For the ondemand version of the webinar, visit:
https://www.brighttalk.com/webcast/14415/242115
Bug Bounty programs are critical to the security programs of thousands of organizations, but many still have not embraced them. Join security leader Johnathan Hunt, VP Information Security at InVision, and Paul Ross, SVP of Marketing at Bugcrowd, to discuss why that situation must change, through topics including:
- How a security expert changed his mind about bug bounties
- Why no bug bounty means missed vulnerabilities
- How Bugcrowd finds a P1 bug every 27 hours
We will explore InVision’s bug bounty experience from conception to being critical to their customers’ confidence in their security.
“Whether or not you’re going to have the good guys working for you or not, doesn’t mean the bad guys are going to stop working”
- Johnathan Hunt, InVision
3. AGENDA
• Vulnerability Blindness
• 3 Reasons to Reconsider a Bug Bounty
  1. How a security expert changed his mind about bug bounties
  2. Why no bug bounty means missed vulnerabilities
  3. How Bugcrowd finds a P1 bug every 13 hours*
*Increase from 1 every 27 hours earlier in 2016
1/25/17
4. WHY IS THERE AN ISSUE TO ADDRESS?
Breaking The Vulnerability Cycle
• Ballooning attack surface
• Cybersecurity resource shortage
• Broken status-quo
• Active, efficient adversaries
5. MYTHS OF BUG BOUNTY
(OR WHY YOU MIGHT HAVE DISMISSED THEM IN THE PAST)
7. CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING
[Diagram: timeline of successive Code Release points; labels: Vulnerability Awareness, Zone of Vulnerability Blindness (between releases)]
8. BUG BOUNTY & CONTINUOUS ASSESSMENT AS THE SOLUTION
9. WHAT IS A BUG BOUNTY?
(Think of it as a competition)
10. WIDE ADOPTION OF CROWDSOURCED SECURITY
[Chart: programs by industry: Financial Services, Consumer Tech, Retail & Ecommerce, Infrastructure, Technology, Automotive, Security Technology, Other]
2/3 of programs are private
12. INTRODUCING INVISION
Award-winning product design collaboration platform
• Provides two million people with the power to prototype, review, refine, manage and user test web and mobile products.
• Drives the product design process at leading Fortune 100 companies, including at Disney, IBM, Walmart, Apple, Verizon and General Motors.
13. INVISION SECURITY PROGRAM BEFORE BUG BOUNTY
• Monthly internal vulnerability scans
• Monthly external vulnerability scans
• Annual Third-Party Penetration Test
• 30-day patch cycle
• Web Application Firewall
• DDoS Protection
14. ‘WHETHER OR NOT YOU’RE GOING TO HAVE THE GOOD GUYS WORKING FOR YOU, DOESN’T MEAN THE BAD GUYS ARE GOING TO STOP WORKING’
— JOHNATHAN HUNT
15. WHY NO BUG BOUNTY MEANS MISSED VULNERABILITIES
Reason 2
16. CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING
[Diagram repeated from slide 7: timeline of successive Code Release points; labels: Vulnerability Awareness, Zone of Vulnerability Blindness (between releases)]
19. A RADICAL CYBER SECURITY ADVANTAGE:
Enterprise Bug Bounty Solutions & Hackers On-Demand
• 300+ Programs run
• Every program is managed by Bugcrowd
• Deep researcher engagement and support
• No confusing pricing models and no bounty commissions
• 45,000+ researchers
Curated Crowd that thinks like an adversary but acts as an ally to find vulnerabilities
A platform that simplifies connecting researchers to organizations, saving you time and money
Security expertise to design, support, and manage crowd security programs
20. TIMELINE OF A SUCCESSFUL BUG BOUNTY PROGRAM
• Launches private bounty program
• Receives first P1 submission
• Receives 100th submission
• Runs On-Demand program
• Adds 100 additional researchers
• Receives 500th submission
21. CONCLUSION
Avoiding Vulnerability Blindness
• Reality of modern development pipeline dictates a new approach
• Continuous vulnerability assessment is real and achievable through bug bounty model
• Bugcrowd delivers the radical cybersecurity advantage of the crowd
Curated Crowd | Simple-to-use platform | Expertise to ensure success
22. NEXT STEPS
TALK WITH A BUG BOUNTY EXPERT
HTTPS://PAGES.BUGCROWD.COM/TALK-WITH-A-BUG-BOUNTY-EXPERT
1/25/17 | ESCAPE VELOCITY