
Are You Vulnerability Blind? 3 Reasons to Reconsider a Bug Bounty

For the on-demand version of the webinar, visit:
https://www.brighttalk.com/webcast/14415/242115

Bug bounty programs are critical to the security programs of thousands of organizations, but many still have not embraced them. Join security leader Johnathan Hunt, VP Information Security at InVision, and Paul Ross, SVP of Marketing at Bugcrowd, to discuss why that situation must change, covering topics including:

- How a security expert changed his mind about bug bounties
- Why no bug bounty means missed vulnerabilities
- How Bugcrowd finds a P1 bug every 27 hours

We will explore InVision’s bug bounty experience from conception to being critical to their customers’ confidence in their security.

*Register for the webinar now*

“Whether or not you’re going to have the good guys working for you or not, doesn’t mean the bad guys are going to stop working”

- Johnathan Hunt, InVision

Published in: Technology

Are You Vulnerability Blind? 3 Reasons to Reconsider a Bug Bounty

  1. September 2016: ARE YOU VULNERABILITY BLIND? 3 REASONS TO RECONSIDER A BUG BOUNTY
  2. SPEAKERS (1/25/17): Paul Ross, SVP Marketing; Johnathan Hunt, VP Information Security
  3. AGENDA
     • Vulnerability Blindness
     • 3 Reasons to Reconsider a Bug Bounty
       1. How a security expert changed his mind about bug bounties
       2. Why no bug bounty means missed vulnerabilities
       3. How Bugcrowd finds a P1 bug every 13 hours* (*an increase from 1 every 27 hours earlier in 2016)
  4. WHY IS THERE AN ISSUE TO ADDRESS? Breaking the Vulnerability Cycle
     • Ballooning attack surface
     • Cybersecurity resource shortage
     • Broken status quo
     • Active, efficient adversaries
  5. MYTHS OF BUG BOUNTY (OR WHY YOU MIGHT HAVE DISMISSED THEM IN THE PAST)
  6. POLL
  7. CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING (diagram labels: Code Release, Zone of Vulnerability Blindness, Vulnerability Awareness)
  8. BUG BOUNTY & CONTINUOUS ASSESSMENT AS THE SOLUTION
  9. WHAT IS A BUG BOUNTY? (Think of it as a competition)
  10. WIDE ADOPTION OF CROWDSOURCED SECURITY (chart of program sectors: Financial Services, Consumer Tech, Retail & Ecommerce, Infrastructure Technology, Automotive, Security Technology, Other); 2/3 of programs are private
  11. Reason 1: THE REHABILITATION OF A BUG BOUNTY SKEPTIC
  12. INTRODUCING INVISION: award-winning product design collaboration platform
     • Provides two million people with the power to prototype, review, refine, manage and user test web and mobile products.
     • Drives the product design process at leading Fortune 100 companies, including Disney, IBM, Walmart, Apple, Verizon and General Motors.
  13. INVISION SECURITY PROGRAM BEFORE BUG BOUNTY
     • Monthly internal vulnerability scans
     • Monthly external vulnerability scans
     • Annual third-party penetration test
     • 30-day patch cycle
     • Web Application Firewall
     • DDoS protection
  14. ‘WHETHER OR NOT YOU’RE GOING TO HAVE THE GOOD GUYS WORKING FOR YOU, DOESN’T MEAN THE BAD GUYS ARE GOING TO STOP WORKING’ (Johnathan Hunt)
  15. Reason 2: WHY NO BUG BOUNTY MEANS MISSED VULNERABILITIES
  16. CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING (diagram labels: Code Release, Zone of Vulnerability Blindness, Vulnerability Awareness)
  17. BUG BOUNTY DELIVERS CONTINUOUS VULNERABILITY ASSESSMENT (diagram labels: Code Release, Vulnerability Awareness)
  18. Reason 3: HOW BUGCROWD FINDS A P1 BUG EVERY 13 HOURS
  19. A RADICAL CYBER SECURITY ADVANTAGE: Enterprise Bug Bounty Solutions & Hackers On-Demand
     • 300+ programs run
     • Every program is managed by Bugcrowd
     • Deep researcher engagement and support
     • No confusing pricing models and no bounty commissions
     • 45,000+ researchers
     Three pillars: a curated crowd that thinks like an adversary but acts as an ally to find vulnerabilities; a platform that simplifies connecting researchers to organizations, saving you time and money; security expertise to design, support, and manage crowd security programs.
  20. TIMELINE OF A SUCCESSFUL BUG BOUNTY PROGRAM: launches private bounty program; receives first P1 submission; receives 100th submission; runs On-Demand program; adds 100 additional researchers; receives 500th submission
  21. CONCLUSION: Avoiding Vulnerability Blindness
     • Reality of the modern development pipeline dictates a new approach
     • Continuous vulnerability assessment is real and achievable through the bug bounty model
     • Bugcrowd delivers the radical cybersecurity advantage of the crowd: curated crowd, simple-to-use platform, expertise to ensure success
  22. NEXT STEPS: TALK WITH A BUG BOUNTY EXPERT, HTTPS://PAGES.BUGCROWD.COM/TALK-WITH-A-BUG-BOUNTY-EXPERT
  23. Q&A: Paul Ross (@pjross01), Johnathan Hunt (@JHuntSecurity)
