TechCrunch Early Stage 2020 - How to prioritize security at your startup

•

0 likes•829 views

Security is one of the most important things for a startup to focus on, but many struggle to dedicate time, resources, or budget to protect against something you never want to happen. How should startups prioritize security, and what do emerging companies need to know?

Technology

bugcrowd.com/try-bugcrowd
How to prioritize security
for your startup
Casey John Ellis
TechCrunch Early Stage
July 2020

bugcrowd.com/try-bugcrowd
You’re probably *not* prioritizing
security at your startup…

bugcrowd.com/try-bugcrowd
…this workshop will help.

bugcrowd.com/try-bugcrowd
whoami
Founder/Chairman/CTO of Bugcrowd
20 years in information security
Hacker >> Pentester >> Solution Architect >> Entrepreneur
Pioneered Crowdsourced Security as-a-Service
Proud Australian, husband, and father of two
Based in San Francisco, CA
$ sudo hack.sh $ sudo hustle.sh

bugcrowd.com/try-bugcrowd
…what is Bugcrowd?

bugcrowd.com/try-bugcrowd
> Contain a army of hackers
> Ask the entire Internet to try and break in to us 24x7
> Convince the market that hackers are OK
> Safely store customer vulnerability data
> Lead the category in our own cybersecurity
Our ﬁrst day…

bugcrowd.com/try-bugcrowd
…as well as the normal stuﬀ

bugcrowd.com/try-bugcrowd
> Create and validate a category
> Move fast and break things
> Nail product/market ﬁt
> Fundraise and hire
> Out-execute the eventual competition
> Figure out how to immigrate
> Comply with privacy and security regulation
> Get mad write-ups in Techcrunch
> Convince big customer we aren't going to get hacked
> etc, etc, etc...

bugcrowd.com/try-bugcrowd
Sounds crazy, right?

bugcrowd.com/try-bugcrowd
8 years later
> 80M USD raised
> 100,000s of vulnerabilities annihilated
> 1,000s of hackers paid
> Oﬃces in 5 countries
> Customers from DoD to 10-person upstarts

bugcrowd.com/try-bugcrowd
Takeaway #1
Teach your business to wash it’s
hands while it’s still young.

bugcrowd.com/try-bugcrowd
Kill password re-use:
Use an enterprise password manager.

bugcrowd.com/try-bugcrowd
Use two-factor authentication:
Force it where you can.

bugcrowd.com/try-bugcrowd
Apply updates:
Automate them wherever you can.

bugcrowd.com/try-bugcrowd
Use platforms:
Insource your core, outsource your context.

bugcrowd.com/try-bugcrowd
Takeaway #2
Make secure easy
and insecure obvious.

bugcrowd.com/try-bugcrowd
Avoid singular failure:
Have two primary owners on key service accounts.

bugcrowd.com/try-bugcrowd
Instill productive paranoia in your entire team.
Security isn’t just an engineering problem.

bugcrowd.com/try-bugcrowd
Get your sales, marketing, and ﬁnance people on
Chromebooks BEFORE you hit 20 employees…
Just trust me on this one.

bugcrowd.com/try-bugcrowd
Takeaway #3
Security sells product.

bugcrowd.com/try-bugcrowd
Be ready for security feedback from the Internet with
a vulnerability disclosure program.
https://www.bugcrowd.com/try-bugcrowd

bugcrowd.com/try-bugcrowd
COMPLIANCE IS AWESOME!!!
Pick a requirement that makes sense, meet it, ﬁnd the
next one, lather, rinse, repeat.

bugcrowd.com/try-bugcrowd
Startups are all about managing
risks.
Which ones to take.
Which ones to avoid.

bugcrowd.com/try-bugcrowd
Cybersecurity is just another risk.

Start working on it today!
https://www.bugcrowd.com/try-bugcrowd

bugcrowd.com/try-bugcrowd
Thankyou!
Questions?
@caseyjohnellis
casey@bugcrowd.com
@bugcrowd
www.bugcrowd.com
greetz to @zackwhittaker and the @techcrunch team, the bugcrowders,
@codesoda, @wendynather and the duo crew, and @haroonmeer

Just over 8 years ago bug bounty was a shiny security thing that crazy tech companies did sometimes, the concept of a digital locksmith hadn't been established in the consumer yet, and the Internet was generally a smaller and less politicized place. Casey Ellis decided it might be a good idea to "release the hounds" into the status quo, launching Bugcrowd and kicking off the crowdsourced security as a service market category, and it's safe to say that a fair bit has happened since. This keynote is for infosec practitioners and budding cybersecurity entrepreneurs, talking through what we've learned, what's changed, where I think it's all going next, and where we can position ourselves to continue making the Internet a more resilient place.

#AusCERT2021 - Inside The Unlikely Romance Crowdsourced Security from a Finan...

Casey Ellis

It has been 20 years since Rainforest Puppy released the RFPolicy responsible disclosure policy, 11 years since Google and Facebook brought the concept of bug bounty into the eye of the security industry, and 9 years since Bugcrowd pioneered the concept of inserting a platform in the process to facilitate conversations between builders and breakers in order to level the skill and resourcing playing field against our adversaries. So, how’s it all going? Did it all turn out to be a “tech company” thing? What have the results, and the impact on cybersecurity defense been on more traditionally conservative industries, like financial services? What can the history of the relationship between helpful hackers and organizations tell us about what we’ll need for the future? In this talk, Casey Ellis (Founder, Chairman, and CTO of Bugcrowd) will unpack some salient lessons after nearly 10 years building Bugcrowd.

Corncon 2021 - Inside the Unlikely Romance

Casey Ellis

KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...

Casey Ellis

Bug bounty or beg bounty?

Casey Ellis

The first security technology bug bounty predated the Internet by over one hundred years: Alfred C Hobbs breaking an unbreakable lock at the Great Exhibition of 1851 for the princely sum of 200 Guineas. With the acceleration of technology adoption, unintended consequences, our adversaries, and the need to quickly understand how "unhackable" things really are, it's safe to say that things have escalated since then. In 2021, there as many who benefit from engaging the good-faith hacker community as there are folks who find themselves lost in a mish-mash of term confusion, unclear expectations, and general reservations - in spite of the increasingly obvious truth that "it takes an army of allies to overcome an army of adversaries". This breakout is for both. Casey John Ellis, the Founder, Chairman, and CTO of Bugcrowd, pioneer of the crowdsourced security as-a-service category, and co-founder of The Disclose.io Project will unpack the "family tree" of vulnerability disclosure, bug bounty, and crowdsourced security testing, frame up how we got here, and facilitate a discussion from the group about where it all goes next.

ACRNA Webinar #5: Cyber Security – The Unlikely Romance

Casey Ellis

When most folks hear the word “hacker” their reaction is one of fear, but those responsible for cybersecurity are increasingly understanding the role of the “digital locksmiths” amongst us. In this talk, Casey Ellis will unpack the unlikely romance between trusted, good-faith computer hackers, and the people who build and defend software infrastructure. He’ll share insights on how this feedback loop between builders and breakers has broken out of the early-adopter technology bubble to create a more resilient Internet for more traditionally conservative industries, including those where ICS/SCADA make up the core of their business. There will also be plenty of time for Q&A, so get your questions ready!

KEYNOTE: The Unlikely Romance: Part 2 - What Now?

Casey Ellis

How to steal and modify data using Business Logic flaws - Insecure Direct Obj...

Frans Rosén

This document discusses insecure direct object references (IDOR), which occur when a developer exposes references like file or database keys without access control. This allows attackers to access unauthorized data by manipulating the references. The document provides examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, and WordPress. It emphasizes having a generic access control model, using user IDs instead of numeric IDs, and thoroughly reviewing code to prevent IDOR issues.

Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.

20160613 TNC TERENA

University of Twente

Top 10 Web Hacking Techniques of 2014

Quick Heal Technologies Ltd.

WordPress Security 2014 - The Basics of Security

Tony Perez

The document discusses WordPress security best practices. It outlines 5 key challenges: knowledge/awareness, administration, extensibility, credentials, and end-users. Some recommendations include employing a website firewall, filtering access by IP, keeping software updated, disabling PHP execution and plugin/theme editing, using secure connections like SFTP/SSH, and backing up sites including databases. The goal is risk reduction through defense in depth using multiple layers of security.

Hackfest presentation.pptx

Peter Yaworski

NetVU Tech-4290/4390

jreverri

This document provides a list of security resources and blogs that can be used to stay informed about the latest threats and best practices for securing a network. It includes over 20 links to sites run by organizations like the Sans Internet Storm Center, Microsoft Malware Protection Center, and various security experts. The document also provides photo credits for any images used in an accompanying presentation.

Community Career Center: The Beginner’s Guide to LastPass

Keitaro Matsuoka

You know you are supposed to use a password manager. In my workshops, attendees often ask me how I manage my passwords, and my answer is to use LastPass. At first glance, it seems like password managers are a pain to set up. Good news: getting started with a password manager is easier than you think. In this workshop, I will cover the basics of LastPass and what makes it my favorite. How to: Log in to LastPass Save a Site Create a Form Fill Generate a Password Share a Password Secure Your LastPass Account How to Use LastPass on Your Smartphone

WordPress Security - Learning From Hacks

Tony Perez

This document discusses strategies for WordPress website security based on common attack scenarios. It describes how phishing attacks target users and how hackers have compromised websites by infecting plugins or exploiting vulnerabilities in connected applications like vBulletin forums. The key lessons are to verify all software sources, implement layered defenses like two-factor authentication, web application firewalls, integrity monitoring and backups, and isolate applications when possible. A defense-in-depth approach is necessary as no single measure prevents all attacks.

Sucuri Webinar: How to Clean a Hacked Magento Website

Sucuri

TIP: Make sure you scroll to the last slide to view the video recording. On Feb 22, 2017, Sucuri Incident Responder, Cesar Anjos, presented this webinar as a step by step guide on how to clean a hacked Magento website. If your Magento website has been hacked, learn how to appropriately deal with the security incident, fix the hack, and secure your ecommerce website against future breaches. This webinar will take place on Wednesday, Feb 22nd at 11am PST. Following his presentation, Cesar will take questions from participants. Please complete the form to register. In this webinar you will learn how to: - Understand if there has been a compromise - Beginner - Determine the presence of credit card stealers - Intermediate/Advanced - Look for the most common credit card stealers - Intermediate - Handle potential data breaches - Intermediate - Remove most Magento infections - Beginner

Final Presentation

Lani-Girl Petrulo

Two-Factor Authentication Presentation

SamSmith537

This document provides sources for slides related to two-factor authentication and cybersecurity best practices. Sources include websites for authentication plugins and services, articles about password security and common passwords, images of authentication methods and phishing examples, and stock photos. The sources cover topics like hardware security keys, phone-based authentication, location-based authentication, and multi-factor vs two-factor authentication.

Sammy Virus

coolkyle

WordPress Security - Dealing With Today's Hacks

Tony Perez

The document discusses various security issues related to WordPress websites and provides recommendations for improving WordPress security. It covers common attacks like defacements, backdoors, phishing injections and malicious redirects. It demonstrates how commands like grep, curl and find can be used to detect these issues. The document emphasizes the importance of access control and updating WordPress and plugins. It also recommends security-focused plugins and resources.

Microblogging Fast Fast Good Good

Dave Delaney

Httpd sys content_t_apache_linux

James Jara

Sucuri Webinar: Understand and Fix Google Blacklist Warnings

Sucuri

Sucuri Webinar: How Websites Get Hacked

Sucuri

Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports

Sucuri

Hacked - What do you do now?

Tony Perez

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Casey Ellis

Bugcrowd was founded at an inflection point in the history of the Internet and awareness of cybersecurity. A lot has changed since 2012 - to the cybersecurity industry, to the technology landscape, to the view of hackers as helpful and not just harmful, and - importantly - to the awareness of cybersecurity as "everyone's problem". In 2023, we find ourselves at a similar inflection point for our space. This keynote unpacks the last 11 years as a predictor of what is next, and as an encouragement and roadmap for budding cybersecurity entrepreneurs and solutioneers.

Bug Bounty #Defconlucknow2016

Shubham Gupta

The document discusses bug bounty hunting. It introduces Shubham Gupta and Yash Pandya who are security consultants and top bug hunters. It outlines the agenda which includes an introduction to bug bounty programs, reasons for bug hunting, how to find bugs, quick tips, proofs of concept, pros and cons, and a Q&A. It provides a brief history of bug bounty programs and notes that now anyone can participate from home. It discusses types of bugs and tools used for hunting. Quick tips include using Google dorks, testing for information disclosure vulnerabilities, and completing challenges to improve skills. Examples are provided of unique bugs found like SVG XSS and an IDOR issue found in Google.

What's hot

Writing vuln reports that maximize payouts - Nullcon 2016

bugcrowd

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

Frans Rosén

20160613 TNC TERENA

University of Twente

Top 10 Web Hacking Techniques of 2014

Quick Heal Technologies Ltd.

WordPress Security 2014 - The Basics of Security

Tony Perez

Hackfest presentation.pptx

Peter Yaworski

NetVU Tech-4290/4390

jreverri

Community Career Center: The Beginner’s Guide to LastPass

Keitaro Matsuoka

WordPress Security - Learning From Hacks

Tony Perez

Sucuri Webinar: How to Clean a Hacked Magento Website

Sucuri

Final Presentation

Lani-Girl Petrulo

Two-Factor Authentication Presentation

SamSmith537

Sammy Virus

coolkyle

WordPress Security - Dealing With Today's Hacks

Tony Perez

Microblogging Fast Fast Good Good

Dave Delaney

Httpd sys content_t_apache_linux

James Jara

Sucuri Webinar: Understand and Fix Google Blacklist Warnings

Sucuri

Sucuri Webinar: How Websites Get Hacked

Sucuri

Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports

Sucuri

Hacked - What do you do now?

Tony Perez

What's hot (20)

Writing vuln reports that maximize payouts - Nullcon 2016

The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

20160613 TNC TERENA

Top 10 Web Hacking Techniques of 2014

WordPress Security 2014 - The Basics of Security

Hackfest presentation.pptx

NetVU Tech-4290/4390

Community Career Center: The Beginner’s Guide to LastPass

WordPress Security - Learning From Hacks

Sucuri Webinar: How to Clean a Hacked Magento Website

Final Presentation

Two-Factor Authentication Presentation

Sammy Virus

WordPress Security - Dealing With Today's Hacks

Microblogging Fast Fast Good Good

Httpd sys content_t_apache_linux

Sucuri Webinar: Understand and Fix Google Blacklist Warnings

Sucuri Webinar: How Websites Get Hacked

Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports

Hacked - What do you do now?

Similar to TechCrunch Early Stage 2020 - How to prioritize security at your startup

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Casey Ellis

Bug Bounty #Defconlucknow2016

Shubham Gupta

How to Incorporate a Security-First Approach to Your Products by spiderSlik C...

Product School

This document discusses how product managers, engineers, and business stakeholders can incorporate security-first approaches into their work. It provides background on the speaker and outlines several trends in cybersecurity, such as misconfigurations becoming a major risk. It then offers specific actions each group can take, such as product managers nominating a security champion, engineers following the OWASP Top 10 guidelines and limiting permissions, and business stakeholders developing an emergency plan. Useful resources for further learning are also included.

Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...

Codemotion

The growth of Internet of Things (IoT) in our daily life creates immense opportunities and benefits for our society. However, IoT security has not kept up with the same rapid pace of innovation and development. This situation creates substantial security flaws and putting our privacy at risk. This talk will present the new challenges we are facing with the new revolution of IoT, including concrete demonstrations. In addition, we will present possible solutions how to deal with those challenges. Finally, we will do some fun coding by a POC on one of these solutions.

eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...

Kevin M. Moker, CFE, CISSP, ISSMP, CISM

The document describes how to steal Gmail credentials using social engineering and the Social Engineering Toolkit (SET). It involves tricking a victim into entering their login credentials on a spoofed Gmail login page hosted on the attacker's machine. The attacker first sets up Kali Linux in a virtual machine and launches SET. They then change the victim's Gmail bookmark to point to the attacker's IP address hosting the fake login page. When the victim tries to access Gmail, they enter their credentials which are stolen by SET. The document warns readers to be vigilant against these kind of social engineering attacks.

Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...

Mazin Ahmed

IT Security for Nonprofits

Community IT Innovators

Bug Bounty - Play For Money

Shubham Gupta

This document provides an overview of bug bounty hunting. It discusses: - What bug bounty programs are and how they work - A brief history of major bug bounty programs from the 1990s to present day - Reasons to participate in bug bounty hunting like money, career opportunities, and enjoyment - Popular bug bounty platforms and programs - How to get started with the process of bug hunting - Tips for writing bug reports that document the issue and steps to reproduce it - Examples of past bug bounty finds, like an SVG XSS filter bypass and a tapjacking proof of concept

Blue team reboot - HackFest

Haydn Johnson

Co Speaker: Cheryl Biswas Talk Description: How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed. We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies. We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.

Creating a Safe and Secure Website Experience For You and Your Readers - Tony...

DesignBloggersConference

The document discusses creating a safe website experience for readers. It provides tips for improving website security posture, including employing defense in depth concepts, prioritizing good administration, recognizing threats from software vulnerabilities, controlling access, registering the website with search engines, and leveraging security professionals. The key message is that website security is an ongoing process of risk reduction, not a single action, and requires ongoing maintenance.

DrupalCamp London 2017 - Web site insecurity

George Boobyer

Common threats to web security with real world case studies of compromised sites, - A 'dissection' of a typical common exploit tool and how it operates, - Simple approaches to mitigating common threats/vulnerabilities, - Defence in depth – an overview of the various components of web security, - Drupal specific measures that standard penetration testing often does not account for. An overview of how to benefit from: - Security monitoring and log analysis - Intrusion Detection Systems & Firewalls - Security headers and Content Security Policies (CSP). see Drupal Camp London for full details: http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it

Bug Bounty

Hariprasad KA

This document discusses bug bounty programs and how to become a bug bounty hunter. It defines a bug bounty as a program where websites and software developers offer recognition and compensation to individuals who report software bugs and vulnerabilities. It explains that security bugs can be exploited to gain unauthorized access. Bug bounty programs benefit companies by providing an inexpensive way to identify vulnerabilities through independent security researchers. The document outlines the history of bug bounty programs and provides tips for bug hunters, such as setting up tools and environments and understanding a company's bug reporting workflow before submitting reports.

Defcamp 2013 - Does it pay to be a blackhat hacker

DefCamp

The document discusses different types of hackers - white hat, grey hat, and black hat. A white hat hacker conducts ethical hacking and security testing, while a black hat hacker violates security for personal gain or maliciousness. The document uses a real Apache PHP vulnerability as an example to show how a black hat hacker could potentially exploit it at large scale to infect millions of servers and earn millions setting up a powerful botnet to perform DDoS attacks and other illicit activities for profit, though this scenario is more science fiction. While financially lucrative, being a black hat hacker risks legal consequences like jail time.

Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker

Dan Vasile

This document summarizes a presentation about different types of hackers - white hat, grey hat, and black hat. White hats follow ethical practices like responsible disclosure. Grey hats sometimes act illegally but with good intentions. Black hats hack for personal gain or maliciousness. The document describes a real PHP vulnerability in Apache that allows remote code execution. It then discusses the potential financial gains but legal risks of different approaches like responsible disclosure, selling the exploit, or creating a large botnet to exploit it at scale for ongoing profits from criminal activities.

How not to suck at Cyber Security

Chris Watts

The document discusses various cybersecurity risks and best practices to address them. It covers topics like information leakage, outdated software, authorization bypass, cross-site request forgery (CSRF), cross-site scripting (XSS), social engineering, and the importance of user training. The key message is that while technology is important, humans are often the weakest link and most common cause of breaches. Organizations must have security awareness programs to educate employees on threats like phishing.

Security Testing

BJ Edward Taduran

This document discusses cyber security and vulnerability scanning. It introduces the author, Bujo Taduran, and their goal of helping secure government systems. It then covers various cyber security issues like outdated systems, irresponsible IoT manufacturers, and lack of user awareness. The document outlines security tools that can be used like surveillance, firewalls, host hardening, and vulnerability scanning tools like OWASP ZAP and YASCA. It provides instructions for installing and using ZAP and explains how to interpret and prioritize the results of vulnerability scans. Finally, it discusses integrating vulnerability scanning into the software development lifecycle.

Automotive Cybersecurity: Test Like a Hacker

ForAllSecure

Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, as well as discuss how to fit this offensive cyber security approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover: - Successful exploits of components and vehicles - what these attacks had in common - Layering offensive techniques atop existing security programs - what to do and what to avoid - How to test integrated systems with multiple components from different OEMs working in tandem - Integrating offensive testing into different stages in software development and component integration Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned

fangjiafu

This document discusses penetration testing approaches from the past compared to today. It notes that in the past, penetration testing was easier because networks had fewer security controls like firewalls and patches. The document then provides tips and techniques for identifying security controls like load balancers, intrusion prevention systems, and web application firewalls that may be in place on modern networks. It also discusses ways to potentially bypass these controls like using encryption, proxies, or virtual private networks.

5 Tips to Successfully Running a Bug Bounty Program

bugcrowd

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

Casey Ellis

The document discusses the increasing adoption of crowdsourced security practices like vulnerability disclosure programs (VDP) and bug bounty programs within critical infrastructure sectors. It notes that while conservative sectors are slower to adopt these practices, regulatory pressure is accelerating their adoption. The document also observes that aging critical infrastructure organizations tend to have many publicly accessible initial access vectors, and that digital transformation compounds this issue. Finally, it discusses moving security practices from a "broke" to "woke" approach, emphasizing the human aspects of security rather than just technology.

Similar to TechCrunch Early Stage 2020 - How to prioritize security at your startup (20)

Release The Hounds: Part 2 “11 Years Is A Long Ass Time”

Bug Bounty #Defconlucknow2016

How to Incorporate a Security-First Approach to Your Products by spiderSlik C...

Guy Rombaut - Security in the IoT generation & End of Cloud - Codemotion Mila...

eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...

Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...

IT Security for Nonprofits

Bug Bounty - Play For Money

Blue team reboot - HackFest

Creating a Safe and Secure Website Experience For You and Your Readers - Tony...

DrupalCamp London 2017 - Web site insecurity

Bug Bounty

Defcamp 2013 - Does it pay to be a blackhat hacker

Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker

How not to suck at Cyber Security

Security Testing

Automotive Cybersecurity: Test Like a Hacker

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned

5 Tips to Successfully Running a Bug Bounty Program

Hack The Capitol - The Unlikely Romance - Critical Infrastructure Edition

More from Casey Ellis

CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd

Casey Ellis

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

Casey Ellis

Of all the problems the internet has, there seems to be one that rules them all: It doesn’t understand how to work with it’s immune system. In this talk I’ll run through the past/present/future of the vulnerability disclosure, and give a run-through of disclose.io: an open-source and vendor-agnostic initiative to make conversations between builders and breakers safe, standardized, and simple. I’ll close with a Call To Action for all participants with simple ways to help and get involved.

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Casey Ellis

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Casey Ellis

This document summarizes a presentation on cybersecurity legal issues for companies. It discusses the growing costs and impacts of cyberattacks like data breaches and ransomware. Bug bounty programs that hire security researchers are presented as a way for companies to find vulnerabilities, but they may also increase legal obligations to notify breaches. The role of legal counsel in addressing these issues is examined, including maintaining technical competence. Elements of effective cybersecurity programs and incident response planning are outlined to help mitigate risks and consequences.

Full Disclosure Debate - NBT 5

Casey Ellis

The document discusses the debate between full disclosure and proactive vulnerability disclosure. It defines full disclosure as publicly disclosing a vulnerability before notifying the vendor. The document argues that full disclosure is like an unavoidable aspect like death and taxes because parts of the internet will always be poor at proactive disclosure. It lists several reasons why full disclosure is considered bad, such as giving unsophisticated actors access to exploits, reinforcing negative stereotypes of hackers, and scaring people away from supporting proactive disclosure programs. The document concludes by arguing that hyping up low criticality vulnerabilities and clickbaity journalism can hurt the reputation and progress of the security community overall.

Webinar kym-casey-bug bounty tipping point webcast - po edits

Casey Ellis

Our 2016 State of Bug Bounty Report announced that bug bounty programs adoption has increased 210% since 2013. As more and more companies leverage the capabilities of the global researcher community to identify critical vulnerabilities, we must ask...has the bug bounty economy reached a tipping point? Join Bugcrowd as we unpack the top trends in crowdsourced cybersecurity and review the key findings from The State of Bug Bounty Report 2016. Webinar: https://www.brighttalk.com/webcast/14415/221275/the-bug-bounty-tipping-point-strength-in-numbers

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

Casey Ellis

Exploring the dynamics and relationship between the hacker community and the engineering coalface. Today’s cybersecurity battle is not a fair fight. The attackers — growing in numbers and sophistication — have overwhelmed the comparatively small pool of defenders. Add an engineering team that’s economically incentivized to ignore security, and you’re off to a bad start. This talk is story of what happens to engineers the first time some random kid 8,000 miles away hacks their stuff as a part of their bug bounty. It’s about its outsourcing the creation of the “oh shit” moment, and seeing your engineering team become a blue team. Why is this about pairing engineering teams with hackers specifically? Because it addresses a marked gap: people who build things for a living paired with people who break things for a living.

AppSecUSA - Your License for Bug Hunting Season

Casey Ellis

Tweet Share You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs. Video: https://www.youtube.com/watch?v=ziUUyA0-zwg

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Casey Ellis

This document discusses bug bounty programs and their growing adoption. It addresses common objections to running bug bounty programs, such as them being too risky, expensive, or hard to manage. Data is presented showing bug bounties attract talented researchers who find critical issues quickly. Stories from companies highlight how bug bounties help expand security teams cost effectively. The document concludes by advising companies to align expectations, communicate openly, and pay bounty hunters fast and well to have healthy bug bounty relationships.

Introducing Bugcrowd

Casey Ellis

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

Casey Ellis

This document summarizes key topics from a presentation on cybersecurity issues and legal considerations, including: 1) Cyberattacks pose a significant and growing threat, with annual global costs of cybercrime estimated to rise from $3 trillion currently to $6 trillion by 2021. Data breaches continue to mount in size and frequency. 2) Responding to cyber incidents involves substantial costs beyond direct remediation, including brand impact, lost revenue, legal claims, and government fines. Companies are often under-resourced to address cybersecurity issues fully. 3) Bug bounty programs and security researchers can help companies identify vulnerabilities, but legal risks remain around disclosure of vulnerabilities to regulators or the public. Careful management

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Casey Ellis

Our current approach to security assessment is inherently flawed; automation tools only find what they are programmed to find and penetration testing is extremely limited. Bug bounties build upon and improve upon these existing application security testing tools by harnessing the human creativity of the whitehat researcher community with a pay-for-results rewards model. As a cyber security veteran, Casey will analyze the evolution of the application security industry over the past several years and address why the existing tools and practices are falling short. With data from hundreds of bug bounty programs, he will also show how bug bounties are bridging the gap between companies who need to find security flaws before they’re exploited, and the hackers at the table ready to help. https://2017.conference.auscert.org.au/speaker/casey-ellis/

Enigma 2018 - Combining the Power of Builders and Breakers

Casey Ellis

This document discusses bug bounty programs and crowdsourced security. It begins by introducing the founder and background of bug bounty programs. Then it discusses the problems they address like growing attack surfaces and skilled labor shortages. It outlines the current state of vulnerability disclosure programs, public and private bug bounties, and crowdsourced security. Case studies show bug bounties are effective at finding complex issues. Researchers tend to be educated with security experience. The future of these programs is seen as addressing consumer and legislative pressures. Tips are provided like starting small, aligning expectations, open communication, fast payment, and getting legal advice. It closes by calling for continued cooperation across stakeholders.

Welcome to the blue team! How building a better hacker accidentally built a b...

Casey Ellis

Security practitioners know that the threats that face an organization are always active, and that while defenders need to get everything right, a good attacker only needs to get one thing right. That’s all well and good for security practitioners, but what about the rest of the company? How do you transform security from a rather inconvenient checklist, to a nascent awareness of the threat? How do you get those responsible for providing your attack surface to ‘actually care about whether it’s secure or not?

More from Casey Ellis (14)

CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Full Disclosure Debate - NBT 5

Webinar kym-casey-bug bounty tipping point webcast - po edits

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

AppSecUSA - Your License for Bug Hunting Season

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Introducing Bugcrowd

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Enigma 2018 - Combining the Power of Builders and Breakers

Welcome to the blue team! How building a better hacker accidentally built a b...

Recently uploaded

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...

saastr

Serial Arm Control in Real Time Presentation

tolgahangng

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Safe Software

Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency. During the hour, we’ll take you through: Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board. Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes. Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI. We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI. This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!

Programming Foundation Models with DSPy - Meetup Slides

Zilliz

Skybuffer SAM4U tool for SAP license adoption

Tatiana Kojar

Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool. SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.

AWS Cloud Cost Optimization Presentation.pptx

HarisZaheer8

This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.

Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...

Tatiana Kojar

Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI. With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on integration of Salesforce with Bonterra Impact Management. Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Letter and Document Automation for Bonterra Impact Management (fka Social Sol...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365. Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

GraphRAG for Life Science to increase LLM accuracy

Tomaz Bratanic

UI5 Controls simplified - UI5con2024 presentation

Wouter Lemaire

Presentation of the OECD Artificial Intelligence Review of Germany

innovationoecd

5th LF Energy Power Grid Model Meet-up Slides

DanBrown980551

5th Power Grid Model Meet-up It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology. Power Grid Model The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services. Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability. Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization. What to expect For the upcoming meetup we are organizing, we have an exciting lineup of activities planned: -Insightful presentations covering two practical applications of the Power Grid Model. -An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024. -An interactive brainstorming session to discuss and propose new feature requests. -An opportunity to connect with fellow Power Grid Model enthusiasts and users.

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

dbms calicut university B. sc Cs 4th sem.pdf

Shinana2

Recently uploaded (20)

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...

Serial Arm Control in Real Time Presentation

Artificial Intelligence for XMLDevelopment

Best 20 SEO Techniques To Improve Website Visibility In SERP

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Choosing The Best AWS Service For Your Website + API.pptx

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Programming Foundation Models with DSPy - Meetup Slides

Skybuffer SAM4U tool for SAP license adoption

AWS Cloud Cost Optimization Presentation.pptx

Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

Letter and Document Automation for Bonterra Impact Management (fka Social Sol...

June Patch Tuesday

GraphRAG for Life Science to increase LLM accuracy

UI5 Controls simplified - UI5con2024 presentation

Presentation of the OECD Artificial Intelligence Review of Germany

5th LF Energy Power Grid Model Meet-up Slides

Building Production Ready Search Pipelines with Spark and Milvus

dbms calicut university B. sc Cs 4th sem.pdf

TechCrunch Early Stage 2020 - How to prioritize security at your startup

1. The Crowdsourced Security Platform

2. bugcrowd.com/try-bugcrowd How to prioritize security for your startup Casey John Ellis TechCrunch Early Stage July 2020

3. bugcrowd.com/try-bugcrowd #realtalk

4. bugcrowd.com/try-bugcrowd You’re probably *not* prioritizing security at your startup…

5. bugcrowd.com/try-bugcrowd …this workshop will help.

6. bugcrowd.com/try-bugcrowd whoami Founder/Chairman/CTO of Bugcrowd 20 years in information security Hacker >> Pentester >> Solution Architect >> Entrepreneur Pioneered Crowdsourced Security as-a-Service Proud Australian, husband, and father of two Based in San Francisco, CA $ sudo hack.sh $ sudo hustle.sh

7. bugcrowd.com/try-bugcrowd …what is Bugcrowd?

8. bugcrowd.com/try-bugcrowd

9. bugcrowd.com/try-bugcrowd > Contain a army of hackers > Ask the entire Internet to try and break in to us 24x7 > Convince the market that hackers are OK > Safely store customer vulnerability data > Lead the category in our own cybersecurity Our ﬁrst day…

10. bugcrowd.com/try-bugcrowd …as well as the normal stuﬀ

11. bugcrowd.com/try-bugcrowd > Create and validate a category > Move fast and break things > Nail product/market ﬁt > Fundraise and hire > Out-execute the eventual competition > Figure out how to immigrate > Comply with privacy and security regulation > Get mad write-ups in Techcrunch > Convince big customer we aren't going to get hacked > etc, etc, etc...

12. bugcrowd.com/try-bugcrowd Sounds crazy, right?

13. bugcrowd.com/try-bugcrowd 8 years later > 80M USD raised > 100,000s of vulnerabilities annihilated > 1,000s of hackers paid > Oﬃces in 5 countries > Customers from DoD to 10-person upstarts

14. bugcrowd.com/try-bugcrowd Takeaway #1 Teach your business to wash it’s hands while it’s still young.

15. bugcrowd.com/try-bugcrowd Kill password re-use: Use an enterprise password manager.

16. bugcrowd.com/try-bugcrowd Use two-factor authentication: Force it where you can.

17. bugcrowd.com/try-bugcrowd Apply updates: Automate them wherever you can.

18. bugcrowd.com/try-bugcrowd Use platforms: Insource your core, outsource your context.

19. bugcrowd.com/try-bugcrowd Takeaway #2 Make secure easy and insecure obvious.

20. bugcrowd.com/try-bugcrowd Avoid singular failure: Have two primary owners on key service accounts.

21. bugcrowd.com/try-bugcrowd Instill productive paranoia in your entire team. Security isn’t just an engineering problem.

22. bugcrowd.com/try-bugcrowd Get your sales, marketing, and ﬁnance people on Chromebooks BEFORE you hit 20 employees… Just trust me on this one.

23. bugcrowd.com/try-bugcrowd Takeaway #3 Security sells product.

24. bugcrowd.com/try-bugcrowd Be ready for security feedback from the Internet with a vulnerability disclosure program. https://www.bugcrowd.com/try-bugcrowd

25. bugcrowd.com/try-bugcrowd COMPLIANCE IS AWESOME!!! Pick a requirement that makes sense, meet it, ﬁnd the next one, lather, rinse, repeat.

26. bugcrowd.com/try-bugcrowd Startups are all about managing risks. Which ones to take. Which ones to avoid.

27. bugcrowd.com/try-bugcrowd Cybersecurity is just another risk.

28. Start working on it today! https://www.bugcrowd.com/try-bugcrowd

29. bugcrowd.com/try-bugcrowd Thankyou! Questions? @caseyjohnellis casey@bugcrowd.com @bugcrowd www.bugcrowd.com greetz to @zackwhittaker and the @techcrunch team, the bugcrowders, @codesoda, @wendynather and the duo crew, and @haroonmeer

TechCrunch Early Stage 2020 - How to prioritize security at your startup

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to TechCrunch Early Stage 2020 - How to prioritize security at your startup

Similar to TechCrunch Early Stage 2020 - How to prioritize security at your startup (20)

More from Casey Ellis

More from Casey Ellis (14)

Recently uploaded

Recently uploaded (20)

TechCrunch Early Stage 2020 - How to prioritize security at your startup