HackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group

•Download as PPTX, PDF•

2 likes•1,016 views

Представитель одного из самых авторитетных в мире белых хакерских сообществ HackerOne, который присоединится к нам по видеосвязи, коснется разных организационных тонкостей, а также поделится опытом сотрудничества с международными компаниями.

Internet

Bounties and Other Incentives
Katie Moussouris
Chief Policy Officer
http://twitter.com/k8em0 <-- that’s a zero

Who I am
Chief Policy Officer, HackerOne
Mother of Microsoft’s Bounty Programs, Internet Bug Bounty Panelist
Chair of BlueHat Content Board 2010-2013
My (security*) work in bullet points:
◆ Linux Dev and Security Tzarina - TurboLinux, circa 2000
◆ Pen Tester - Artist formerly known as @stake
◆ Founder - Symantec Vulnerability Research (SVR)
◆ Founder - Microsoft Vulnerability Research (MSVR)
◆ Policy Maker
◆ Editor for ISO standard on Vulnerability Handling (30111)
◆ Lead SME for US National Body on Vulnerability Disclosure (29147)
◆ Lead editor for Penetration Testing as it applies to Common Criteria (20004-
2)and Secure Application Development processes (27034-3)
* Was a molecular biologist in a past professional life; worked on the Human
Genome Project

● Vulnerability Coordination Platform
o Built by Facebook, Microsoft, Chrome security folks
● 100+ live programs with well over $100k paid out each month
● 1,000+ users hackers (researchers?) recognized for their work
● Important: We only host these programs.
o Researchers & Security Teams manage their own programs.
o HackerOne employees do not have access to reports.
What is HackerOne?

Signal-to-Noise Ratio
● There's noise on the internet
● Researcher Reputation - Good for researchers and teams
o The best researchers stand out from noisier ones
 Mutual incentives to maintain a high-signal environment
o Security Teams benefit from additional context
o An Anecdote!
 "Noisiest" researcher had 1,500+ submissions and a <5% success rate.
 One month later: same researcher now has 60%+ success rate.

● Sharing knowledge is valuable to the entire community
o Those who do not learn from the mistakes of the past are doomed
to repeat them
● Q: How can we encourage more vulnerability sharing?
o One-click disclosures
o Streamlined coordination
o Shared goals
o No surprises
Knowledge

HackerOne Transparency
View the details of every vulnerability HackerOne has ever had: https://hackerone.com/security

IE Preview Bug Bounty: All in the timing
● Running a bounty program during the Preview (beta)
period for IE11 addressed the greatest number of
issues with the least impact to customers AND
engineers
● Vulnerability brokers don’t offer payment for the IE
browser in beta, so there is a gap in the marketplace
● Actual Results: 23 submissions, 18 bulletin-class
issues – including 4 sandbox escapes

IE 11 Preview Bounty --> Reverses Reporting Trend

"Hacker"?
● Definitions suck.
● Security is for everyone
o It needs to be more accessible & inclusive.
● Be a part of the security community

What's hot

In this webinar, we are joined by Tony Sager, Senior VP & Chief Evangelist for the Center for Internet Security (CIS). Tony will be discussing the latest changes to the CIS Controls framework and how they help protect your organization from cyberattacks. In almost every industry, complex organizations are adopting these foundational controls for effective cyber defense. Attendees will learn about: • How the CIS Controls align to common security & compliance frameworks • The underlying principles that drive the success of the CIS Controls • Why many organizations fail despite utilizing other "advanced" controls • The available tools that have grown up around the CIS Controls

Jumpstarting Your Cyberdefense Machine with the CIS Controls V7

Tripwire

Creating a quality web application is hard. It’s hard to gain customers, it’s hard to build your reputation and it’s hard to keep the costs low. Nevertheless, security is often an afterthought. However… Have you considered the cost of fixing security issues later? What about the reputational damage of a security breach? Are you worried about your customers’ data? We will talk about good security coding practices for web applications and how to apply them early on using some real world examples. We will also help you to think about your website’s vulnerabilities from the view of a hacker.

N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018

Codemotion

5 Tips For Preventing Ransomware On Your Network

NetFort

Penetration testing tools and phases

TestingXperts

Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015

Ingram Micro Cloud

Security Metrics are often about the performance of information security professionals - traditional ones are centered around vulnerability close rates, timelines, or criticality ratings. But how does one measure if those metrics are the rights ones? How does one measure risk reduction, or how successful your metrics program is at operationalizing that which is necessary to prevent a breach? The data we'll explore defined the 2016 Verizon DBIR Vulnerabilities section. This talk will borrow concepts from epidemiology, repeated game theory, classical and causal probability theory in order to demonstrate some inventive metrics for evaluating vulnerability management strategies. Not all vulnerabilities are at risk of being breached. Not all people are at risk for catching the flu. By analogy, we are trying to be effective at catching the "disease" of vulnerabilities which are susceptible to breaches, and not all are. How do we determine what is truly critical? How do we determine if we are effective at remediating what is truly critical? Because the incidence of disease is unknown, the absolute risk can not be calculated. This talk will introduce some concepts from other fields for dealing with infosec uncertainty. Attackers are human too - and currently available data allows us to make some predictions about how they'll behave. And to predict is to prevent.

Chicago Security Meetup 08/2016

Michael Roytman

Security often isn’t the top priority for many developers, who already are juggling multiple projects and deadlines. In fact, security seems to get in the way of keeping up with the pace of business. However, developers control a critical piece of the security puzzle and need to be engaged in the security cause—no longer can they stand by and say the responsibility for security lies in the hands of the security team. Rather, security must be built-in from the start. In this webinar, Secure Code Warrior CTO Matias Madou will look at what we as security professionals have been doing wrong and how agile, DevSecOps and DevOps are changing the role of the developer. Madou will discuss current best practices and ways in which they often fall short of the goal of building in security from the start, and will share new methodologies being deployed at multiple global organizations that make developers want to be part of the solution. Madou will be joined by Alexandre Pluvinage, head of Cybersecurity and Fraud Awareness at ING Belgium and ING BD Netherlands, who will discuss how his team engaged developers to think with a security mindset and how they rolled out a security program for developers, and share the results of the program to date.

Improving Software Security in an Agile Environment: A Case Study

DevOps.com

Enfilade: Tool to Detect Infections in MongoDB Instances

Aditya K Sood

Malware and the Cost of Inactivity

Cisco Security

Understanding ransomware

Prathan Phongthiproek

What's hot (10)

Jumpstarting Your Cyberdefense Machine with the CIS Controls V7

N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018

5 Tips For Preventing Ransomware On Your Network

Penetration testing tools and phases

Trend Micro Keynote: Nightingale Floors: Mitigating Cyber Attacks in 2015

Chicago Security Meetup 08/2016

Improving Software Security in an Agile Environment: A Case Study

Enfilade: Tool to Detect Infections in MongoDB Instances

Malware and the Cost of Inactivity

Understanding ransomware

Similar to HackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group

The global security landscape is changing, now more than ever. With cloud computing gaining momentum and advanced persistent threats becoming a common occurrence, the industry is taking a more focused and serious approach, especially after some of last years' heavily publicized cyber breaches. Join this session for a high-level overview on the industry trends in the area of web application security, and find out why security is bound to become a hot topic in any organization developing or using web applications.

The state of web applications (in)security @ ITDays 2016

Tudor Damian

Matteo meucci Software Security - Napoli 10112016

Minded Security

Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015

Minded Security

Beyond security testing

Cu Nguyen

Owasp LA

leifdreizler

James Brown, Director of Cloud Computing & Security Architecture, Alert Logic covers: • The shared security model: what security you are responsible for to protect your content, applications, systems and networks vs AWS. • Overview of the OWASP Top 10 most critical web application security risks (such as SQL injections) • Best practices for how to protect your environment from the latest threats

Journey to the Cloud: Securing Your AWS Applications - April 2015

Alert Logic

Current Article Review1. Locate a current article about Regul.docx

annettsparrow

Data mining in security: Ja'far Alqatawna

Maribel García Arenas

The high-profile attacks and data-breaches of the last few years have shown us the importance of securing our software. While it is good that we are seeing more tools that can analyze systems for vulnerabilities, this does not help the programmer write secure code in the first place. To prevent security from becoming a bottleneck–and expensive security mistakes from becoming increasingly probable–we need to look to techniques that allow us to secure software by construction. This talk has two parts. First, I will present technical ideas from research, including my own, that help secure software by construction. Even though these are reasonable ideas, however, the gap between academia and industry often prevents these ideas from becoming realized in practice. Second, I will discuss what prevents longer-term security solutions from being commercialized, how we started the Cybersecurity Factory accelerator bridge the research/industry gap, and how we can work together to address the issues that remain. http://2016.phillyemergingtech.com/session/securing-software-by-construction/

Philly ETE 2016: Securing Software by Construction

jxyz

The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...

WhiteSource

Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future. Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.

Taking Open Source Security to the Next Level

WhiteSource

In today's digital age, safeguarding your organization's sensitive data is paramount, and this event will empower you with the knowledge and tools you need. Our expert speaker will guide you through the ever-evolving cybersecurity landscape, helping you understand the threats nonprofits face. Discover how to avoid common password pitfalls that can leave your organization vulnerable to attacks. Moreover, we'll unveil the crucial steps to establishing a people-first culture of security within your nonprofit, ensuring that everyone in your team is an active defender against cyber threats. Don't miss out on this opportunity to fortify your nonprofit's cybersecurity posture. Register now to gain invaluable insights and practical strategies to protect your mission, your donors, and your community. Secure your spot today! LEARNING OBJECTIVES 1. Understanding the Landscape of Cyber Threats === Participants will gain a comprehensive understanding of the various types of cyber threats that organizations face in today’s digital age, such as phishing attacks, ransomware, and data breaches. 2. Developing Effective Security Policies and Procedures === Participants will learn how to develop, implement, and maintain effective security policies and procedures to safeguard organizational data. 3. Promoting Employee Awareness and Training === Participants will acquire strategies for promoting security awareness among employees and providing them with the necessary training to recognize and respond to security threats. Hosted by TechSoup with the support of the Communities Foundation of Texas. Guest expert Michael Enos of TechSoup. Recorded on December 7, 2023. https://techsoupglobal.zoom.us/webinar/register/WN_E1pVmXZTS7O93W7-jPUn7Q

Creating a Culture of Security

TechSoup

Secure Software Development Lifecycle

1&1

Stay safe, grab a drink and join us virtually for our upcoming "Reveal the Security Risks in the Software Development Lifecycle" Meetup to learn how to find application security threats, issues in software development life cycle, build mature application security incident response processes and implement application security posture management. Agenda: 17:00 - 17:05 - 'Opening words' - by Gary Berman (Cyber Heroes Network) 17:05 - 17:35 - 'Why securing the SDLC fails at scale' - by Liav Caspi (Co-Founder & CTO at Legit Security) 17:35 - 18:05 - 'The Real AppSec Issues' - by Josh Grossman (CTO at BounceSecurity) 18:05 - 18:35 - 'Application security and IR process' - by Vitaly Davidoff (Application Security Lead at JFrog) 18:35 - 19:00 - 'The ASPM way - a new approach' - by Liav Caspi (Co-Founder & CTO at Legit Security)

Reveal the Security Risks in the software Development Lifecycle Meetup 060320...

lior mazor

Providing Services to our Remote Users: Open Source Solutions

Nicole C. Engard

Insider threats can have a profound impact on an organization. Beyond the lost value of the asset that was removed, disclosed or destroyed, organizations can suffer immediate losses of intrinsic value as well as lost revenue. Insider Risk's focus is on an organization's data problems rather than its people problems. Join me to learn more on this topic Insider risk protection and containment in Microsoft 365 at aMS Southeast Asia 2021.

aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...

Mitul Rana

Taking Open Source Security to the Next Level

SBWebinars

Software Security Assurance for DevOps

Black Duck by Synopsys

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for Devops

Jerika Phelps

This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security dept of existing applications. To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.” After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time. The 3 core takeaways for the audience are: 1.) Where security practices have gone wrong so far. 2.) What new technologies will cause a paradigm shift in how security is applied at scale. 3.) How security will look like in 5-10 years.

The Future of DevSecOps

Stefan Streichsbier

Similar to HackerOne, Security Meetup 4 декабря 2014, Mail.Ru Group (20)

The state of web applications (in)security @ ITDays 2016

Matteo meucci Software Security - Napoli 10112016

Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015

Beyond security testing

Owasp LA

Journey to the Cloud: Securing Your AWS Applications - April 2015

Current Article Review1. Locate a current article about Regul.docx

Data mining in security: Ja'far Alqatawna

Philly ETE 2016: Securing Software by Construction

The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...

Taking Open Source Security to the Next Level

Creating a Culture of Security

Secure Software Development Lifecycle

Reveal the Security Risks in the software Development Lifecycle Meetup 060320...

Providing Services to our Remote Users: Open Source Solutions

aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...

Taking Open Source Security to the Next Level

Software Security Assurance for DevOps

Software Security Assurance for Devops

The Future of DevSecOps

More from Mail.ru Group

В рамках доклада мы поделимся примерами проектов, на которых есть автоматизация, но нет ни одного специально выделенного инженера для выполнения задач, связанных с автоматизацией тестирования. Затронем такие вопросы как: что нас привело к такому решению (отказаться от test automation инженеров); сложности, с которыми мы столкнулись; бонусы, которые мы в итоге получили.

Автоматизация без тест-инженеров по автоматизации, Мария Терехина и Владислав...

Mail.ru Group

Автоматизация тестирования UI — это всегда непростая задача, особенно в условиях активной разработки и постоянного изменения требований. Как мы решали эту проблему в mall.my.com. Как и почему пришли к BDD. Какие инструменты выбрали. И что из этого вышло.

BDD для фронтенда. Автоматизация тестирования с Cucumber, Cypress и Jenkins, ...

Mail.ru Group

Другая сторона баг-баунти-программ: как это выглядит изнутри, Владимир Дубровин

Mail.ru Group

Использование Fiddler и Charles при тестировании фронтенда проекта pulse.mail...

Mail.ru Group

что такое инциденты и почему это важно; как из непонятного сделать «рутину»; про автоматизацию: OTRS, Jira, чат-боты; про диагностику: логирование, как работает Bomgar; про сообщество: специальная программа тестирования почты для сотрудников.

Управление инцидентами в Почте Mail.ru, Антон Викторов

Mail.ru Group

На сегодняшний день такие популярные анализаторы, как OWASP ZAP и Burp Suite, не всегда хорошо справляются с задачей автоматического сканирования приложений. Нередко они не могут найти какие-то специфические директории, автоматически отправить запрос без участия человека. И чаще данные инструменты запускаются локально. При этом, если в компании хорошо работает команда по автоматизации тестирования, их работу можно взять за основу динамического анализа и фазинга. Как бонус, обсудим разницу Burp Suite Professional и Burp Suite Enterprise с точки зрения CI/CD и подключения автоматизированных тестов.

DAST в CI/CD, Ольга Свиридова

Mail.ru Group

Почему вам стоит использовать свой велосипед и почему не стоит Александр Бел...

Mail.ru Group

Расскажу про различные полезные библиотеки и функции Python: от простых и известных, до специфичных и редких. Поделюсь тем, какие технологии мы используем при разработке, обучении и деплое наших моделей: что помогало улучшить качество, а что тормозило разработку.

CV в пайплайне распознавания ценников товаров: трюки и хитрости Николай Масл...

Mail.ru Group

Все мы знаем, что наш любимый Pandas исключительно однопоточный, а модели из scikit-learn часто учатся не очень быстро даже в несколько процессов. Поэтому в докладе я расскажу о проекте RAPIDS - наборе библиотек для анализа данных и построения предиктивных моделей с использованием NVIDIA GPU. В докладе я предложу подискутировать о том, что закон Мура больше не выполняется, рассмотрю принципы работы архитектуры CUDA. Разберу библиотеки cuDF и cuML, а также постараюсь предельно честно рассказать о том, ждать ли чуда от перехода на GPU и в каких случаях чудо неизбежно.

RAPIDS: ускоряем Pandas и scikit-learn на GPU Павел Клеменков, NVidia

Mail.ru Group

Я расскажу, как мы поддержали вход через WebAuthn в самом крупном почтовом сервисе рунета и какие сложности скрываются за красивыми презентациями о том, какой WebAuthn простой и безопасный: как сделать WebAuthn понятным и доступным для пользователей; как поддержать его во всех браузерах и устройствах; как тестировать WebAuthn, в том числе автоматизированно; куда двигаться дальше после его запуска и включения.

WebAuthn в реальной жизни, Анатолий Остапенко

Mail.ru Group

Библиотека AMP — это не только современный инструмент создания богатых функциональностью и производительных web-сайтов, адаптированных для работы на мобильных устройствах. AMP для электронной почты радикально обновляет традиционный формат электронных писем, позволяя создавать более привлекательные и полезные для пользователя рассылки. В Почте Mail.ru очень вдохновляют новые возможности, которые может предоставить нашим пользователям и партнерам AMP для электронной почты. Этот доклад о том: почему стандарт для по-настоящему интерактивных электронных писем не получалось создать раньше; что из себя представляет стандарт AMP4Email, какие новые способы взаимодействия с письмом он дает; как с его помощью повысить ценность рассылки для пользователя; как мы реализовали поддержку AMP4Email в своих продуктах и обеспечили его безопасность; как AMP4Email может повысить конверсию на примере внедрения AMP-рассылок в партнерстве с крупнейшим сервисом электронной коммерции в России.

AMP для электронной почты, Сергей Пешков

Mail.ru Group

Как мы захотели TWA и сделали его без мобильных разработчиков, Данила Стрелков

Mail.ru Group

Delivery Club — крупнейшая фудтех-платформа в России, которая объединяет более 12 000 ресторанов разной ценовой категории в более чем 120 городах. Мы разработали приложение для наших партнеров, в котором они могут управлять заказами, меню, ингредиентами, статистикой в удобном интерфейсе. В докладе пойдет речь о том, как внедрение практик PWA помогло нам улучшить пользовательский опыт, решить вопросы, связанные с работой приложения на разных платформах. И как поддержка offline-режима избавила нас от проблем с вечными перепадами сети у наших партнеров.

Кейсы использования PWA для партнерских предложений в Delivery Club, Никита Б...

Mail.ru Group

Метапрограммирование: строим конечный автомат, Сергей Федоров, Яндекс.Такси

Mail.ru Group

Как не сделать врагами архитектуру и оптимизацию, Кирилл Березин, Mail.ru Group

Mail.ru Group

AI Journey — двухдневная конференция с ведущими международными и российскими спикерами — экспертами в области искусственного интеллекта и анализа данных, а также представителями компаний — лидеров по развитию и применению технологий ИИ в бизнес-процессах.

Этика искусственного интеллекта, Александр Кармаев (AI Journey)

Mail.ru Group

Нейро-машинный перевод в вопросно-ответных системах, Федор Федоренко (AI Jour...

Mail.ru Group

Конвергенция технологий как тренд развития искусственного интеллекта, Владими...

Mail.ru Group

Обзор трендов рекомендательных систем от Пульса, Андрей Мурашев (AI Journey)

Mail.ru Group

Мир глазами нейросетей, Данила Байгушев, Александр Сноркин ()

Mail.ru Group

More from Mail.ru Group (20)