Reward Programs as a Service

A fresh approach to security testing!
”Bugcrowd and similar marketplaces, such as Danish firm CrowdCurity and Synack, are
democratising the crowdsourced penetration testing model which has previously been only
available to the biggest software companies that can afford to pay out millions of dollars”
CrowdCurity

CrowdCurity
•  A Service Platform for Vulnerability Reward Programs
•  Founded in July 2013
•  3 months bootstrapping in Argentina
•  Platform launched September 2013
•  5 programs run
•  300+ testers
•  Part of Boost.vc in Silicon Valley for the next 4 months

Team: Jacob, Christian, Jakob, Esben, Michael

The Risks of Online Business

Credit Card Fraud

Credit cards are targeted
Online businesses have a high risk of attacks by intruders who steal credit card information from the sites to sell it on the black market.

There is plenty to steal
In 2012 the European online B2C sites had an income of €312 billion (3.5% of GDP). The transactions are typically handled with credit cards.*

*Source: FDIH

Data Disclosure

Big data = Big risk
To enable a high service level, sensitive data is being stored online. If this data is disclosed to the wrong people it could have a strong negative impact.

Integrity Loss
When private data is disclosed it leads to an integrity loss for the business keeping the data and could harm the customer owning it.

Forced Crashes

Loss of Service
Many shops and services take pride in being available online 24-7. But evil attackers can crash a site in minutes if it is not protected.

Loss of income and integrity
When a site is forced to crash, the business loses potential income, and the integrity of the site and the business is seriously harmed.

Harmed Customers

Viruses and Malware
On vulnerable sites attackers can install viruses and other malware which infect and potentially damage the systems of the customers.

Customers Lost
If a customer is infected by a virus or malware on a site, there is a high chance that they will not feel safe about using that site again.

Why is it Difficult to Solve?

The security threat of being hacked which online businesses are facing is a distributed and self-organizing threat. Most of the tools that online businesses have today to fight attacks are things like code reviews, automatic scanners and corporate security experts. All of these solutions will be fighting a losing battle against the attacks. By the nature of the threat it is difficult to solve completely by using centralized and automatic solutions.

The Solution

Crowdsourced Security Testing

"99designs meets IT security - Crowdsource security testers to discover your vulnerabilities"

The Solution
Crowdsourced Security Testing

1. ENGAGE HACKERS WITH REWARD PROGRAMS!

•  By running a vulnerability reward program you engage a crowd of skilled hackers with good intentions to earn rewards and recognition by testing the security of your web applications

2. IT’S SMARTER!

•  Instead of 1 set of eyes you can get 100+
•  Multiple attack angles get covered by motivated testers

3. IT’S CHEAPER!

•  You only pay for valid vulnerabilities. No bugs, no cost
•  You get 100+ testers cheaper than the price of 1 consultant

4. ALL THE BIG GUYS ARE DOING IT!

•  In 3 years Google has paid crowdsourced researchers over $2 million in security rewards and fixed more than 2,000 bugs*

*Source: thenextweb

Reward Programs
•  http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web

Reward Program Challenges
Security Research Community

•  How to get businesses to understand the value-add of a reward program?
•  Attract skilled researchers?
•  Rules?
•  Reporting?
•  Payments?

Online businesses

Reward Programs as a Service
Security Research Community

•  Connecting businesses to the research community and promoting the value-add of reward programs

Service Platform

•  One place to find programs for skilled researchers
•  Best Practice Rules
•  Best Practice Reporting
•  Reward/Payment Mgmt.

Online businesses

How it works
1. Security Test Needed
An owner of a successful online business wants to test the security of his web application.

2. Create Reward Program
He creates a vulnerability reward program through an easy to use submission form at crowdcurity.com

3. Marketing to testers
The reward program is marketed to the crowd of skilled testers from around the world

4. Tester finds vulnerability
A tester finds a vulnerability in the web application, and submits the details of it through an easy to use form at crowdcurity.com

5. Business Evaluates
The business evaluates the vulnerability and decides if it is eligible for a cash reward. The feedback is given through crowdcurity.com

6. Payment Mgmt.
If a reward is given, CrowdCurity handles the payment to the tester and charges the business a 20% service fee.

7. Fix and continue
The business fixes the vulnerability and the business owner keeps the reward program to discover more vulnerabilities

A Customer Case

Business Ready to Test
Cloud service
•  <10 Employees
•  Many big customers
•  Already focused on security
•  Anti-attack measures installed

Best Practice Setup
Reward Program
•  Advertised to full crowd
•  Reward sizes $300/$100/$25
•  Focus on Customer Portal
•  Best Practice Rules

The Test
•  50+ testers participated
•  6 continents represented
•  $1500 given in rewards
•  19 vulnerabilities rewarded

High Value at a Low Cost

The Future of Reward Programs

•  A standard part of the security toolbox
•  Used by online businesses of all sizes
•  A way for security researchers to promote themselves for e.g. recruitment
•  Rewards will increase with the popularity

WWW.CROWDCURITY.COM
Simple intuitive layout and instructive videos

Forms for submitting programs and vulnerabilities

Nice dashboard with an overview of the tests

Easy to use views of programs and vulnerabilities
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 

Dernier (20)

Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 

Crowdsourced Vulnerability Testing

  • 1. Reward Programs as a Service
    A fresh approach to security testing!
    ”Bugcrowd and similar marketplaces, such as Danish firm CrowdCurity and Synack, are democratising the crowdsourced penetration testing model which has previously been only available to the biggest software companies that can afford to pay out millions of dollars”
  • 2. CrowdCurity
    • A Service Platform for Vulnerability Reward Programs
    • Founded in July 2013
    • 3 months bootstrapping in Argentina
    • Platform launched September 2013
    • 5 programs run
    • 300+ testers
    • Part of Boost.vc in Silicon Valley for the next 4 months
    Team: Jacob, Christian, Jakob, Esben, Michael
  • 3. CrowdCurity: The Risks of Online Business
    Credit Card Fraud ($$$)
    • Credit cards are targeted: Online businesses have a high risk of attacks by intruders who steal credit card information from the sites to sell it on the black market.
    • There is plenty to steal: In 2012 the European online B2C sites had an income of €312 billion (3.5% of GDP). The transactions are typically handled with credit cards.* (*Source: FDIH)
    Data Disclosure
    • Big data = Big risk: To enable a high service level, sensitive data is being stored online. If this data is disclosed to the wrong people it could have a strong negative impact.
    • Integrity loss: When private data is disclosed it leads to an integrity loss for the business keeping the data and could harm the customer owning it.
    Forced Crashes
    • Loss of service: Many shops and services take pride in being available online 24-7. But evil attackers can crash a site in minutes if it is not protected.
    • Loss of income and integrity: When a site is forced to crash, the business loses potential income, and the integrity of the site and the business is seriously harmed.
    Harmed Customers
    • Viruses and malware: On vulnerable sites attackers can plant viruses and other malware which infect and potentially damage the systems of the customers.
    • Customers lost: If a customer is infected by a virus or malware on a site, there is a high chance that they will not feel safe about using that site again.
  • 4. CrowdCurity: Why is it Difficult to Solve?
    The security threat of being hacked which online businesses are facing is a distributed and self-organizing threat. Most of the tools that online businesses have today to fight attacks are things like code reviews, automatic scanners and corporate security experts. All of these solutions will be fighting a losing battle against the attacks. By the nature of the threat it is difficult to solve completely by using centralized and automatic solutions.
  • 5. CrowdCurity: The Solution: Crowdsourced Security Testing
    "99designs meets IT security - Crowdsource security testers to discover your vulnerabilities"
  • 6. CrowdCurity: The Solution: Crowdsourced Security Testing
    1. ENGAGE HACKERS WITH REWARD PROGRAMS!
    • By running a vulnerability reward program you engage a crowd of skilled hackers with good intentions to earn rewards and recognition by testing the security of your web applications
    2. IT’S SMARTER!
    • Instead of 1 set of eyes you can get 100+
    • Multiple attack angles get covered by motivated testers
    3. IT’S CHEAPER!
    • You only pay for valid vulnerabilities – No bugs, No cost
    • You get 100+ testers cheaper than the price of 1 consultant
    4. ALL THE BIG GUYS ARE DOING IT!
    • In 3 years Google has paid crowdsourced researchers over $2 million in security rewards and fixed more than 2,000 bugs* (*Source: thenextweb)
  • 8. CrowdCurity: Reward Program Challenges
    Security Research Community / Online businesses
    • How to get businesses to understand the value-add of a reward program?
    • Attract skilled researchers?
    • Rules?
    • Reporting?
    • Payments?
  • 9. CrowdCurity: Reward Programs as a Service
    Security Research Community – Service Platform – Online businesses
    • Connecting businesses to the research community and promoting the value-add of reward programs
    • One place to find programs for skilled researchers
    • Best Practice Rules
    • Best Practice Reporting
    • Reward/Payment Mgmt.
  • 10. CrowdCurity: How it works
    1. Security Test Needed: An owner of a successful online business wants to test the security of his web application.
    2. Create Reward Program: He creates a vulnerability reward program through an easy to use submission form at crowdcurity.com
    3. Marketing to testers: The reward program is marketed to the crowd of skilled testers from around the world
    4. Tester finds vulnerability: A tester finds a vulnerability in the web application, and submits the details of it through an easy to use form at crowdcurity.com
    5. Business Evaluates: The business evaluates the vulnerability and decides if it is eligible for a cash reward. The feedback is given through crowdcurity.com
    6. Payment Mgmt.: If a reward is given, CrowdCurity handles the payment to the tester and charges the business a 20% service fee.
    7. Fix and continue: The business fixes the vulnerability and the business owner keeps the reward program to discover more vulnerabilities
  • 11. CrowdCurity: A Customer Case
    Business Ready to Test
    • Cloud service
    • <10 Employees
    • Many big customers
    • Already focused on security
    • Anti-attack measures installed
    Best Practice Setup (The Reward Program)
    • Advertised to full crowd
    • Reward sizes $300/$100/$25
    • Focus on Customer Portal
    • Best Practice Rules
    High Value at a Low Cost (The Test)
    • 50+ testers participated
    • 6 continents represented
    • $1500 given in rewards
    • 19 vulnerabilities rewarded
  • 12. CrowdCurity: The Future of Reward Programs
    • A standard part of the security toolbox
    • Used by online businesses of all sizes
    • A way for security researchers to promote themselves, e.g. for recruitment
    • Rewards will increase with the popularity
  • 13. CrowdCurity: WWW.CROWDCURITY.COM
    • Simple intuitive layout and instructive videos
    • Forms for submitting programs and vulnerabilities
    • Nice dashboard with an overview of the tests
    • Easy to use views of programs and vulnerabilities