Crowdsourced Vulnerability Testing
Upcoming SlideShare
Loading in...5

Like this? Share it with your network

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 2 2

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Reward  Programs  as  a  Service   A  fresh  approach  to  security  tes8ng!   ”Bugcrowd and similar marketplaces, such as Danish firm CrowdCurity and Synack, are democratising the crowdsourced penetration testing model which has previously been only available to the biggest software companies that can afford to pay out millions of dollars”
  • 2. CrowdCurity CrowdCurity •  •  •  •  •  •  •  A  Service  Pla,orm  for  Vulnerability  Reward  Programs     Founded  in  July  2013   3  months  bootstrapping  in  ArgenCna   Pla,orm  Launched  September  2013   5  Programs  Runned   300+  Testers   Part  of  in  Sillicon  Valley  for  the  next  4  months   Jacob     Chris8an     Jakob     Esben     Michael    
  • 3. CrowdCurity The Risks of Online Business  $$$   Credit  Card  Fraud   Credit  cards  are  targeted   Online  businesses  have  a  high   risk  of  aNacks  by  intruders   who  steal  credit  card   informaCon  from  the  sites  to   sell  it  on  the  black  market.     There  is  plenty  to  steal   In  2012  the  european  online   B2C  sites  had  an  income  of   €312  billion  (3,5%  of  BNP).   The  transacCons  are  typically   handled  with  credit  cards.*   *Source  FDIH   Data  Disclosure   Forced  Crashes   Harmed  customers   Big  data  =  Big  risk   To  enable  a  high  service  level   sensiCve  data  is  being  stored   online.  If  this  data  is  disclosed   to  the  wrong  people  it  could   have  strong  negaCve  impact.     Integrity  Loss   When  private  data  is   disclosed  it  leads  to  an   integrity  loss  for  the  business   keeping  the  data  and  could   harm  the  customer  owning  it.   Loss  of  Service   Many  shops  and  services  put   a  pride  in  being  available   online  24-­‐7.  But  evil  aNackers   can  crash  a  site  in  minutes  if   it  is  not  protected.     Loss  of  income  and  integrity   When  a  site  is  forced  to  crash   the  business  lose  potenCal   income  and  the  integrity  of   the  site  and  the  business  is   seriously  harmed.   Viruses  and  Malware   On  vulnerable  sites  aNackers   can  implement  virusses  and   other  malware  which  infects   and  potenCally  damages  the   systems  of  the  customers     Customers  Lost   If  a  customer  is  infected  by  a   virus  or  malware  on  a  site,   there  is  a  high  chance  that   they  will  not  feel  safe  about   using  that  site  again.    
  • 4. CrowdCurity Why is it Difficult to Solve?   The  security  threat  of  being  hacked  which  online  businesses  are  facing,   is  a  distributed  and  self-­‐organizing  threat.  Most  of  the  tools  that  online   businesses  have  today  to  fight  aNacks,  are  stuff  like  code  reviews,   automaCc  scanners  and  corporate  security  experts.  All  of  these   soluCons  will  be  fighCng  a  loosing  baNle  against  the  aNacks.  By  nature   of  the  threat  it  is  difficult  to  solve  completely  by  using  centralized  and   automaCc  soluCons.      
  • 5. CrowdCurity The Solution Crowdsourced Security Testing "99designs  meets  IT  security  -­‐   Crowdsource  security  testers  to   discover  your  vulnerabiliCes"  
  • 6. CrowdCurity The Solution Crowdsourced   Security  Tes8ng   1   ENGAGE  HACKERS  WITH  REWARD  PROGRAMS!     •  By  running  a  vulnerability  reward  program  you  engage  a  crowd  of   skilled  hackers  with  good  intenCons  to  to  earn  rewards  and   recogniCon  by  tesCng  the  security  of  your  web  applicaCons   2   IT’S  SMARTER!     •  Instead  of  1  set  of  eyes  you  can  get  100+   •  MulCple  aNack  angles  gets  covered  by  moCvated  testers     3   IT’S  CHEAPER!     •  You  only  pay  for  valid  vulnerabiliCes–  No  bugs,  No  cost   •  You  get  100+  testers  cheaper  than  the  price  of  1  consultant     4   ALL  THE  BIG  GUYS  ARE  DOING  IT!     •  In  3  years  Google  has  paid  crowdsourced  researchers  over  $2   million  in  security  rewards  and  fixed  more  than  2,000  bugs*       *Source  thenextweb  
  • 7. CrowdCurity Reward Programs •  hNp://­‐bounty-­‐programs-­‐for-­‐the-­‐web    
  • 8. CrowdCurity Reward Program Challenges Security  Research  Community   •  How to get businesses to understand the value-add of a reward program? •  •  •  •  Attract Skilled researchers? Rules? Reporting? Payments? Online  busineses  
  • 9. CrowdCurity Reward Programs as a Service Security  Research  Community   •  Connecting businesses to the research community and promoting the valueadd of reward programs Service  Pla,orm   •  One place to find programs for skilled researchers •  Best Practice Rules •  Best Practice Reporting •  Reward/Payment Mgmt. Online  busineses  
  • 10. CrowdCurity How it works 1.  Security  Test  Needed   An  owner  of  a  successful   online  business  wants  to   test  the  security  of  his  web   applicaCon.   7.  Fix  and  con8nue   CrowdCurity $   2.  Create  Reward  Program   He  creates  a  vulnerability   reward  program  through  an   easy  to  use  submission   form  at   3.  Marke8ng  to  testers   The  reward  program  is   marketed  to  the  crowd  of   skilled  testers  from  around   the  world   The  business  fixes  the   vulnerability  and  the   business  owner  keeps  the   reward  program  to  discover   more  vulnerabiliCes   6.  Payment  Mgmt.   If  a  reward  is  given   CrowdCurity  handles  the   payment  to  the  tester  and   charges  the  business  a  20%   service  fee.   5.Business  Evaluates   4.  Tester  finds  vulnerability   A  tester  finds  a  vulnerability   in  the  web  applicaCon,  and   submits  the  details  of  it   through  an  easy  to  use   form  at   The  business  evaluates  the   vulnerability  and  decide  if  it   is  eligible  for  a  cash  reward.   The  feedback  is  given   through  
  • 11. CrowdCurity A Customer Case •  •  •  •      Cloud  service   <10  Employees   Many  big  customers   Already  focused  on  security   AnC-­‐aNack  measures  installed   Business Ready to Test •  •  •  •      Reward  Program   AdverCsed  to  Full  crowd     Reward  sizes  $300/$100/$25   Focus  on  Customer  Portal   Best  PracCce  Rules   Best Practice Setup •  •  •  •      The  Test   50+  testers  parCcipated   6  conCnents  represented   $1500  given  in  rewards   19  vulnerabiliCes  rewarded   High Value at a Low Cost
  • 12. CrowdCurity The Future of Reward Programs     •  A  standard  part  of  the  security  toolbox   •  Used  by  online  businesses  of  all  sizes   •  A  way  for  security  researchers  to  promote  themselves   for  e.g.  recruitment   •  Rewards  will  increase  with  the  popularity  
  • 13. CrowdCurity WWW.CROWDCURITY.COM Simple  intui8ve  layout  and  instruc8ve  videos      Forms  for  submi`ng  programs  and  vulnerabili8es   Nice  dashboard  with  an  overview  of  the  tests   Easy  to  use  views  of  programs  and  vulnerabili8es