September 2016
ARE YOU VULNERABILITY BLIND?
3 REASONS TO RECONSIDER A BUG BOUNTY
1/25/17
SPEAKERS
PAUL ROSS, SVP MARKETING
JOHNATHAN HUNT, VP INFORMATION SECURITY
AGENDA
• Vulnerability Blindness
• 3 Reasons to Reconsider a Bug Bounty
  1. How a security expert changed his mind about bug bounties
  2. Why no bug bounty means missed vulnerabilities
  3. How Bugcrowd finds a P1 bug every 13 hours*
*Increase from 1 every 27 hours earlier in 2016
WHY IS THERE AN ISSUE TO ADDRESS?
• Ballooning attack surface
• Cybersecurity resource shortage
• Broken status quo
• Active, efficient adversaries
Breaking The Vulnerability Cycle
MYTHS OF BUG BOUNTY
(OR WHY YOU MIGHT HAVE DISMISSED THEM IN THE PAST)
POLL
1/25/17 | ESCAPE VELOCITY
CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING
[Chart: axis "Vulnerability Awareness"; two "Code Release" markers; two regions labelled "Zone of Vulnerability Blindness"]
BUG BOUNTY & CONTINUOUS ASSESSMENT AS THE SOLUTION
WHAT IS A BUG BOUNTY?
(Think of it as a competition)
WIDE ADOPTION OF CROWDSOURCED SECURITY
[Chart of programs by industry: Financial Services, Consumer Tech, Retail & Ecommerce, Infrastructure Technology, Automotive, Security Technology, Other]
2/3rds of programs are private
Reason 1
THE REHABILITATION OF A BUG BOUNTY SKEPTIC
INTRODUCING INVISION
Award-winning product design collaboration platform
• Provides two million people with the power to prototype, review, refine, manage and user-test web and mobile products.
• Drives the product design process at leading Fortune 100 companies, including Disney, IBM, Walmart, Apple, Verizon and General Motors.
INVISION SECURITY PROGRAM BEFORE BUG BOUNTY
• Monthly internal vulnerability scans
• Monthly external vulnerability scans
• Annual Third-Party Penetration Test
• 30-day patch cycle
• Web Application Firewall
• DDoS Protection
‘WHETHER OR NOT YOU’RE GOING TO HAVE THE GOOD GUYS WORKING FOR YOU, DOESN’T MEAN THE BAD GUYS ARE GOING TO STOP WORKING’
— JOHNATHAN HUNT
Reason 2
WHY NO BUG BOUNTY MEANS MISSED VULNERABILITIES
CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING
[Chart: axis "Vulnerability Awareness"; two "Code Release" markers; two regions labelled "Zone of Vulnerability Blindness"]
BUG BOUNTY DELIVERS CONTINUOUS VULNERABILITY ASSESSMENT
[Chart: axis "Vulnerability Awareness"; two "Code Release" markers; no blind zone between releases]
Reason 3
HOW BUGCROWD FINDS A P1 BUG EVERY 13 HOURS
A RADICAL CYBER SECURITY ADVANTAGE:
Enterprise Bug Bounty Solutions & Hackers On-Demand
• 300+ programs run
• Every program is managed by Bugcrowd
• Deep researcher engagement and support
• No confusing pricing models and no bounty commissions
• 45,000+ researchers
Three pillars:
• Curated crowd that thinks like an adversary but acts as an ally to find vulnerabilities
• A platform that simplifies connecting researchers to organizations, saving you time and money
• Security expertise to design, support, and manage crowd security programs
TIMELINE OF A SUCCESSFUL BUG BOUNTY PROGRAM
• Launches private bounty program
• Receives first P1 submission
• Receives 100th submission
• Runs On-Demand program
• Adds 100 additional researchers
• Receives 500th submission
CONCLUSION
Avoiding Vulnerability Blindness
• Reality of the modern development pipeline dictates a new approach
• Continuous vulnerability assessment is real and achievable through the bug bounty model
• Bugcrowd delivers the radical cybersecurity advantage of the crowd
Curated crowd · Simple-to-use platform · Expertise to ensure success
NEXT STEPS
TALK WITH A BUG BOUNTY EXPERT
HTTPS://PAGES.BUGCROWD.COM/TALK-WITH-A-BUG-BOUNTY-EXPERT
Q&A
PAUL ROSS @pjross01
JOHNATHAN HUNT @JHuntSecurity
