AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

•Download as PPTX, PDF•

0 likes•22 views

Our current approach to security assessment is inherently flawed; automation tools only find what they are programmed to find and penetration testing is extremely limited. Bug bounties build upon and improve upon these existing application security testing tools by harnessing the human creativity of the whitehat researcher community with a pay-for-results rewards model. As a cyber security veteran, Casey will analyze the evolution of the application security industry over the past several years and address why the existing tools and practices are falling short. With data from hundreds of bug bounty programs, he will also show how bug bounties are bridging the gap between companies who need to find security flaws before they’re exploited, and the hackers at the table ready to help. https://2017.conference.auscert.org.au/speaker/casey-ellis/

Technology

September 2016
AN UNLIKELY ROMANCE
THE CURRENT STATE OF BUG BOUNTIES

1/24/172
FOUNDER & CEO
FORMER PENTESTER
HACKER
DAD
YOUR SPEAKER

Financial Services Consumer Tech Retail & Ecommerce Infrastructure Technology
Automotive Security Technology Other
WIDE ADOPTION OF CROWDSOURCED SECURITY

THE HISTORY OF BUG BOUNTIES: 1995 TO PRESENT
5

REALLY, IT’S ABOUT PROTECTING THE INTERNET
6
“The Internet was so new
back then… We knew from
day one that the commercial
web was going to need
security”
Jeff Treuhaft, formerly of Netscape,
talking about the first technology bug
bounty program

7
112
Countries
50K+
Researchers
$5M+
Paid out
110
Employees
90K
Submissions
450+
Programs

WHY IS THERE AN ISSUE
TO ADDRESS?
8
Ballooning
attack surface
Cybersecurity
resource
shortage
Broken
status-quo
Active, efficient
adversaries
Application Security is Broken

BROKEN STATUS QUO
9
$7.8B
Estimated Security Assessment
Market Size by 2021
Source: http://cybersecurityventures.com/cybersecurity-market-report/

BALLOONING ATTACK SURFACE
10
20B+
Websites and Internet connected
devices
Sources: http://www.internetlivestats.com/total-number-of-websites/
https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/

CYBERSECURITY RESOURCE SHORTAGE
11
209K
Unfilled cybersecurity jobs as of
2015
Source: http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/

ACTIVE AND EFFICIENT ADVERSARIES
12
350%
Increase of breaches caused by
hacking from 2007 to 2015
Source: http://www.idtheftcenter.org/2016databreaches.html

16
Only crazy tech
companies run bug
bounty programs
Bug bounties don’t
attract talented
testers or results
They’re too hard to
manage and too
expensive
Running a bounty
program is too risky
OBJECTIONS
If the model makes sense, what is stopping you?

OBJECTION: “ONLY TECH COMPANIES
RUN BUG BOUNTY PROGRAMS”
18
30%
of all bug bounty
programs are run by
Traditional
organizations.

OBJECTION: “THEY DON’T ATTRACT
TALENTED TESTERS OR RESULTS”
19
13 HRS
In 2016, a critical issue was
reported every...

OBJECTION: “THEY DON’T ATTRACT
TALENTED TESTERS OR RESULTS”
20
KNOWLEDGE
SEEKERS
HOBBYISTS
FULL-TIMERS
VIRTUOSOS
PROTECTORS

21
“We decided to run a bug
bounty program to get
access to a wide variety of
security testers. Hiring
security researchers is very
difficult in today’s market...”
Jon Green
Sr. Director of Security
Architecture

OBJECTION: “THEY’RE TOO HARD TO MANAGE
AND TOO EXPENSIVE”
22
68%
of all bug bounty
programs are private,
invite-only.

OBJECTION: “THEY’RE TOO HARD TO MANAGE
AND TOO EXPENSIVE” (cont.)
23

$24 Efficiency and effectiveness of the crowd is really why we bring them on… it’s helped in expanding our team for a fraction of the cost. Now my internal resources are better utilized. David Baker Former CSO$

25
For us, the managed approach
reduced our required time and effort
by at least 80% allowing us to not
only focus on what matters the most,
implementing the remediations but
also freeing up our security team to
focus on other components of our
security program.”
Johnathan Hunt
VP of Information Security

OBJECTION: “RUNNING A BOUNTY PROGRAM IS
TOO RISKY”
1/24/1726
Time
Pen Test Pen Test
Zone of
Vulnerability
Blindness
Zone of
Vulnerability
Blindness
Code
Release
Code
Release
Coverage
Automation

In reality, public disclosure
incidents occur less than
.0005%
of the time
27

HOW TO HAVE A HEALTHY
RELATIONSHIP...
1/24/1728

13 HRS
In 2016, a critical issue was
reported every...
34

35
Time
Pen Test Pen Test
Zone of
Vulnerability
Blindness
Zone of
Vulnerability
Blindness
Code
Release
Code
Release
Coverage
Automation
BROKEN STATUS QUO (cont.)

Presented by: Rohyt Belani, Phishme Abstract: In the physical world, the human brain has evolved to avoid danger. The threat of physical pain triggers fear – and we have learned to avoid behavior that causes pain. In the electronic world of email, however, this concept doesn’t translate. Clicking on a malicious link or opening an attachment laced with malware doesn’t cause pain, and often a user won’t even notice anything is wrong after doing it. How then, can we teach fear perception in the electronic world? Is it even possible? In this presentation I’ll discuss how immersive training can key on psychological triggers to teach people to become skeptical email users who not only avoid undesired security behavior but can aid intrusion detection by reporting suspicious emails, helping to mitigate one of the most serious problems in security: slow incident detection times. According to reports from Mandiant and Verizon, average detection time for an incident is in the hundreds of days. A properly trained workforce is not only resilient to phishing attacks, but can improve detection times as well.

Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead

OpenDNS

Practice makes perfect. And unfortunately for security professionals, attackers have realized that persistence is a powerful approach to breaching an organization's defenses. Focusing on prevention alone is no longer a sufficient strategy for securing your organization against the business risks of a breach. Our current security environment demands an approach less centered on ideal prevention and more focused on reality. During this webcast, we discussed key strategies that limit your risk and exposure to unrelenting threats. Some highlighted topics include: - How the shift in attacker motivations has impacted today's threat landscape - Why preventative techniques alone can no longer ensure a secure environment - Which strategies need to be considered for a holistic approach to security - What next steps you can take towards identifying your best strategy against attacks

Breach Fixation: How Breaches Distort Reality And How We Should Respond- John...

EC-Council

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO’s) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives. His leadership has been instrumental in Denim Group being honored by Inc. Magazine as one of the fastest growing companies in the industry for five years in a row.

16231James Grant

EVOLVE to demand. demand to evolve by Igor Volovich

EC-Council

Igor Volovich presently serves as Vice President and head of Information Security and Cyber Risk Management of Schneider Electric for the Americas region. Schneider Electric is a global leader in energy, efficiency, process, and operations management, industrial automation software and systems, and energy and safety controls. Following a recent merger with Invensys plc, the combined enterprise represents more than 185,000 personnel working in over 120 countries, with annual revenues in excess of €23 billion.

The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez

EC-Council

Bobby Dominguez is an accomplished Internet pioneer and an acknowledged security, risk, and privacy expert. Mr. Dominguez has successfully integrated information security into top-level business initiatives at Home Shopping Network, PSCU Financial Services, and PNC Bank, where he implemented a new technology risk management framework. Under his leadership, the Sykes Global Security and Risk Management team was nominated and selected as one of the 5 best by 2008 SC Magazine “Best Security Team in the US.” Mr. Dominguez was also selected as one of the top 5 Chief Security Officers for the 2009, 2010, and 2013 SC Magazine “CSO of Year.” In 2012 he was a finalist for (ISC)2 Americas Information Security Leadership Awards.

Countering Cyber Threats

Phil Huggins FBCS CITP

What's hot

Cyber Resilience

Phil Huggins FBCS CITP

The 2018 Threatscape

Peter Wood

Resilience is the new cyber security

Phil Huggins FBCS CITP

Carbon Black: Keys to Shutting Down Attacks

Mighty Guides, Inc.

From Cybersecurity to Cyber Resilience

accenture

Alex Michael - 2017/2018 Cyber Threat Report in an Enterprise Mobile World

Pro Mrkt

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

bugcrowd

How we got domain admin

Transcendent Group

Outpost24 webinar - Improve your organizations security with red teaming

Outpost24

Cyber Resilience: Managing Cyber Shocks

Phil Huggins FBCS CITP

Case Study on Managing the Virus Hunters

Havas Worldwide

Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...

Mighty Guides, Inc.

Virus hunter

9874657408

Smart security people - Dominic White - SensePost

Harry Gunns

Outpost24 webinar - Cybersecurity readiness in the post Covid-19 world

Outpost24

A recommendation for software development responses for future

Max Justice

Cost Justifying IT Security

Michael Davis

Darren Rawlinson - Dealing with Cyber Threats in an Enterprise Mobile World

Pro Mrkt

Adam Maskatiya - Redefining Security in an Era of Digital Transformation #mid...

Pro Mrkt

Stay Ahead of Threats with Advanced Security Protection - Fortinet

MarcoTechnologies

What's hot (20)

Cyber Resilience

The 2018 Threatscape

Resilience is the new cyber security

Carbon Black: Keys to Shutting Down Attacks

From Cybersecurity to Cyber Resilience

Alex Michael - 2017/2018 Cyber Threat Report in an Enterprise Mobile World

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

How we got domain admin

Outpost24 webinar - Improve your organizations security with red teaming

Cyber Resilience: Managing Cyber Shocks

Case Study on Managing the Virus Hunters

Using Security Metrics to Drive Action in Asia Pacific - 22 Experts Share How...

Virus hunter

Smart security people - Dominic White - SensePost

Outpost24 webinar - Cybersecurity readiness in the post Covid-19 world

A recommendation for software development responses for future

Cost Justifying IT Security

Darren Rawlinson - Dealing with Cyber Threats in an Enterprise Mobile World

Adam Maskatiya - Redefining Security in an Era of Digital Transformation #mid...

Stay Ahead of Threats with Advanced Security Protection - Fortinet

Similar to AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Casey Ellis

Moti Sagey CPX keynote _Are All security products created equal

Moti Sagey מוטי שגיא

Ivanti Webinar - How to Win Budget and Influence Non-InfoSec Stakeholders

Ivanti

How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond

SecPod Technologies

It’s widely known that patch management is a major pain point for most businesses. IT teams struggle to keep systems patched and secure. Cyber-attacks are continuous and anti-virus protection alone isn’t effective. Cyber hygiene best practices need to be followed to keep organizations secure and to prevent security breaches. In this webinar, Chandrashekhar - SecPod’s Founder & CEO, Douglas Smith - BlueHat Cyber’s Senior Sales Director, and Greg Pottebaum - SecPod’s VP OEM & Strategic Alliances, demonstrate: - How to efficiently reduce the cyber-attack surface of your business - Simple strategies to improve your security management - How Blue Hat Cyber uses SanerNow to automate patch management and secure their customer’s endpoints Request a FREE Demo of SanerNow platform at: www.secpod.com About SecPod SecPod is an endpoint security and management technology company. SecPod (Security Podium, incarnated as SecPod) was founded in the year 2008. SecPod’s SanerNow platform and tools are used by MSPs and enterprises worldwide. SecPod also licenses security technology to top security vendors through its SCAP Content Professional Feed. Facebook: https://www.facebook.com/secpod/ LinkedIn: https://www.linkedin.com/company/secp... Twitter: https://twitter.com/SecPod Email us at info@secpod.com to get more details on how to secure your organisation from cyber attacks.

Application Security by Ethical Hackers

Entersoft

Entersoft is an award winning application security provider trusted by over 300 global brands. Our approach is a combination of offensive assessment, proactive monitoring and pragmatic managed security which provides highly cost effective and reliable solutions to some of the most pressing problems in Cyber Security. Through our unique model, we found bugs in Yahoo!, Blackberry, Dropbox and other 150+ organizations.

End-to-End OT SecOps Transforming from Good to Great

accenture

Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22

Cenzic

Module 1 - Evolution to Secure DevOps.pptx

aaronpham13

The 5 most trusted cyber security companies to watch.

Merry D'souza

Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx

lior mazor

Executive Perspective Building an OT Security Program from the Top Down

accenture

Elastic's recommendation on keeping services up and running with real-time vi...

FaithWestdorp

Fortify-Application_Security_Foundation_Training.pptx

YoisRoberthTapiadeLa

Fortify-Application_Security_Foundation_Training.pptx

VictoriaChavesta

Top Application Security Trends of 2012

DaveEdwards12

Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers. Application Security has become one of the top most priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to Secure your applications.

SMi Group's Oil & Gas Cyber Security conference & exhibition

Dale Butler

Presales-Present_GravityZone Products_June2023.pptx

PawachMetharattanara

Presales-Present_GravityZone Products_June2023.pptx

PawachMetharattanara

Introduction to PolySwarm

PolySwarm

Introduction to PolySwarm

BlakeReyes

Similar to AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties (20)

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Moti Sagey CPX keynote _Are All security products created equal

Ivanti Webinar - How to Win Budget and Influence Non-InfoSec Stakeholders

How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond

Application Security by Ethical Hackers

End-to-End OT SecOps Transforming from Good to Great

Top 10 Ways To Win Budget For Application Security - Cenzic.2013.05.22

Module 1 - Evolution to Secure DevOps.pptx

The 5 most trusted cyber security companies to watch.

Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx

Executive Perspective Building an OT Security Program from the Top Down

Elastic's recommendation on keeping services up and running with real-time vi...

Fortify-Application_Security_Foundation_Training.pptx

Top Application Security Trends of 2012

SMi Group's Oil & Gas Cyber Security conference & exhibition

Presales-Present_GravityZone Products_June2023.pptx

Introduction to PolySwarm

More from Casey Ellis

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

Casey Ellis

When most folks hear the word "hacker" their reaction is one of fear, but those responsible for cybersecurity are increasingly understanding the role of the "digital locksmiths" amongst us. While healthcare, power, and other CI verticals have been slower to accept crowdsourcing, adoption is well underway. In this talk, Casey Ellis will unpack the evolution of the unlikely romance between those who hack in good faith and the people who design, develop, deploy, and defend software and hardware intended for critical infrastructure and safety-critical applications.

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Casey Ellis

Bugcrowd was founded at an inflection point in the history of the Internet and awareness of cybersecurity. A lot has changed since 2012 - to the cybersecurity industry, to the technology landscape, to the view of hackers as helpful and not just harmful, and - importantly - to the awareness of cybersecurity as "everyone's problem". In 2023, we find ourselves at a similar inflection point for our space. This keynote unpacks the last 11 years as a predictor of what is next, and as an encouragement and roadmap for budding cybersecurity entrepreneurs and solutioneers.

CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd

Casey Ellis

Bug bounty or beg bounty?

Casey Ellis

The first security technology bug bounty predated the Internet by over one hundred years: Alfred C Hobbs breaking an unbreakable lock at the Great Exhibition of 1851 for the princely sum of 200 Guineas. With the acceleration of technology adoption, unintended consequences, our adversaries, and the need to quickly understand how "unhackable" things really are, it's safe to say that things have escalated since then. In 2021, there as many who benefit from engaging the good-faith hacker community as there are folks who find themselves lost in a mish-mash of term confusion, unclear expectations, and general reservations - in spite of the increasingly obvious truth that "it takes an army of allies to overcome an army of adversaries". This breakout is for both. Casey John Ellis, the Founder, Chairman, and CTO of Bugcrowd, pioneer of the crowdsourced security as-a-service category, and co-founder of The Disclose.io Project will unpack the "family tree" of vulnerability disclosure, bug bounty, and crowdsourced security testing, frame up how we got here, and facilitate a discussion from the group about where it all goes next.

ACRNA Webinar #5: Cyber Security – The Unlikely Romance

Casey Ellis

When most folks hear the word “hacker” their reaction is one of fear, but those responsible for cybersecurity are increasingly understanding the role of the “digital locksmiths” amongst us. In this talk, Casey Ellis will unpack the unlikely romance between trusted, good-faith computer hackers, and the people who build and defend software infrastructure. He’ll share insights on how this feedback loop between builders and breakers has broken out of the early-adopter technology bubble to create a more resilient Internet for more traditionally conservative industries, including those where ICS/SCADA make up the core of their business. There will also be plenty of time for Q&A, so get your questions ready!

Corncon 2021 - Inside the Unlikely Romance

Casey Ellis

It has been 20 years since Rainforest Puppy released the RFPolicy responsible disclosure policy, 11 years since Google and Facebook brought the concept of bug bounty into the eye of the security industry, and 9 years since Bugcrowd pioneered the concept of inserting a platform in the process to facilitate conversations between builders and breakers in order to level the skill and resourcing playing field against our adversaries. So, how’s it all going? Did it all turn out to be a “tech company” thing? What have the results, and the impact on cybersecurity defense been on more traditionally conservative industries, like financial services? What can the history of the relationship between helpful hackers and organizations tell us about what we’ll need for the future? In this talk, Casey Ellis (Founder, Chairman, and CTO of Bugcrowd) will unpack some salient lessons after nearly 10 years building Bugcrowd.

#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...

Casey Ellis

RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME

Casey Ellis

Just over 8 years ago bug bounty was a shiny security thing that crazy tech companies did sometimes, the concept of a digital locksmith hadn't been established in the consumer yet, and the Internet was generally a smaller and less politicized place. Casey Ellis decided it might be a good idea to "release the hounds" into the status quo, launching Bugcrowd and kicking off the crowdsourced security as a service market category, and it's safe to say that a fair bit has happened since. This keynote is for infosec practitioners and budding cybersecurity entrepreneurs, talking through what we've learned, what's changed, where I think it's all going next, and where we can position ourselves to continue making the Internet a more resilient place.

KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...

Casey Ellis

TechCrunch Early Stage 2020 - How to prioritize security at your startup

Casey Ellis

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

Casey Ellis

Of all the problems the internet has, there seems to be one that rules them all: It doesn’t understand how to work with it’s immune system. In this talk I’ll run through the past/present/future of the vulnerability disclosure, and give a run-through of disclose.io: an open-source and vendor-agnostic initiative to make conversations between builders and breakers safe, standardized, and simple. I’ll close with a Call To Action for all participants with simple ways to help and get involved.

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Casey Ellis

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Casey Ellis

Full Disclosure Debate - NBT 5

Casey Ellis

KEYNOTE: The Unlikely Romance: Part 2 - What Now?

Casey Ellis

Webinar kym-casey-bug bounty tipping point webcast - po edits

Casey Ellis

Our 2016 State of Bug Bounty Report announced that bug bounty programs adoption has increased 210% since 2013. As more and more companies leverage the capabilities of the global researcher community to identify critical vulnerabilities, we must ask...has the bug bounty economy reached a tipping point? Join Bugcrowd as we unpack the top trends in crowdsourced cybersecurity and review the key findings from The State of Bug Bounty Report 2016. Webinar: https://www.brighttalk.com/webcast/14415/221275/the-bug-bounty-tipping-point-strength-in-numbers

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

Casey Ellis

Exploring the dynamics and relationship between the hacker community and the engineering coalface. Today’s cybersecurity battle is not a fair fight. The attackers — growing in numbers and sophistication — have overwhelmed the comparatively small pool of defenders. Add an engineering team that’s economically incentivized to ignore security, and you’re off to a bad start. This talk is story of what happens to engineers the first time some random kid 8,000 miles away hacks their stuff as a part of their bug bounty. It’s about its outsourcing the creation of the “oh shit” moment, and seeing your engineering team become a blue team. Why is this about pairing engineering teams with hackers specifically? Because it addresses a marked gap: people who build things for a living paired with people who break things for a living.

AppSecUSA - Your License for Bug Hunting Season

Casey Ellis

Tweet Share You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs. Video: https://www.youtube.com/watch?v=ziUUyA0-zwg

Introducing Bugcrowd

Casey Ellis

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

Casey Ellis

More from Casey Ellis (20)

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd

Bug bounty or beg bounty?

ACRNA Webinar #5: Cyber Security – The Unlikely Romance

Corncon 2021 - Inside the Unlikely Romance

#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...

RELEASE THE HOUNDS, PART 2: 9 YEARS IS A LONG ASS TIME

KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...

TechCrunch Early Stage 2020 - How to prioritize security at your startup

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Full Disclosure Debate - NBT 5

KEYNOTE: The Unlikely Romance: Part 2 - What Now?

Webinar kym-casey-bug bounty tipping point webcast - po edits

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

AppSecUSA - Your License for Bug Hunting Season

Introducing Bugcrowd

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

Recently uploaded

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Overview.pdf

Elevating Tactical DDD Patterns Through Object Calisthenics

Securing your Kubernetes cluster_ a step-by-step guide to success !

UiPath Test Automation using UiPath Test Suite series, part 4

Epistemic Interaction - tuning interfaces to provide information for AI support

By Design, not by Accident - Agile Venture Bolzano 2024

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

National Security Agency - NSA mobile device best practices

Video Streaming: Then, Now, and in the Future

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Introduction to CHERI technology - Cybersecurity

GridMate - End to end testing is a critical piece to ensure quality and avoid...

PHP Frameworks: I want to break free (IPC Berlin 2024)

Essentials of Automations: The Art of Triggers and Actions in FME

Uni Systems Copilot event_05062024_C.Vlachos.pdf

DevOps and Testing slides at DASA Connect

The Art of the Pitch: WordPress Relationships and Sales

PCI PIN Basics Webinar from the Controlcase Team

Microsoft - Power Platform_G.Aspiotis.pdf

Generative AI Deep Dive: Advancing from Proof of Concept to Production

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

1. September 2016 AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

2. 1/24/172 FOUNDER & CEO FORMER PENTESTER HACKER DAD YOUR SPEAKER

3. Financial Services Consumer Tech Retail & Ecommerce Infrastructure Technology Automotive Security Technology Other WIDE ADOPTION OF CROWDSOURCED SECURITY

4. WHAT IS A BUG BOUNTY? 4

5. THE HISTORY OF BUG BOUNTIES: 1995 TO PRESENT 5

6. REALLY, IT’S ABOUT PROTECTING THE INTERNET 6 “The Internet was so new back then… We knew from day one that the commercial web was going to need security” Jeff Treuhaft, formerly of Netscape, talking about the first technology bug bounty program

7. 7 112 Countries 50K+ Researchers $5M+ Paid out 110 Employees 90K Submissions 450+ Programs

8. WHY IS THERE AN ISSUE TO ADDRESS? 8 Ballooning attack surface Cybersecurity resource shortage Broken status-quo Active, efficient adversaries Application Security is Broken

9. BROKEN STATUS QUO 9 $7.8B Estimated Security Assessment Market Size by 2021 Source: http://cybersecurityventures.com/cybersecurity-market-report/

10. BALLOONING ATTACK SURFACE 10 20B+ Websites and Internet connected devices Sources: http://www.internetlivestats.com/total-number-of-websites/ https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/

11. CYBERSECURITY RESOURCE SHORTAGE 11 209K Unfilled cybersecurity jobs as of 2015 Source: http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/

12. ACTIVE AND EFFICIENT ADVERSARIES 12 350% Increase of breaches caused by hacking from 2007 to 2015 Source: http://www.idtheftcenter.org/2016databreaches.html

13. A SIMPLE SOLUTION… 13

14. September 2016

15. 15

16. 16 Only crazy tech companies run bug bounty programs Bug bounties don’t attract talented testers or results They’re too hard to manage and too expensive Running a bounty program is too risky OBJECTIONS If the model makes sense, what is stopping you?

17. IT’S WORTH IT. 17

18. OBJECTION: “ONLY TECH COMPANIES RUN BUG BOUNTY PROGRAMS” 18 30% of all bug bounty programs are run by Traditional organizations.

19. OBJECTION: “THEY DON’T ATTRACT TALENTED TESTERS OR RESULTS” 19 13 HRS In 2016, a critical issue was reported every...

20. OBJECTION: “THEY DON’T ATTRACT TALENTED TESTERS OR RESULTS” 20 KNOWLEDGE SEEKERS HOBBYISTS FULL-TIMERS VIRTUOSOS PROTECTORS

21. 21 “We decided to run a bug bounty program to get access to a wide variety of security testers. Hiring security researchers is very difficult in today’s market...” Jon Green Sr. Director of Security Architecture

22. OBJECTION: “THEY’RE TOO HARD TO MANAGE AND TOO EXPENSIVE” 22 68% of all bug bounty programs are private, invite-only.

23. OBJECTION: “THEY’RE TOO HARD TO MANAGE AND TOO EXPENSIVE” (cont.) 23

24. 24 Efficiency and effectiveness of the crowd is really why we bring them on… it’s helped in expanding our team for a fraction of the cost. Now my internal resources are better utilized. David Baker Former CSO

25. 25 For us, the managed approach reduced our required time and effort by at least 80% allowing us to not only focus on what matters the most, implementing the remediations but also freeing up our security team to focus on other components of our security program.” Johnathan Hunt VP of Information Security

26. OBJECTION: “RUNNING A BOUNTY PROGRAM IS TOO RISKY” 1/24/1726 Time Pen Test Pen Test Zone of Vulnerability Blindness Zone of Vulnerability Blindness Code Release Code Release Coverage Automation

27. In reality, public disclosure incidents occur less than .0005% of the time 27

28. HOW TO HAVE A HEALTHY RELATIONSHIP... 1/24/1728

29. ALIGN EXPECTATIONS 1/24/1729

30. COMMUNICATE OPENLY 1/24/1730

31. PAY FAST, PAY WELL 1/24/1731

32. QUESTIONS? 1/24/1732

33. WHAT ARE YOU WAITING FOR? 33

34. 13 HRS In 2016, a critical issue was reported every... 34

35. 35 Time Pen Test Pen Test Zone of Vulnerability Blindness Zone of Vulnerability Blindness Code Release Code Release Coverage Automation BROKEN STATUS QUO (cont.)

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Similar to AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties (20)

More from Casey Ellis

More from Casey Ellis (20)

Recently uploaded

Recently uploaded (20)

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties