Bug Bounty Programs: Good for Government
Your world, safe in my hands
My hands… & Your world is secured!
Presented at The Hackers Conference, New Delhi
August 25, 2013
Time for Real Change is NOW!
A security budget is inversely proportional to a CxO's "feel-good" factor.
Bug Bounty Programs will attract the best security brains for ~ZERO cost! NOW
The Bounty Hunter – Wild West times…
He hunted humans! Better than the best gunslinger or tracker.
The Bounty Hunter – Wild Space Age
Better than the best! Mercenary gun for hire.
Harrison Ford as Han Solo in Star Wars
Internet Age
• Wild
• Dangerous
• Unknown
• Constantly Morphing
• Dynamic Surface
• Virtual / Intangible
• Supports Life
• Ethical Helper
• Khabri (informer)
• Responsible Citizen
• Good Samaritan
• Honest Person
Black Hats are found among organizations and businessmen too, who will cheat the good hacker of reward and recognition!
Star Wars Episode IV (1977), Han Solo (Harrison Ford) to Princess Leia (Carrie Fisher)
Lucas Films/Courtesy Everett Collection
"I'm not in it for you, princess. Look, I ain't in this for your revolution, and I expect to be well paid. I'm in it for the money."
Men Are Nothing Until They Are Excited
• A govt. department was the target of spear phishing
• The malware was put out for analysis with a bounty of 25k; this was increased to 50k due to an increase in scope and a tie between two teams in phase 1
• The bounty hunter had to identify the malicious activity and the command centre
• Time-bound results were expected (24 hours)
• Maximum information and good presentation were given weightage
• The information was of high quality and the department was able to contain the attack, the malware and the attacker
• Market value of the work done
– Man-hours if the assignment had been carried out internally: min 100
– Value of the work if I had quoted: Rs. 5,00,000
Bounteous rewards await the Government department that starts a BB program. They are able to identify (actually) good testers who will HONESTLY disclose vulnerabilities.
• Capability for security management, protection or response sits primarily with intelligence agencies
• Departments depend on CERT-empanelled firms and carry out only a one-time assessment
• Total lack of awareness of (or respect for) IS among HoDs, and of security expertise in Ops teams
• Most government infrastructure is waiting for a "kehar" (catastrophe)
• Someone's death wish!
• Capacity and capability building sans resources
• Lack of skills, awareness and knowledge
• Uncertainty about the skills / ethics of testers
• Big PPP players work (only) on big projects
• Attain high level of assurance at low cost
• Supporting independent research
• Fulfil our national Mission Impossible:
– 500k IS professionals in 3 yrs
– PPP (Public + Professional Participation will work better than Public, Private Participation)
• Continuous Testing by proven professionals
• Critical Infrastructure Protection
• Information Sharing
• Identify professional friends-in-need
• Find vulnerabilities missed by your team
• Save BIG money on housekeeping
• Best brains in the business work free!!
• Success-fee based – non-negotiable.
• Potential candidates for hire
• Crowd sourced quality control
• Use a BB Escrow Service
• Start one on your own or crowd-source
• Contact hackers in Hall of Fame
• Reach out via Social Media
• Word of Mouth
• Offer Good Bounty
• Companies have to be as ethical as the hackers
• Admin – super geek
• Workflow / bug tracking system
• Your terms and conditions – transparent and in plain, simple language
• Escalation path (in case one does not agree with the admin's decision on payout)
• Open playing field for unknowns
• Researcher sells in the underground
• Revenge attack by unhappy hunter
• Rogue hacker steals data
• Wrong, slow or improper communication
• Dealing with young hot professionals
OOPS!
http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/
• Technically sound head geek !
• Quick Communication Plan
• Transparency
• Acknowledge and Pamper
• Pay Good Money (be the best)
• Media Announcements
• Wall of Fame
NOW !!
• Cost of web application testing using automated open source tools = 50k to 200k
• Cost paid by a very "aware" govt. department to a CERT-empanelled 'auditor' = 20k to 50k; the audit firm would be foolish to carry out even one manual test!
• With this pricing the client can forget getting anyone to even give a 'jhalak' (glimpse) of a commercial tool like Core, IBM, Qualys
I am a big company, and this "bug-shug" business is not good for my name.
Me a big corporation, or me a big guy – it's not good for my image or reputation.
Priority Nature of Bug
1 Remote Code Execution
2 SQLi
3 Authentication Bypass
4 Privilege escalation
5 Circumvention of web app permissions
6 Stored XSS
7 Reflected XSS
8 CSRF
9 Clickjacking
• Age: 0 > 25
• Started BH: 3 – 5 years ago
• Amount of money made:
– Y0 – Y2 .. about $0 – 500 (unless very lucky or good)
– Y2 onwards – average minimum $800 – 1000 per month, growing to an average of $2 – 3k
• Daily work life:
– Regular life; average 6 to 8 hours daily, less on weekends
– Bug hunting: 8 – 10 hours, more if excited, more on weekends
– Sleep: whenever!
• Social acceptability:
– Y0 – Y3 .. BAD, parents gave up
– Y2 onwards… great!
• Taxable income: who knows!
• Has PAN number, bank account
You do not want anyone from here!
- visiting you…
- buying your data…
- selling your data…
… NO Siree!
• Facebook Whitehat List https://www.facebook.com/whitehat/thanks/
• Twitter Whitehat List https://www.twitter.com/about/security
• Google Security Hall of Fame http://www.google.com/about/appsecurity/hall-of-fame/distinction/
• PayPal Wall of Fame https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention
• Dropbox "Special Thanks" for Security https://www.dropbox.com/special_thanks
• Adobe Security Acknowledgments http://www.adobe.com/support/security/bulletins/securiacknowledgments.html
• Apple Security Notifications http://support.apple.com/kb/HT1318
• Zendesk Security http://www.zendesk.com/company/responsible-disclosure-policy
• Nokia Siemens Networks Hall of Fame http://www.nokiasiemensnetworks.com/about-
• Vignesh Kumar
• Amol Naik (25/26)
• Riyaz Walikar (24)
• Krutarth Shukla
• Ajay Singh Negi
• Prakhar Prasad (20)
• Mahadev Subedi
• Aditya Gupta (22)
• Subho Halder (22)
• Harsh Vardhan Bopanna
• Open Security Alliance, Principal and CEO
• Jharkhand Police, Cyber Security Advisor
• Pyramid Cyber Security & Forensics, Principal Advisor
• Indian Honeynet Project, Co-Founder
• Professional skills and special interest areas
– Security consulting and advisory services for IS architecture, analysis, optimization
– Government – policy, strategy, law enforcement
– Technologies: SOC, DLP, IRM, SIEM…
– Practices: incident response, SAM, forensics, regulatory guidance…
– Community: mentoring, training, citizen outreach, India research…
• Opinionated blogger, occasional columnist, wannabe photographer
Contact Information
E: dinesh@opensecurityalliance.org
T: +91.9769890505
Twitter: @bizsprite
L: http://in.linkedin.com/in/dineshbareja
Facebook: dineshobareja
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented. Images have been
acknowledged where possible. Any company names, brand names, trade marks are mentioned only to facilitate
understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or
otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this will be wholly
unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).
Training state-of-the-art general text embeddingZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Bug Bounty Programs: Good for Government

  • 1. Bug Bounty PROGRAMS: GOOD FOR Government
    Your world, safe in my hands (Hindi tagline)
    My hands… & Your world is secured!
    Presented at The Hackers Conference, New Delhi, August 25, 2013
  • 2. Time For Real Change Is NOW!
    A security budget is inversely proportional to a CxO’s “feel-good” factor.
    Bug Bounty Programs will attract the best security brains for ~ZERO cost! NOW
  • 5. The Bounty Hunter – WILD WEST TIMES…
    He hunted humans! Better than the best gunslinger or tracker.
    (Harrison Ford as Han Solo in Star Wars)
  • 6. The Bounty Hunter – WILD SPACE AGE
    Better than the best! Mercenary gun for hire.
    (Harrison Ford as Han Solo in Star Wars)
  • 8.
    • Wild
    • Dangerous
    • Unknown
    • Constantly morphing
    • Dynamic surface
    • Virtual / intangible
    • Supports life
  • 9.
    • Ethical helper
    • Khabri (informer)
    • Responsible citizen
    • Good Samaritan
    • Honest person
  • 11. Black Hats are found among organizations and businessmen too, who will cheat the good hacker of reward and recognition!
  • 12. Star Wars Episode IV (1977) – Han Solo (Harrison Ford), to Princess Leia (Carrie Fisher). Lucasfilm / Courtesy Everett Collection
    “I'm not in it for you, princess. Look, I ain't in this for your revolution, and I expect to be well paid. I'm in it for the money.”
  • 13. Men Are Nothing Until They Are Excited
  • 14.
    • A Govt Dept was the target of spear phishing
    • The malware was put out for analysis for a bounty of 25k; this was increased to 50k due to an increase in scope and a tie between two teams in phase 1
    • The bounty hunter had to identify the malicious activity and the command centre
    • Time-bound results were expected (24 hours)
    • Maximum information and good presentation were given weightage
    • The information was of high quality and the department was able to contain the attack, the malware and the attacker
    • Market value of the work done:
      – Man-hours if the assignment had been carried out internally: min 100
      – Value of the work if I had quoted: Rs. 5,00,000
  • 16. Bounteous rewards await the Government department that starts a BB program. It is able to identify (actually) good testers who will HONESTLY disclose vulnerabilities.
  • 17.
    • Capability for security management, protection or response lies primarily with intelligence agencies
    • Departments depend on CERT-empanelled firms and carry out only a one-time assessment
    • Total lack of awareness (or respect for IS) among HoDs, and of security expertise in Ops teams
    • Most government infrastructure is waiting for a “kehar” (calamity)
    • Someone’s death wish!
  • 18.
    • Capacity and capability building sans resources
    • Lack of skills, awareness and knowledge
    • Uncertainty about the skills / ethics of testers
    • Big PPP players work (only) on big projects
    • Attain a high level of assurance at low cost
    • Supporting independent research
  • 19.
    • Fulfil our national Mission Impossible:
      – 500k IS professionals in 3 yrs
      – PPP (Public + Professional Participation will work better than Public, Private Participation)
    • Continuous testing by proven professionals
    • Critical infrastructure protection
    • Information sharing
  • 20.
    • Identify professional friends-in-need
    • Find vulnerabilities missed by your team
    • Save BIG money on housekeeping
    • Best brains in the business work free!!
    • Success-fee based – non-negotiable
    • Potential candidates for hire
    • Crowd-sourced quality control
  • 21.
    • Use a BB escrow service
    • Start one on your own or crowd-source
    • Contact hackers in the Hall of Fame
    • Reach out via social media
    • Word of mouth
    • Offer a good bounty
  • 22.
    • Companies have to be as ethical as the hackers
    • Admin – a super geek
    • Workflow / bug tracking system
    • Your terms and conditions – transparent and in plain, simple language
    • Escalation path (in case one does not agree with the admin’s decision on payout)
  • 23.
    • Open playing field for unknowns
    • Researcher sells in the underground
    • Revenge attack by an unhappy hunter
    • Rogue hacker steals data
    • Wrong, slow or improper communication
    • Dealing with young, hot professionals… OOPS!
  • 25.
    • Technically sound head geek!
    • Quick communication plan
    • Transparency
    • Acknowledge and pamper
    • Pay good money (be the best)
    • Media announcements
    • Wall of Fame
  • 27.
    • Cost of web application testing using automated open source tools = 50k to 200k
    • Cost paid by a very “aware” govt department to a CERT-empanelled ‘auditor’ = 20k to 50k; the audit firm would be foolish to carry out even one manual test!
    • With this pricing the client can forget getting anyone to even give a ‘jhalak’ (glimpse) of a commercial tool like Core, IBM, Qualys
  • 28. (Hindi tagline, as translated on the slide:) Me a big corporation, or me a big guy – it’s not good for my image or reputation
  • 29.
    Priority  Nature of Bug
    1         Remote Code Execution
    2         SQLi
    3         Authentication Bypass
    4         Privilege escalation
    5         Circumvention of web app permissions
    6         Stored XSS
    7         Reflected XSS
    8         CSRF
    9         Clickjacking
  • 30.
    • Age: 0 > 25
    • Started BH: 3 – 5 years
    • Amount of money made:
      – Y0 – Y2: about $0 – 500 (unless very lucky or good)
      – Y2 onwards: average minimum $800 – 1000 per month, growing to an average of $2 – 3k
    • Daily work life:
      – Regular life: average 6 to 8 hours daily, less on weekends
      – Bug hunting: 8 – 10 hours, more if excited, more on weekends
      – Sleep: whenever!
    • Social acceptability:
      – Y0 – Y3: BAD, parents gave up
      – Y2 onwards: great!
    • Taxable income: who knows!
    • Has PAN number, bank account
  • 31. You do not want anyone from here – visiting you… buying your data… selling your data… NO Siree!
  • 34.
    • Facebook Whitehat List https://www.facebook.com/whitehat/thanks/
    • Twitter Whitehat List https://www.twitter.com/about/security
    • Google Security Hall of Fame http://www.google.com/about/appsecurity/hall-of-fame/distinction/
    • PayPal Wall of Fame https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention
    • Dropbox "Special Thanks" for Security https://www.dropbox.com/special_thanks
    • Adobe Security Acknowledgments http://www.adobe.com/support/security/bulletins/securiacknowledgments.html
    • Apple Security Notifications http://support.apple.com/kb/HT1318
    • Zendesk Security http://www.zendesk.com/company/responsible-disclosure-policy
    • Nokia Siemens Networks Hall of Fame http://www.nokiasiemensnetworks.com/about-
  • 41.
    • Vignesh Kumar
    • Amol Naik (25/26)
    • Riyaz Walikar (24)
    • Krutarth Shukla
    • Ajay Singh Negi
    • Prakhar Prasad (20)
    • Mahadev Subedi
    • Aditya Gupta (22)
    • Subho Halder (22)
    • Harsh Vardhan Bopanna
  • 46.
    • Open Security Alliance, Principal and CEO
    • Jharkhand Police, Cyber Security Advisor
    • Pyramid Cyber Security & Forensics, Principal Advisor
    • Indian Honeynet Project, Co-Founder
    • Professional skills and special interest areas:
      – Security consulting and advisory services for IS architecture, analysis, optimization
      – Government: policy, strategy, law enforcement
      – Technologies: SOC, DLP, IRM, SIEM…
      – Practices: incident response, SAM, forensics, regulatory guidance…
      – Community: mentoring, training, citizen outreach, India research…
    • Opinionated blogger, occasional columnist, wannabe photographer
  • 47. Contact Information
    E: dinesh@opensecurityalliance.org
    T: +91.9769890505
    Twitter: @bizsprite
    L: http://in.linkedin.com/in/dineshbareja
    Facebook: dineshobareja
    Acknowledgements & Disclaimer: Various resources on the internet have been referred to in contributing to the information presented. Images have been acknowledged where possible. Any company names, brand names or trademarks are mentioned only to facilitate understanding of the message being communicated; no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this will be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).