Recorded on September 21, 2016, Casey Ellis, Bugcrowd CEO and Kymberlee Price, Sr. Director of Researcher Operations, explore current trends in the bug bounty market.
AppSecUSA 2016: 'Your License for Bug Hunting Season' | bugcrowd
You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs.
Talk originally given at AppSecUSA 2016 | October 13, 2016
View this on-demand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar
About the content:
Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this recorded webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world.
After viewing this presentation and on-demand webinar you will:
1. Learn if a bug bounty program is right for your organization
2. Understand if a bug bounty encourages hackers to attack your systems
3. Explore the real benefits of bug bounty programs – and find out if they actually work
4. Get insight on whether these programs are too hard and costly to manage
[Webinar] The Art & Value of Bug Bounty Programs | bugcrowd
Cybersecurity expert Keren Elazari, whose TED talk on the power of bug bounties has over a million views, joined Bugcrowd for an exclusive webinar on May 20, 2015. We did some bug bounty myth busting and trend spotting and had a great turnout.
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program | bugcrowd
This webcast will analyze the key differences between the penetration testing and bug bounty models and explore why one company replaced their pen tests over the last three years.
Build or Buy: The Barracuda Bug Bounty Story [Webinar] | bugcrowd
We sat down with two members of the Barracuda security team to talk about the evolution of their bug bounty program since its inception in 2010, to its current space with Bugcrowd.
Penetration testing is a security standard, but that doesn't mean it's the most effective means of assessment.
We'll discuss why crowdsourcing your security results in increased coverage and more complex security vulnerabilities while meeting your compliance requirements. We'll also introduce Flex, our crowdsourced pen test that provides increased results.
Key Takeaways from Instructure's Successful Bug Bounty Program | bugcrowd
Slides used during Bugcrowd's 3/5/2015 webinar with Instructure, the innovative company behind Canvas Learning Management System. Learn why they turned to crowdsourced security, and how Bugcrowd's Flex program gave them great results.
Ever wonder who runs the biggest, fastest, and most lucrative bug bounty programs on the HackerOne platform? In this list, you’ll see which programs on the HackerOne platform ranked highest on the total amount of bounties awarded to hackers over the life of the program. You’ll also be able to compare and contrast these top programs by other speed, volume, and bounty metrics.
Best Practice Next-Generation Vulnerability Management to Identify Threats, ... | Skybox Security
Speaker: Gidi Chen, CEO & Founder Skybox Security
Infosec Europe 2013
In order to effectively reduce the risks of cyber-attacks, comply with continuous monitoring requirements, and provide visibility to executives, organizations need to manage their vulnerabilities and associated risks on an ongoing basis. This is required in order to match or exceed the daily rate of attacks. Why bother to assess your risks every 90 days if you are attacked daily and your infrastructure changes frequently? The session will tackle next-generation vulnerability management strategies and best practices to: ensure that vulnerability data is current and accurate; prioritize based on risk to the business; develop a remediation strategy that works; and make vulnerability management an essential part of daily change management processes.
• Understand how to link vulnerability discovery, risk-based prioritization, and remediation activities to effectively mitigate risks
• Have real-world examples of organizations that implemented vulnerability management best practices to effectively and measurably reduce risk
• Be armed with pragmatic steps to implement next-generation vulnerability management to eliminate risks and prevent cyber attacks
International ICT Conference 2018
Sustainable Development Goals for Smart society
Kathmandu, Nepal
June 17-18, 2018
Source: https://ictframe.com/wp-content/uploads/Risk-Based-Approach-in-Cyber-Security-In-Nepal.pdf
Containing the outbreak: The healthcare security pandemic | Avecto
James Maude, Senior Security Engineer at Avecto examines the security state of play in the healthcare industry and why it’s now a prime target for hackers.
Revitalizing Product Security at Zephyr Health | bugcrowd
Zephyr Health, a quickly growing company harnessing the power of global healthcare data, has spent the last year augmenting its product security efforts. With Bugcrowd's help, they have transformed their development and overarching culture to prioritize security. Bugcrowd joins Zephyr Health's CISO, Kim Green, to hear about how she came to understand and implement crowdsourced security testing within the organization.
Live 2014 Survey Results: Open Source Development and Application Security Su... | Sonatype
Over 3,300 participated! The final results of our 4th Annual Open Source and Application Security Survey are in. Adrian Lane from Securosis and Brian Fox from Sonatype provide a detailed breakdown of the findings from a developer and an application security perspective. They discuss policies, practices, and breaches as well as how organizations can use these results to create constructive conversations to feed their open source security management practices. Get more details on the survey - http://www.sonatype.com/about/2014-open-source-software-development-survey
Over 9 billion components will be downloaded this year from the Sonatype Central Repository, representing a fundamental shift from "writing" to "assembling" applications.
Three thousand (3000) respondents to Sonatype's 2013 OSS Software Survey reported that at least 80% of their applications are comprised of components. Learn how this major shift to component assembly is driving the need for much more sophisticated component management. http://www.sonatype.com/clm/why-clm
With 74% of organizations more concerned with cybersecurity attacks than they were last year, it is important to understand the factors raising these concerns.
Why security is the kidney not the tail of the dog v3 | Ernest Staats
Security is sometimes thought of as the tail that wags the dog. A better analogy is that cybersecurity should be the kidneys of the organization, taking out the waste while allowing the useful information to pass.
Reinforcing the Revolution: The Promise and Perils of Digital Transformation | Proofpoint
Digital transformation is changing the way we do business. More than ever, your success hinges on the strength and reliability of your connections— between your workers, with your business partners, and to your customers.
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead | OpenDNS
Practice makes perfect. And unfortunately for security professionals, attackers have realized that persistence is a powerful approach to breaching an organization's defenses.
Focusing on prevention alone is no longer a sufficient strategy for securing your organization against the business risks of a breach. Our current security environment demands an approach less centered on ideal prevention and more focused on reality. During this webcast, we discussed key strategies that limit your risk and exposure to unrelenting threats.
Some highlighted topics include:
- How the shift in attacker motivations has impacted today's threat landscape
- Why preventative techniques alone can no longer ensure a secure environment
- Which strategies need to be considered for a holistic approach to security
- What next steps you can take towards identifying your best strategy against attacks
The Four(ish) Appsec Metrics You Can't Ignore | Veracode
Which metrics should we use? You might expect an “it depends” answer, but there are some metrics that are important for any application security program, regardless of audience or goals. We’ll take a look at a few of them in this post.
Webinar kym-casey-bug bounty tipping point webcast - po edits | Casey Ellis
Our 2016 State of Bug Bounty Report announced that bug bounty program adoption has increased 210% since 2013.
As more and more companies leverage the capabilities of the global researcher community to identify critical vulnerabilities, we must ask...has the bug bounty economy reached a tipping point?
Join Bugcrowd as we unpack the top trends in crowdsourced cybersecurity and review the key findings from The State of Bug Bounty Report 2016.
Webinar: https://www.brighttalk.com/webcast/14415/221275/the-bug-bounty-tipping-point-strength-in-numbers
HACKERONE
HACKER-POWERED SECURITY REPORT 2017
Executive Summary
Hacker-Powered Security: a report drawn from 800+ programs and nearly 50,000 resolved security vulnerabilities.
Bug bounty and hacker-powered security programs are becoming the norm, used by organizations as diverse as Facebook and the U.S. government. Forty-one percent of bug bounty programs were from industries other than technology in 2016. Top companies are rewarding hackers up to $900,000 a year in bounties, and bounty rewards on average have increased 16 percent for critical issues since 2015. Despite bug bounty program adoption and increased reward competitiveness, vulnerability disclosure programs still lag behind. Ninety-four percent of the Forbes Global 2000 companies do not have policies.
It's time to give security teams the tools they need to keep up with ever-faster development. This report examines the broadest platform data set available and explains why organizations like General Motors, Starbucks, Uber, the U.S. Department of Defense, Lufthansa, and Nintendo have embraced continuous, hacker-powered security.
Go to www.esgjrconsultinginc.com to learn more about Software/Network Engineering Solutions for the 21st Century Digital Economy, IoT and IoE Concepts.
Today’s marketers must embrace a new engagement strategy to adapt, anticipate, and deliver in mobile moments. Placing mobile bets solely on ads or one-off purchases isn’t enough to secure revenue and engagement—marketers have to embrace continual cycles of real-time, two-way consumer engagement.
This webinar will show marketers how to create and deliver these experiences and campaigns.
Three Mobile User Acquisition Megatrends for 2017 | Eric Seufert
I gave this presentation at Pocket Gamer Connects in London on January 16, 2017. This presentation contains three predictions of user acquisition megatrends in mobile advertising for 2017.
Executive Summary
This year's key developments will centre on online video, mobile apps and further moves towards distributed content. Mounting problems around online display advertising will lead to a burst of innovation around journalism business models.
More specifically …
· Facebook/Google/Apple battle intensifies over the future of mobile and the discovery of content
· Messaging apps continue to drive the next phase of the social revolution
· Mobile browsing speeds up thanks to initiatives by platforms and publishers
· Ad-blocker/publisher wars move to mobile - they rage through 2016
· Fraud and fake traffic further undermine faith in online advertising
· Renewed focus on paid content of different flavours (given above) including crowd funding, membership and micropayment
· Explosion of 360° video, auto-play video and vertical video (get used to it!)
· Growth of identified web (sign in and registration will be critical to delivering cross platform personal content and notifications)
· Breakthrough year for Robo-journalism; strikes in newsrooms over job losses
· Another year of spectacular cyber attacks and privacy breaches
· More measurement of attention/impact, less measurement of clicks
· Messaging apps go mainstream at work (eg Slack, Hipchat, FB at work)
· Scheduled TV viewing on the slide as more viewing shifts to on-demand
· Rebirth of audio driven by internet delivery to mobile devices
Technology to watch for
· Virtual Reality (VR) hype goes into overdrive; leaves non-gamers cold
· Artificial intelligence (AI) and messaging bots
· Bendy and flexible phones; wireless charging finally takes off
· Drones go mainstream with registration required in most countries
· Smart mirrors just one example of growing visibility of the Internet of Things
Everywhere we will see the growth of analytics and data-informed decision-making in technology, marketing and even publishing. In a few years' time, it will seem extraordinary how uninformed we once were.
Reuters Institute Digital News Report 2016 | Media, Journalism and Technology Predictions 2016 - This year's key developments will centre on online video, mobile apps and further moves towards distributed content. Mounting problems around online display advertising will lead to a burst of innovation around journalism business models.
THOMSON REUTERS FOUNDATION
Using Social Media to your advantage, whether it's promoting a business or building a career. Find out the basic steps of setting up a Facebook Ad Campaign. | Training session at AIESEC Cluj 10.09.2013
mHealth and Digital Masters : Novartis Vs Kodak | Joseph Pategou
For years, pharma companies have been trying to bring more value to patients and physicians by using mHealth.
In this study we observed the consequences of a slow transition to digital on a leader in its sector (Novartis Vs Kodak). We also think that pharma companies need to move from mHealth to Digital Masters to bring the best value to all stakeholders.
Some facts:
Digital Masters outperform their peers*:
- 26% more profitable than their average industry competitors
- 9% more revenue with their existing physical capacity
- More efficiency in their existing products and processes
- More productivity
(*): LEADING DIGITAL: Turning technology into business transformation, Harvard Business Review Press
Adobe Digital Insights Advertising Demand Report 2016: North America | Adobe
Adobe Digital Insight’s latest report, the Advertising Demand Report 2016: North America, reveals new trends around internet saturation and the now competitive space that websites face. This report dives into which advertising channels have been most beneficial to websites and consumer sentiment regarding different forms of advertising within the United States, including thoughts around personalization and what consumers are most annoyed with when it comes to advertising.
This is a version of the presentation I created to apply for a job at Duo Security for a Product Marketing position. Feel free to use the ideas however you like.
When something goes wrong in your software, you fix it. When something is wrong in an OSS package, you're beholden to community fixes and web search, and neither cares about your needs or your timeline.
In this webinar, our director of product management and OSS expert, Richard Sherrard, examines: how to know exactly what packages are used in your company; specific technical, security, and licensing hurdles that many organizations face; and what "free" actually means when it comes to OSS.
Ekoparty 2017 - The Bug Hunter's Methodology | bugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
If You Can't Beat 'Em, Join 'Em (AppSecUSA) | bugcrowd
Grant McCracken and Daniel Trauner's presentation on setting up and managing a successful bug bounty program. Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.
[Webinar] Building a Product Security Incident Response Team: Learnings from ... | bugcrowd
Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.
Grant McCracken and Daniel Trauner give tips for running a successful bug bounty program. From writing a clear bounty brief to communicating efficiently and effectively with researchers, this presentation, given originally at BSides Austin on April 1, 2016, is a great first step in thinking about running a bug bounty program.
Writing vuln reports that maximize payouts - Nullcon 2016 | bugcrowd
Writing Vuln Submissions that Maximize Your Payouts - presentation given at Nullcon 2016 by Bugcrowd's Kymberlee Price.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs | bugcrowd
Kymberlee Price's presentation from Black Hat 2015. In this presentation, Kymberlee discusses several highly critical vulnerabilities that have been uncovered through a variety of bug bounty programs and their impact on the customers. With participation from researchers and vendors, attendees will not only see some sweet vulnerabilities broken down, but also why wading through another submission from @CluelessSec might be worth it.
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV | bugcrowd
When used correctly, gamification can be one of the most effective tools for changing behavior on a large scale, but it requires more than just designing a few digital merit badges for doing security training. In this talk Kati Rodzon will discuss how games like Portal and Candy Crush were able to make millions and how those same techniques can be used to change security as we know it.
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip... | bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
Mobile Application Security Threats through the Eyes of the Attacker | bugcrowd
As an active security researcher with immense professional expertise in application security, Jason Haddix joins us to explain the common attack vectors that face today’s mobile applications -- from a hacker’s perspective.
5 Tips to Successfully Running a Bug Bounty Program | bugcrowd
Learn why bug bounties are great tools in application security, why they can be difficult, and how you can utilize them to start finding more critical vulnerabilities.
How to run a kick ass bug bounty program - Node Summit 2013 | bugcrowd
Bug bounty programs are all about getting good guys who think like bad guys to help you protect your business from application security flaws. In this workshop Casey Ellis and Chris Raethke from Bugcrowd, The Bug Bounty Company, will go through some of the tricks and tips of setting up and running a successful bug bounty program.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GridMate - End to end testing is a critical piece to ensure quality and avoid... (ThomasParaiso2)
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
UiPath Test Automation using UiPath Test Suite series, part 5 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
2. September 2016 2
Folks Leading The Discussion Today
Quick Bios
@caseyjohnellis: Founder and CEO, Bugcrowd. Recovering pentester turned solution architect turned sales guy turned entrepreneur.
@kym_possible: Senior Director of Researcher Operations, Bugcrowd. Data analyst, security evangelist, behavioral psychologist, former director of a Red Team.
3. Agenda
What Are We Covering Today?
1. What is a Bug Bounty?
2. Bug Bounty Industry Trends
3. Trends From the Researcher Community
5. What is a Bug Bounty?
For Those of You Who Are New
Think of it as a competition, where independent security researchers all over the world find & report vulnerabilities to companies and their applications in exchange for rewards.
8. What Does Bugcrowd Do?
Platform That Connects Organizations to the Researcher Community
38,000+ Researchers: with specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.
Organizations Both Big and Small: making Bug Bounties easy for every type of company through a variety of Bug Bounty Solutions.
9. State of Bug Bounty 2016
What Our Data Is Saying About the Industry
10. Where Has All Our Data Come From?
Our Success So Far
300+ total programs run on the Bugcrowd platform
64% private programs compared to 36% public
54K+ total vulnerability submissions made as of September 15, 2016
$3M+ paid out to the crowd as of September 15, 2016
38K+ researchers in the crowd as of September 15, 2016
210% program growth
11. What We Know Today
Bug Bounties Have Reached A Tipping Point
Quality: compared with traditional testing methods, bug bounties present a significant advantage
Maturation: as this model matures, with private programs gaining traction, more organizations can tap into the crowd
Growth: more organizations are adopting this model, including large enterprises and traditional industries
Impact: critical vulnerabilities are increasing in volume along with average payout per bug
12. Considerable Growth In Program Types
Market Adopting Quickly
Total number of Bounty Programs being run is on the rise: a 210% increase YOY
Private programs being adopted quicker than public programs
63% of all launched programs are private
13. Growth Across Many Verticals
Industries Utilizing A Bug Bounty
Companies of all industry types are running Bug Bounty Programs
As expected, computer software and more internet-built companies have the widest adoption
“Non-Traditional” industries (healthcare, financial services) rapidly adopting over the last 12 months
14. Growth Across All Sizes of Organizations
SMB & Enterprise
Enterprise quickly adopting over the last 12 months, accounting for 11% of programs
50% of programs run by companies with 200 employees or less due to the economic advantage
15. What is Being Found?
Volume of Valid & Original Vulnerabilities Over Time
Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016
More critical vulnerabilities being submitted
Fewer non-critical vulnerabilities being submitted
Security researchers are getting more discerning with what they submit
Organizations are getting more prescriptive with the scope and goals of programs
16. What is Being Found?
Types of Vulnerabilities
Why So Much XSS: http://bgcd.co/xss-big-bugs
XSS accounts for 66% of all valid submissions
CSRF next highest at 20% of all valid submissions
17. Why Is This Adoption Happening?
Survey Results: Top value in running a bug bounty program
20. Researchers Are Making Money
How Much Has Been Paid Out
$2,054,721 has been paid out to date to the global researcher community from 6,803 valid vulnerabilities being found
Defensive Vulnerability Pricing Model: http://bgcd.co/dvpm-2016
22. Different Types of Researchers
Survey Data: Wide Range of Age & Education
Graduate Degree: 12.76%
Some Graduate School: 4.10%
College Degree: 42.14%
Some College: 28.70%
High School Degree: 12.30%
23. Researcher Time Spent Hacking
Survey Data: Not Yet a Full Time Thing For Most
15% of the crowd is hacking on bug bounties as their primary source of income
24% of the crowd are full time developers
18% of the crowd are full time pen testers
Be on the lookout for our upcoming report on the Bugcrowd community
28. Multi Solution Bug Bounty Model Gaining Traction
Not Just About Public Programs
Public Ongoing Program: engage the collective intelligence of thousands of security researchers worldwide. The perfect solution to incentivize the continuous testing of main web properties, self-sign up apps, or anything already publicly accessible.
Private Ongoing Program: continuous testing using a private, invite-only crowd of researchers. The perfect solution to incentivize the continuous testing of apps that require specialized skill sets or that are harder to access.
On-Demand Program: project based testing using a private, invite-only crowd of researchers. The perfect solution for testing new products, major releases, new features, or anything needing a quick test for up to two weeks.
Many organizations are utilizing different types of Bug Bounty Solutions
29. Predictions and Challenges
Bug Bounties Have Reached A Tipping Point
PREDICTION: The crowd will continue to diversify and mature, creating more opportunities for organizations to utilize bug bounties for increasingly complex applications
PREDICTION: Traditional testing methods will evolve to work alongside bug bounty programs
PREDICTION: Bug bounties will shift from a “nice to have” to a “must have” for most organizations
30. Q&A
Download the full report here: http://bgcd.co/state-of-bug-bounty-2016