these open audits each year for three years • Each researcher comes at the problem with a different perspective

13. Flex Results • Stored XSS • Sending messages for unsubscribed courses • Encrypted Cookie Store malleability / Key-reuse • https://blog.bugcrowd.com/increased-pen-test-results-instructure-ﬂex/

14. Key Takeaways • Security is a process, and you can beneﬁt by being transparent about your assessment process • Flex bounties work! More, high-quality results by engaging with the research community vs traditional methods • Bugcrowd is helping make the bug bounty programs accessible to organizations • Download the report: https://blog.bugcrowd.com/ increased-pen-test-results-instructure-ﬂex/

15. What’s next • We’ve launched a new ongoing bug bounty program in partnership with Bugcrowd • Our overarching goal is to create the most secure learning and engagement platform for teachers and corporate trainers across the world. • We do this by being proactive and playing offense when it comes to security, not defense.

16. Questions?

Key Takeaways from Instructure's Successful Bug Bounty Program

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Key Takeaways from Instructure's Successful Bug Bounty Program

Ähnlich wie Key Takeaways from Instructure's Successful Bug Bounty Program (20)

Mehr von bugcrowd

Mehr von bugcrowd (12)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Key Takeaways from Instructure's Successful Bug Bounty Program