September 2016

ARE YOU VULNERABILITY BLIND?
3 REASONS TO RECONSIDER A BUG BOUNTY

1/25/17

SPEAKERS
PAUL ROSS, SVP MARKETING
JOHNATHAN HUNT, VP INFORMATION SECURITY

AGENDA
• Vulnerability Blindness
• 3 Reasons to Reconsider a Bug Bounty
  1. How a security expert changed his mind about bug bounties
  2. Why no bug bounty means missed vulnerabilities
  3. How Bugcrowd finds a P1 bug every 13 hours*

*Increase from 1 every 27 hours earlier in 2016
WHY IS THERE AN ISSUE TO ADDRESS?
• Ballooning attack surface
• Cybersecurity resource shortage
• Broken status quo
• Active, efficient adversaries
(Figure: Breaking The Vulnerability Cycle)
MYTHS OF BUG BOUNTY
(OR WHY YOU MIGHT HAVE DISMISSED THEM IN THE PAST)

POLL
1/25/17 | ESCAPE VELOCITY
CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING
(Diagram: Vulnerability Awareness over time, with two Code Release markers and two regions labelled Zone of Vulnerability Blindness)

BUG BOUNTY & CONTINUOUS ASSESSMENT AS THE SOLUTION
WHAT IS A BUG BOUNTY?
(Think of it as a competition)

WIDE ADOPTION OF CROWDSOURCED SECURITY
(Chart of program industries: Financial Services, Consumer Tech, Retail & Ecommerce, Infrastructure Technology, Automotive, Security Technology, Other)
2/3 of programs are private
Reason 1
THE REHABILITATION OF A BUG BOUNTY SKEPTIC

INTRODUCING INVISION
Award-winning product design collaboration platform
• Provides two million people with the power to prototype, review, refine, manage and user test web and mobile products.
• Drives the product design process at leading Fortune 100 companies, including Disney, IBM, Walmart, Apple, Verizon and General Motors.

INVISION SECURITY PROGRAM BEFORE BUG BOUNTY
• Monthly internal vulnerability scans
• Monthly external vulnerability scans
• Annual third-party penetration test
• 30-day patch cycle
• Web application firewall
• DDoS protection
‘WHETHER OR NOT YOU’RE GOING TO HAVE THE GOOD GUYS WORKING FOR YOU, DOESN’T MEAN THE BAD GUYS ARE GOING TO STOP WORKING’
— JOHNATHAN HUNT
Reason 2
WHY NO BUG BOUNTY MEANS MISSED VULNERABILITIES

CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING
(Diagram repeated from earlier: Vulnerability Awareness over time, with two Code Release markers and two regions labelled Zone of Vulnerability Blindness)

BUG BOUNTY DELIVERS CONTINUOUS VULNERABILITY ASSESSMENT
(Diagram: Vulnerability Awareness over time with two Code Release markers and no Zone of Vulnerability Blindness)
Reason 3
HOW BUGCROWD FINDS A P1 BUG EVERY 13 HOURS

A RADICAL CYBER SECURITY ADVANTAGE:
Enterprise Bug Bounty Solutions & Hackers On-Demand
• 300+ programs run
• Every program is managed by Bugcrowd
• Deep researcher engagement and support
• No confusing pricing models and no bounty commissions
• 45,000+ researchers

• A curated crowd that thinks like an adversary but acts as an ally to find vulnerabilities
• A platform that simplifies connecting researchers to organizations, saving you time and money
• Security expertise to design, support, and manage crowd security programs

TIMELINE OF A SUCCESSFUL BUG BOUNTY PROGRAM
1. Launches private bounty program
2. Receives first P1 submission
3. Receives 100th submission
4. Runs On-Demand program
5. Adds 100 additional researchers
6. Receives 500th submission
CONCLUSION
Avoiding Vulnerability Blindness
• The reality of the modern development pipeline dictates a new approach
• Continuous vulnerability assessment is real and achievable through the bug bounty model
• Bugcrowd delivers the radical cybersecurity advantage of the crowd
Curated crowd · Simple-to-use platform · Expertise to ensure success

NEXT STEPS
TALK WITH A BUG BOUNTY EXPERT
HTTPS://PAGES.BUGCROWD.COM/TALK-WITH-A-BUG-BOUNTY-EXPERT

Q&A
PAUL ROSS @pjross01
JOHNATHAN HUNT @JHuntSecurity