bugcrowd, profile picture
Uploaded bybugcrowd
PPTX, PDF1,520 views

3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program

The document discusses the advantages of replacing traditional penetration testing with bug bounty programs, highlighting key differences in testers, coverage, and the payment model. Bug bounty programs involve a larger and more diverse pool of independent researchers for ongoing security assessments, while penetration tests are typically time-limited and fixed-cost. A case study from Canvas illustrates the effectiveness of bug bounties in identifying critical vulnerabilities and the growing trend towards crowdsourced security.

Technology
Related topics:
Penetration-Testing

Embed presentation

Downloaded 34 times
3 REASONS TO SWAP YOUR NEXT PEN TEST WITH A BUG BOUNTY PROGRAM
Jason Haddix, Head of Trust and Security Wade Billings, VP of Technology Services 2 YOUR SPEAKERS
AGENDA • Key differences between bug bounties and penetration testing • Definitions • Testers • Coverage • Model • Canvas by Instructure Case Study • Q&A 3 DOWNLOAD OUR REPORT ‘HEAD TO HEAD: BUG BOUNTIES VS. PENETRATION TESTING” https://bugcrowd.com/penetration-testing
WHAT IS PENETRATION TESTING? A penetration is… • A time-boxed, fixed-cost assessment • External consultants try to find as many vulnerabilities and config issues as possible and exploiting those vulnerabilities to determine the risks A penetration is NOT… • A red team assessment 4
| CONFINDENTIAL INFORMATION WHAT IS A BUG BOUNTY? 3/14/175 Independent security researchers from all over the world are recruited Vulnerabilities are found and reported Rewards are exchanged for reporting vulnerabilities in company applications
PENETRATION TESTING VS. BUG BOUNTIES: KEY DIFFERENCES 6
TESTERS: MANY VS. FEW Not only is the testing pool much larger, but it is also more diverse, providing organizations with a broad set of skills and expertise. 7
COVERAGE: ONGOING VS. POINT-IN-TIME Security assessment should be continuous, especially as development processes become more agile. Penetration testing can’t offer that coverage. Bug bounties can. 8
MANY WAYS TO USE BUG BOUNTY PROGRAMS 9 Start with invite only private program to gain experience Deliver ongoing security assurance with continuous private and/or public program Project or app specific On-Demand Start with invite only private program to gain experience Expand scope to increase value & researcher engagement
MODEL: PAY-FOR-RESULTS VS. CONTRACT- BASED Bug bounties utilize a pay-for-results model that encourages deeper and more focused testing. Higher severity bugs carry a bigger incentive. 10
11 CASE STUDY
SECURITY AT CANVAS • Published security notices • Extensive security testing • Open security audits since 2011 • Working with independent researchers
RESULTS: SIX YEARS OF PUBLIC SECURITY AUDITS 13 0 10 20 30 40 Average pen test findings 2011 - 2013 Average bug bounty findings 2014 - 2016 Non-critical vulnerabilities High-critical vulnerabilities
KEY LEARNINGS: MORE THAN JUST THE RESULTS 14
FUTURE OF BUG BOUNTIES…
| CONFINDENTIAL INFORMATION WIDE ADOPTION OF CROWDSOURCED SECURITY 3/14/1716 FINANCIAL SERVICES CONSUMER TECH RETAIL & ECOMMERE AUTOMOTIVE INFRASTRUCTURE TECH SECURITY TECHNOLOGY OTHER 2/3rd of Programs are Private
Q&A

More Related Content

PPTX
7 Bug Bounty Myths, BUSTED
bybugcrowd
 
PDF
[Webinar] The Art & Value of Bug Bounty Programs
bybugcrowd
 
PDF
4 Reasons to Crowdsource Your Pen Test
bybugcrowd
 
PPTX
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bybugcrowd
 
PPTX
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
bybugcrowd
 
PDF
Key Takeaways from Instructure's Successful Bug Bounty Program
bybugcrowd
 
PDF
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bybugcrowd
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 
7 Bug Bounty Myths, BUSTED
bybugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
bybugcrowd
 
4 Reasons to Crowdsource Your Pen Test
bybugcrowd
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bybugcrowd
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
bybugcrowd
 
Key Takeaways from Instructure's Successful Bug Bounty Program
bybugcrowd
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bybugcrowd
 
Mobile Application Security Threats through the Eyes of the Attacker
bybugcrowd
 

What's hot

PDF
Owasp LA
byleifdreizler
 
PDF
Winning open source vulnerabilities without loosing your deveopers - Azure De...
byWhiteSource
 
PPTX
Amy DeMartine - 7 Habits of Rugged DevOps
bySeniorStoryteller
 
PPTX
The State of Open Source Vulnerabilities - A WhiteSource Webinar
byWhiteSource
 
PDF
Bug Bounty Tipping Point: Strength in Numbers
bybugcrowd
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PDF
The State of Open Source Vulnerabilities Management
byWhiteSource
 
PPTX
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
PDF
Revitalizing Product Securtiy at Zephyr Health
bybugcrowd
 
PPTX
The R.O.A.D to DevOps
bySeniorStoryteller
 
PDF
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
byFINOS
 
PDF
PCI and Vulnerability Assessments - What’s Missing?
byBlack Duck by Synopsys
 
PPTX
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
byWhiteSource
 
PPTX
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
byWhiteSource
 
PDF
Failure Of Antivirus
byamarnath
 
PDF
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
PPTX
AppSecUSA 2016: 'Your License for Bug Hunting Season'
bybugcrowd
 
PDF
Tackling the Container Iceberg:How to approach security when most of your sof...
byWhiteSource
 
PDF
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
byDevSecCon
 
PDF
Getting to Know Security and Devs: Keys to Successful DevSecOps
byFranklin Mosley
 
Owasp LA
byleifdreizler
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
byWhiteSource
 
Amy DeMartine - 7 Habits of Rugged DevOps
bySeniorStoryteller
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
byWhiteSource
 
Bug Bounty Tipping Point: Strength in Numbers
bybugcrowd
 
The Journey to DevSecOps
bySeniorStoryteller
 
The State of Open Source Vulnerabilities Management
byWhiteSource
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
Revitalizing Product Securtiy at Zephyr Health
bybugcrowd
 
The R.O.A.D to DevOps
bySeniorStoryteller
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
byFINOS
 
PCI and Vulnerability Assessments - What’s Missing?
byBlack Duck by Synopsys
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
byWhiteSource
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
byWhiteSource
 
Failure Of Antivirus
byamarnath
 
Silver Lining for Miles: DevOps for Building Security Solutions
bySeniorStoryteller
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
bybugcrowd
 
Tackling the Container Iceberg:How to approach security when most of your sof...
byWhiteSource
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
byDevSecCon
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
byFranklin Mosley
 

Similar to 3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program

PPTX
LKNOG3 - Bug Bounty
byLKNOG
 
PDF
Yet another talk on bug bounty
byvinoth kumar
 
PPTX
Getting_Started_with_Bug_Bounty program.
byglcrushgaming
 
PDF
Bug Bounty Guide Tools and Resource.pdf
byhacktube5
 
DOCX
Earn Money from bug bounty
byJay Nagar
 
PDF
Bug Bounty for Blockchain Projects by Evgenia Broshevan, Project Lead at Hack...
byHackenProof
 
PDF
Testers, get into security bug bounties!
byeusebiu daniel blindu
 
PDF
Bugbounty Cybersecurity Trends and Threats 2025
byadibostoninstitute12
 
PDF
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
byeightbit
 
PPTX
Web Application Security And Getting Into Bug Bounties
bykunwaratul hax0r
 
PPTX
AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties
byCasey Ellis
 
PPTX
Bug bounties - cén scéal?
byCiaran McNally
 
PPTX
OWASP LATAM@home 2020
byPablo Garbossa
 
PDF
ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES
byCasey Ellis
 
PDF
Bug Bounties and The Path to Secure Software by 451 Research
byHackerOne
 
PDF
Webinar kym-casey-bug bounty tipping point webcast - po edits
byCasey Ellis
 
PPTX
Bug bounty programs
byYassine Aboukir
 
PDF
Hunting bugs - C0r0n4con
byAnchises Moraes
 
PDF
BSides LA/PDX
byleifdreizler
 
PDF
Enigma 2018 - Combining the Power of Builders and Breakers
byCasey Ellis
 
LKNOG3 - Bug Bounty
byLKNOG
 
Yet another talk on bug bounty
byvinoth kumar
 
Getting_Started_with_Bug_Bounty program.
byglcrushgaming
 
Bug Bounty Guide Tools and Resource.pdf
byhacktube5
 
Earn Money from bug bounty
byJay Nagar
 
Bug Bounty for Blockchain Projects by Evgenia Broshevan, Project Lead at Hack...
byHackenProof
 
Testers, get into security bug bounties!
byeusebiu daniel blindu
 
Bugbounty Cybersecurity Trends and Threats 2025
byadibostoninstitute12
 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
byeightbit
 
Web Application Security And Getting Into Bug Bounties
bykunwaratul hax0r
 
AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties
byCasey Ellis
 
Bug bounties - cén scéal?
byCiaran McNally
 
OWASP LATAM@home 2020
byPablo Garbossa
 
ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES
byCasey Ellis
 
Bug Bounties and The Path to Secure Software by 451 Research
byHackerOne
 
Webinar kym-casey-bug bounty tipping point webcast - po edits
byCasey Ellis
 
Bug bounty programs
byYassine Aboukir
 
Hunting bugs - C0r0n4con
byAnchises Moraes
 
BSides LA/PDX
byleifdreizler
 
Enigma 2018 - Combining the Power of Builders and Breakers
byCasey Ellis
 

More from bugcrowd

PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
5 Tips to Successfully Running a Bug Bounty Program
bybugcrowd
 
PDF
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bybugcrowd
 
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bybugcrowd
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PDF
Writing vuln reports that maximize payouts - Nullcon 2016
bybugcrowd
 
PDF
How to run a kick ass bug bounty program - Node Summit 2013
bybugcrowd
 
PDF
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
bybugcrowd
 
PDF
If You Can't Beat 'Em, Join 'Em
bybugcrowd
 
PPTX
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
bybugcrowd
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
5 Tips to Successfully Running a Bug Bounty Program
bybugcrowd
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bybugcrowd
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bybugcrowd
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
Writing vuln reports that maximize payouts - Nullcon 2016
bybugcrowd
 
How to run a kick ass bug bounty program - Node Summit 2013
bybugcrowd
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
bybugcrowd
 
If You Can't Beat 'Em, Join 'Em
bybugcrowd
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
bybugcrowd
 

Recently uploaded

PDF
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
PDF
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PDF
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PDF
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 

3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program

  • 1.
    3 REASONS TOSWAP YOUR NEXT PEN TEST WITH A BUG BOUNTY PROGRAM
  • 2.
    Jason Haddix, Headof Trust and Security Wade Billings, VP of Technology Services 2 YOUR SPEAKERS
  • 3.
    AGENDA • Key differencesbetween bug bounties and penetration testing • Definitions • Testers • Coverage • Model • Canvas by Instructure Case Study • Q&A 3 DOWNLOAD OUR REPORT ‘HEAD TO HEAD: BUG BOUNTIES VS. PENETRATION TESTING” https://bugcrowd.com/penetration-testing
  • 4.
    WHAT IS PENETRATIONTESTING? A penetration is… • A time-boxed, fixed-cost assessment • External consultants try to find as many vulnerabilities and config issues as possible and exploiting those vulnerabilities to determine the risks A penetration is NOT… • A red team assessment 4
  • 5.
    | CONFINDENTIAL INFORMATION WHATIS A BUG BOUNTY? 3/14/175 Independent security researchers from all over the world are recruited Vulnerabilities are found and reported Rewards are exchanged for reporting vulnerabilities in company applications
  • 6.
    PENETRATION TESTING VS.BUG BOUNTIES: KEY DIFFERENCES 6
  • 7.
    TESTERS: MANY VS. FEW Notonly is the testing pool much larger, but it is also more diverse, providing organizations with a broad set of skills and expertise. 7
  • 8.
    COVERAGE: ONGOING VS. POINT-IN-TIME Security assessmentshould be continuous, especially as development processes become more agile. Penetration testing can’t offer that coverage. Bug bounties can. 8
  • 9.
    MANY WAYS TOUSE BUG BOUNTY PROGRAMS 9 Start with invite only private program to gain experience Deliver ongoing security assurance with continuous private and/or public program Project or app specific On-Demand Start with invite only private program to gain experience Expand scope to increase value & researcher engagement
  • 10.
    MODEL: PAY-FOR-RESULTS VS. CONTRACT- BASED Bug bountiesutilize a pay-for-results model that encourages deeper and more focused testing. Higher severity bugs carry a bigger incentive. 10
  • 11.
  • 12.
    SECURITY AT CANVAS •Published security notices • Extensive security testing • Open security audits since 2011 • Working with independent researchers
  • 13.
    RESULTS: SIX YEARSOF PUBLIC SECURITY AUDITS 13 0 10 20 30 40 Average pen test findings 2011 - 2013 Average bug bounty findings 2014 - 2016 Non-critical vulnerabilities High-critical vulnerabilities
  • 14.
    KEY LEARNINGS: MORETHAN JUST THE RESULTS 14
  • 15.
    FUTURE OF BUGBOUNTIES…
  • 16.
    | CONFINDENTIAL INFORMATION WIDEADOPTION OF CROWDSOURCED SECURITY 3/14/1716 FINANCIAL SERVICES CONSUMER TECH RETAIL & ECOMMERE AUTOMOTIVE INFRASTRUCTURE TECH SECURITY TECHNOLOGY OTHER 2/3rd of Programs are Private
  • 17.

Editor's Notes

  • #2 SC Mag folks will introduce concept, take care of housekeeping and hand it over
  • #3 Spend a couple of minutes introducing yourselves and backgrounds
  • #4 Haddix to quickly outline agenda Plug = download accompanying report that is attached within the webinar screen or at the url listed
  • #5 Set framework for what we’re discussing–differentiate between red teaming and penetration testing Make sure to communicate the fact that we understand there are uses for penetration testing (and outline what those uses are) Also make sure to communicate that we’re not saying testers themselves are flawed, but the model
  • #6 Haddix
  • #7 Brief overview of next slides (acts as a summary/table of contents)
  • #8 Main message: this is why Canvas chose the crowdsourced model – more testers Stat: On average, public and private, 138 unique researchers submit on bounty programs Address: Trust Follow-up questions: How can you trust bug hunters? Wade, did you run into any internal questions about this? Do they have the necessary skills/specialized skill sets?
  • #9 Main message: continuous testing is the key to the improvement over pen testing Mention Methodology issue Follow-up questions: How did you ensure coverage of bug hunters?
  • #10 Note: I moved this slide up one for a better flow. Use this slide to talk about the different uses and talk about how Canvas is utilizing the crowdsourced model
  • #11 Don’t spend as much time on this slide… use this slide as a segue into the case study
  • #13 Wade to set framework for the Canvas story
  • #14 NOTE: Graph shows averages of 3 annual pen tests vs. 3 annual bug bounties Can also talk about each year individually–8x the first year, dip in results the second year, back up the third year Talk about QUALITY
  • #15 Wade to expand on learnings
  • #16 Wade to talk about the future of bug bounties at Canvas Haddix to talk about the future of the space…segue into logos slide (adoption)
  • #17 Haddix to expand upon the adoption, talk about private, talk about expanding testing capabilities
  • #18 Do you think every organization is ready for a bug bounty program? Can bug bounties replace all pen testing? What is the signal vs. noise in bug bounties? Is it worth it? What is the future of penetration testing? What top tier companies have switched to this model? Seems risky, how do you control rogue researchers?