SlideShare a Scribd company logo
4 REASONS TO CROWDSOURCE YOUR PENETRATION TEST
The premier platform for crowdsourced cybersecurity.
casey@bugcrowd.com
jcran@bugcrowd.com
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
The Problem
Security is not a
fair fight.
How do you level
your playing field?
HACKED
HACKED
HACKED HACKED
HACKED
HACKED
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
About your presenters
@caseyjohnellis
Founder and CEO, Bugcrowd
Recovering pentester turned
solution architect turned sales guy
turned entrepreneur
Founder and CEO of Bugcrowd
@jcran
VP Delivery, Bugcrowd
Bugcrowd researcher turned
operations lead
Formerly @Rapid7, @Metasploit,
@PwnieExpress
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
Bugcrowd Products
Crowdsourced security to fit your needs
Free
Responsible Disclosure
Capped cost
Ad-hoc or continuous
Elite tier researchers
Flex Bounty
Continuous testing
Monthly fee + transaction fee
Bug Bounty
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
What is Flex?
• A bug bounty in the format of a penetration test
• Typically a 2 week, fixed cost, fixed timeline project
• Private (vetted researchers) or open
• Bugcrowd does vulnerability analysis
• Deliverable:
• Report with overview and verified vulnerabilities
• Access to platform and researchers
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
Use cases
• A more effective web, mobile and/or IOT penetration test
• Lots of effort in a short timeframe
• Ideal for short testing windows
• Rapid deployment testing
• New products or features, supplier due diligence,
acquisitions, etc
• Precursor to a public bug bounty program (i.e. what is my
*real* security posture)
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
How does it work?
• Program Setup
• Program Kickoff and Invitations
• Program Runs [2 weeks on average]
• Analysis [96 hours on average]
• Report Delivery and Access
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
4 Reasons to Crowdsource Your
Penetration Test
• Pay for results not effort
• Engage diverse skill-sets
• A Reward model that encourages depth and breadth
• Higher total effort
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
Pay for results not effort
• 193 Average number of submissions per program
• 45 Average number of valid submissions
• $256 Average cost per bug (How much does it cost now?)
• Average Priority from 1 (showstopper) to 5 (won’t fix):
3.88
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
Engage diverse skill-sets
• Vast array of specialties
• Web Application, Network, Mobile, Hardware
• Testing styles and patterns vary wildly
• Have questions? Engage the researchers at the end of
the program
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
A reward model that encourages
depth and breadth
• Top 3 issues get a significant percentage of the
reward pool
• All “unplaced” submissions get the remainder
• Sliding scale varies on the difficulty of the
application and prior testing results
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
Higher total effort
• Up to 80 hours of effort in the first 8 hours
• At least 160 man-hours per bounty
• Activity depends on incentives
CONFIDENTIAL. DO NOT DISTRIBUTE.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
Summary
• Cost effective, quick, high quality results
• Capped cost and capped timeline
• Great way to prepare for an ongoing bounty program
• Flex model incentivizes both breadth and depth
Questions?
https://bugcrowd.com
sales@bugcrowd.com
@caseyjohnellis
@jcran

More Related Content

What's hot

5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
bugcrowd
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOps
SeniorStoryteller
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
SeniorStoryteller
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
SeniorStoryteller
 
The State of Open Source Vulnerabilities Management
The State of Open Source Vulnerabilities ManagementThe State of Open Source Vulnerabilities Management
The State of Open Source Vulnerabilities Management
WhiteSource
 
Taking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelTaking Open Source Security to the Next Level
Taking Open Source Security to the Next Level
WhiteSource
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOpsGetting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOps
Franklin Mosley
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskInnocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
WhiteSource
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the Way
SeniorStoryteller
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testing
jananya213
 
Bug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in NumbersBug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in Numbers
bugcrowd
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
SeniorStoryteller
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'
bugcrowd
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
WhiteSource
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarThe State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource Webinar
WhiteSource
 
Tackling the Container Iceberg:How to approach security when most of your sof...
Tackling the Container Iceberg:How to approach security when most of your sof...Tackling the Container Iceberg:How to approach security when most of your sof...
Tackling the Container Iceberg:How to approach security when most of your sof...
WhiteSource
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
 The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
WhiteSource
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
Cigital
 

What's hot (20)

5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOps
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
 
The State of Open Source Vulnerabilities Management
The State of Open Source Vulnerabilities ManagementThe State of Open Source Vulnerabilities Management
The State of Open Source Vulnerabilities Management
 
Taking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelTaking Open Source Security to the Next Level
Taking Open Source Security to the Next Level
 
Getting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOpsGetting to Know Security and Devs: Keys to Successful DevSecOps
Getting to Know Security and Devs: Keys to Successful DevSecOps
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskInnocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the Way
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration Testing
 
Bug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in NumbersBug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in Numbers
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource WebinarThe State of Open Source Vulnerabilities - A WhiteSource Webinar
The State of Open Source Vulnerabilities - A WhiteSource Webinar
 
Tackling the Container Iceberg:How to approach security when most of your sof...
Tackling the Container Iceberg:How to approach security when most of your sof...Tackling the Container Iceberg:How to approach security when most of your sof...
Tackling the Container Iceberg:How to approach security when most of your sof...
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
 The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour... The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
 

Similar to 4 Reasons to Crowdsource Your Pen Test

Owasp LA
Owasp LAOwasp LA
Owasp LA
leifdreizler
 
Fundamentals of crowdsourced testing
Fundamentals of crowdsourced testingFundamentals of crowdsourced testing
Fundamentals of crowdsourced testing
Nicholas Roberts
 
Shifting left: Continuous testing for better app quality and security
Shifting left: Continuous testing for better app quality and securityShifting left: Continuous testing for better app quality and security
Shifting left: Continuous testing for better app quality and security
NowSecure
 
Integrating Automated Testing into DevOps
Integrating Automated Testing into DevOpsIntegrating Automated Testing into DevOps
Integrating Automated Testing into DevOps
TechWell
 
A Decade of DevOps: Design Patterns for Future-Proofing Your DevOps Strategy
A Decade of DevOps: Design Patterns for Future-Proofing Your DevOps StrategyA Decade of DevOps: Design Patterns for Future-Proofing Your DevOps Strategy
A Decade of DevOps: Design Patterns for Future-Proofing Your DevOps Strategy
DevOps.com
 
Web Application Security And Getting Into Bug Bounties
Web Application Security And Getting Into Bug BountiesWeb Application Security And Getting Into Bug Bounties
Web Application Security And Getting Into Bug Bounties
kunwaratul hax0r
 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017  - Rumours of our Demise Have Been Greatly ExaggeratedCrikeyCon 2017  - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
eightbit
 
Patterns of Automation: Simplify Your Test Code
Patterns of Automation: Simplify Your Test CodePatterns of Automation: Simplify Your Test Code
Patterns of Automation: Simplify Your Test Code
TechWell
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
Shubham Gupta
 
Continuous delivery is more than dev ops
Continuous delivery is more than dev opsContinuous delivery is more than dev ops
Continuous delivery is more than dev ops
Agile Montréal
 
Quality Assurance and its Importance in Software Industry by Aman Shukla
Quality Assurance and its Importance in Software Industry by Aman ShuklaQuality Assurance and its Importance in Software Industry by Aman Shukla
Quality Assurance and its Importance in Software Industry by Aman Shukla
AbhishekKumar773294
 
Best Practices for Shifting Left Performance and Accessibility Testing
Best Practices for Shifting Left Performance and Accessibility TestingBest Practices for Shifting Left Performance and Accessibility Testing
Best Practices for Shifting Left Performance and Accessibility Testing
Perfecto by Perforce
 
Samal biswa manual tester-functional-accessibility
Samal biswa manual tester-functional-accessibilitySamal biswa manual tester-functional-accessibility
Samal biswa manual tester-functional-accessibility
samal biswa
 
Optimizely Product Vision: The Future of Experimentation
Optimizely Product Vision: The Future of ExperimentationOptimizely Product Vision: The Future of Experimentation
Optimizely Product Vision: The Future of Experimentation
Optimizely
 
Top 10 Benefits of Crowd Testing
Top 10 Benefits of Crowd TestingTop 10 Benefits of Crowd Testing
Top 10 Benefits of Crowd Testing
KiwiQA
 
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
GRUC
 
Should I Partner with an Outsourced QA Provider for Security Testing?
Should I Partner with an Outsourced QA Provider for Security Testing?Should I Partner with an Outsourced QA Provider for Security Testing?
Should I Partner with an Outsourced QA Provider for Security Testing?
QASource
 
AdTech at Scale: from the classroom to the industry
AdTech at Scale: from the classroom to the industryAdTech at Scale: from the classroom to the industry
AdTech at Scale: from the classroom to the industry
Bernardo de Seabra
 
Product Vs Craft
Product Vs CraftProduct Vs Craft
Product Vs Craft
MagenTys
 
Seven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing TransitionSeven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing Transition
TechWell
 

Similar to 4 Reasons to Crowdsource Your Pen Test (20)

Owasp LA
Owasp LAOwasp LA
Owasp LA
 
Fundamentals of crowdsourced testing
Fundamentals of crowdsourced testingFundamentals of crowdsourced testing
Fundamentals of crowdsourced testing
 
Shifting left: Continuous testing for better app quality and security
Shifting left: Continuous testing for better app quality and securityShifting left: Continuous testing for better app quality and security
Shifting left: Continuous testing for better app quality and security
 
Integrating Automated Testing into DevOps
Integrating Automated Testing into DevOpsIntegrating Automated Testing into DevOps
Integrating Automated Testing into DevOps
 
A Decade of DevOps: Design Patterns for Future-Proofing Your DevOps Strategy
A Decade of DevOps: Design Patterns for Future-Proofing Your DevOps StrategyA Decade of DevOps: Design Patterns for Future-Proofing Your DevOps Strategy
A Decade of DevOps: Design Patterns for Future-Proofing Your DevOps Strategy
 
Web Application Security And Getting Into Bug Bounties
Web Application Security And Getting Into Bug BountiesWeb Application Security And Getting Into Bug Bounties
Web Application Security And Getting Into Bug Bounties
 
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017  - Rumours of our Demise Have Been Greatly ExaggeratedCrikeyCon 2017  - Rumours of our Demise Have Been Greatly Exaggerated
CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated
 
Patterns of Automation: Simplify Your Test Code
Patterns of Automation: Simplify Your Test CodePatterns of Automation: Simplify Your Test Code
Patterns of Automation: Simplify Your Test Code
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
Continuous delivery is more than dev ops
Continuous delivery is more than dev opsContinuous delivery is more than dev ops
Continuous delivery is more than dev ops
 
Quality Assurance and its Importance in Software Industry by Aman Shukla
Quality Assurance and its Importance in Software Industry by Aman ShuklaQuality Assurance and its Importance in Software Industry by Aman Shukla
Quality Assurance and its Importance in Software Industry by Aman Shukla
 
Best Practices for Shifting Left Performance and Accessibility Testing
Best Practices for Shifting Left Performance and Accessibility TestingBest Practices for Shifting Left Performance and Accessibility Testing
Best Practices for Shifting Left Performance and Accessibility Testing
 
Samal biswa manual tester-functional-accessibility
Samal biswa manual tester-functional-accessibilitySamal biswa manual tester-functional-accessibility
Samal biswa manual tester-functional-accessibility
 
Optimizely Product Vision: The Future of Experimentation
Optimizely Product Vision: The Future of ExperimentationOptimizely Product Vision: The Future of Experimentation
Optimizely Product Vision: The Future of Experimentation
 
Top 10 Benefits of Crowd Testing
Top 10 Benefits of Crowd TestingTop 10 Benefits of Crowd Testing
Top 10 Benefits of Crowd Testing
 
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
Webcast Presentation: Accelerate Continuous Delivery with Development Testing...
 
Should I Partner with an Outsourced QA Provider for Security Testing?
Should I Partner with an Outsourced QA Provider for Security Testing?Should I Partner with an Outsourced QA Provider for Security Testing?
Should I Partner with an Outsourced QA Provider for Security Testing?
 
AdTech at Scale: from the classroom to the industry
AdTech at Scale: from the classroom to the industryAdTech at Scale: from the classroom to the industry
AdTech at Scale: from the classroom to the industry
 
Product Vs Craft
Product Vs CraftProduct Vs Craft
Product Vs Craft
 
Seven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing TransitionSeven Keys to Navigating Your Agile Testing Transition
Seven Keys to Navigating Your Agile Testing Transition
 

More from bugcrowd

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
bugcrowd
 
If You Can't Beat 'Em, Join 'Em
 If You Can't Beat 'Em, Join 'Em If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em
bugcrowd
 
Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016
bugcrowd
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Health
bugcrowd
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVHow Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
bugcrowd
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013
bugcrowd
 

More from bugcrowd (10)

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
 
If You Can't Beat 'Em, Join 'Em
 If You Can't Beat 'Em, Join 'Em If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em
 
Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Health
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVHow Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013How to run a kick ass bug bounty program - Node Summit 2013
How to run a kick ass bug bounty program - Node Summit 2013
 

Recently uploaded

KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
Emre Gündoğdu
 
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
Web Inspire
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
DocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptxDocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptx
AmitTuteja9
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENTUnlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
rajesh344555
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
Federico Ast
 
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. ITNetwork Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Sarthak Sobti
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
Febless Hernane
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
narwatsonia7
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
rajesh344555
 

Recently uploaded (15)

KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
 
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
DocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptxDocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptx
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENTUnlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
 
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. ITNetwork Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
 

4 Reasons to Crowdsource Your Pen Test

  • 1. 4 REASONS TO CROWDSOURCE YOUR PENETRATION TEST The premier platform for crowdsourced cybersecurity. casey@bugcrowd.com jcran@bugcrowd.com
  • 2. All content (c) Bugcrowd Inc, 2014 - All rights reserved. The Problem Security is not a fair fight. How do you level your playing field? HACKED HACKED HACKED HACKED HACKED HACKED
  • 3. All content (c) Bugcrowd Inc, 2014 - All rights reserved. About your presenters @caseyjohnellis Founder and CEO, Bugcrowd Recovering pentester turned solution architect turned sales guy turned entrepreneur Founder and CEO of Bugcrowd @jcran VP Delivery, Bugcrowd Bugcrowd researcher turned operations lead Formerly @Rapid7, @Metasploit, @PwnieExpress
  • 4. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Bugcrowd Products Crowdsourced security to fit your needs Free Responsible Disclosure Capped cost Ad-hoc or continuous Elite tier researchers Flex Bounty Continuous testing Monthly fee + transaction fee Bug Bounty
  • 5. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. What is Flex? • A bug bounty in the format of a penetration test • Typically a 2 week, fixed cost, fixed timeline project • Private (vetted researchers) or open • Bugcrowd does vulnerability analysis • Deliverable: • Report with overview and verified vulnerabilities • Access to platform and researchers
  • 6. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Use cases • A more effective web, mobile and/or IOT penetration test • Lots of effort in a short timeframe • Ideal for short testing windows • Rapid deployment testing • New products or features, supplier due diligence, acquisitions, etc • Precursor to a public bug bounty program (i.e. what is my *real* security posture)
  • 7. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. How does it work? • Program Setup • Program Kickoff and Invitations • Program Runs [2 weeks on average] • Analysis [96 hours on average] • Report Delivery and Access
  • 8. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved.
  • 9. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved.
  • 10. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. 4 Reasons to Crowdsource Your Penetration Test • Pay for results not effort • Engage diverse skill-sets • A Reward model that encourages depth and breadth • Higher total effort
  • 11. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Pay for results not effort • 193 Average number of submissions per program • 45 Average number of valid submissions • $256 Average cost per bug (How much does it cost now?) • Average Priority from 1 (showstopper) to 5 (won’t fix): 3.88
  • 12. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Engage diverse skill-sets • Vast array of specialties • Web Application, Network, Mobile, Hardware • Testing styles and patterns vary wildly • Have questions? Engage the researchers at the end of the program
  • 13. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. A reward model that encourages depth and breadth • Top 3 issues get a significant percentage of the reward pool • All “unplaced” submissions get the remainder • Sliding scale varies on the difficulty of the application and prior testing results
  • 14. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Higher total effort • Up to 80 hours of effort in the first 8 hours • At least 160 man-hours per bounty • Activity depends on incentives
  • 15. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Summary • Cost effective, quick, high quality results • Capped cost and capped timeline • Great way to prepare for an ongoing bounty program • Flex model incentivizes both breadth and depth