Crowdsourced Vulnerability Testing

1. Reward Programs as a Service
A fresh approach to security testing!

"Bugcrowd and similar marketplaces, such as Danish firm CrowdCurity and Synack, are democratising the crowdsourced penetration testing model which has previously been only available to the biggest software companies that can afford to pay out millions of dollars"
2. CrowdCurity
CrowdCurity
• A Service Platform for Vulnerability Reward Programs
• Founded in July 2013
• 3 months bootstrapping in Argentina
• Platform launched September 2013
• 5 programs run
• 300+ testers
• Part of Boost.vc in Silicon Valley for the next 4 months
Jacob, Christian, Jakob, Esben, Michael
3. CrowdCurity
The Risks of Online Business

$$$ Credit Card Fraud
Credit cards are targeted: Online businesses have a high risk of attacks by intruders who steal credit card information from the sites to sell it on the black market.
There is plenty to steal: In 2012 the European online B2C sites had an income of €312 billion (3.5% of BNP). The transactions are typically handled with credit cards.*
*Source: FDIH

Data Disclosure
Big data = Big risk: To enable a high service level, sensitive data is being stored online. If this data is disclosed to the wrong people it could have a strong negative impact.
Integrity Loss: When private data is disclosed it leads to an integrity loss for the business keeping the data and could harm the customer owning it.

Forced Crashes
Loss of Service: Many shops and services take pride in being available online 24/7. But attackers can crash a site in minutes if it is not protected.
Loss of income and integrity: When a site is forced to crash, the business loses potential income and the integrity of the site and the business is seriously harmed.

Harmed Customers
Viruses and Malware: On vulnerable sites attackers can plant viruses and other malware which infect and potentially damage the systems of the customers.
Customers Lost: If a customer is infected by a virus or malware on a site, there is a high chance that they will not feel safe about using that site again.
4. CrowdCurity
Why is it Difficult to Solve?
The security threat of being hacked which online businesses are facing is a distributed and self-organizing threat. Most of the tools that online businesses have today to fight attacks are things like code reviews, automatic scanners and corporate security experts. All of these solutions will be fighting a losing battle against the attacks. By the nature of the threat it is difficult to solve completely by using centralized and automatic solutions.
6. CrowdCurity
The Solution: Crowdsourced Security Testing

1 ENGAGE HACKERS WITH REWARD PROGRAMS!
• By running a vulnerability reward program you engage a crowd of skilled hackers with good intentions to earn rewards and recognition by testing the security of your web applications

2 IT'S SMARTER!
• Instead of 1 set of eyes you can get 100+
• Multiple attack angles get covered by motivated testers

3 IT'S CHEAPER!
• You only pay for valid vulnerabilities: no bugs, no cost
• You get 100+ testers cheaper than the price of 1 consultant

4 ALL THE BIG GUYS ARE DOING IT!
• In 3 years Google has paid crowdsourced researchers over $2 million in security rewards and fixed more than 2,000 bugs*
*Source: thenextweb
8. CrowdCurity
Reward Program Challenges
Security Research Community <-> Online businesses
• How to get businesses to understand the value-add of a reward program?
• Attract skilled researchers?
• Rules?
• Reporting?
• Payments?
9. CrowdCurity
Reward Programs as a Service
Security Research Community
• Connecting businesses to the research community and promoting the value-add of reward programs
Service Platform
• One place to find programs for skilled researchers
• Best Practice Rules
• Best Practice Reporting
• Reward/Payment Mgmt.
Online businesses
10. CrowdCurity
How it works
1. Security Test Needed: An owner of a successful online business wants to test the security of his web application.
2. Create Reward Program: He creates a vulnerability reward program through an easy to use submission form at crowdcurity.com
3. Marketing to testers: The reward program is marketed to the crowd of skilled testers from around the world
4. Tester finds vulnerability: A tester finds a vulnerability in the web application, and submits the details of it through an easy to use form at crowdcurity.com
5. Business Evaluates: The business evaluates the vulnerability and decides if it is eligible for a cash reward. The feedback is given through crowdcurity.com
6. Payment Mgmt.: If a reward is given, CrowdCurity handles the payment to the tester and charges the business a 20% service fee.
7. Fix and continue: The business fixes the vulnerability and the business owner keeps the reward program to discover more vulnerabilities
11. CrowdCurity
A Customer Case

Business Ready to Test
• Cloud service
• <10 employees
• Many big customers
• Already focused on security: anti-attack measures installed

Best Practice Setup
• Reward program advertised to full crowd
• Reward sizes $300/$100/$25
• Focus on customer portal
• Best practice rules

The Test
• 50+ testers participated
• 6 continents represented
• $1500 given in rewards
• 19 vulnerabilities rewarded
High Value at a Low Cost
12. CrowdCurity
The Future of Reward Programs
• A standard part of the security toolbox
• Used by online businesses of all sizes
• A way for security researchers to promote themselves for e.g. recruitment
• Rewards will increase with the popularity
13. CrowdCurity
WWW.CROWDCURITY.COM
Simple intuitive layout and instructive videos
Forms for submitting programs and vulnerabilities
Nice dashboard with an overview of the tests
Easy to use views of programs and vulnerabilities