Slides used during Bugcrowd's 3/5/2015 webinar with Instructure, the innovative company behind Canvas Learning Management System. Learn why they turned to crowdsourced security, and how Bugcrowd's Flex program gave them great results.
Key Takeaways from Instructure's Successful Bug Bounty Program
2. Key Takeaways from Instructure’s Bug Bounty Program
Presenters:
Q. Wade Billings, Sr. Director of Global IT Shared Services : Instructure
Jonathan Cran, VP Operations : Bugcrowd
3. Your Presenters
• Q. Wade Billings, Sr. Director of Global IT Shared Services, Instructure
  • IT leadership career spanning over 20 years. Held high-level positions with Excite@Home, lowermybills.com, Medicity and most recently WorkFront (fka AtTask)
  • Involved in the Utah InfoSec community with ties to BSidesSLC and UtahSec.org
• Jonathan Cran, VP Operations, Bugcrowd
  • Security assessment startups. Leadership positions with Rapid7, Pwnie Express, Metasploit.
4. About Instructure
• Instructure makes smart software that makes people smarter
• Instructure is a fast-growing education technology SaaS company serving multiple global markets
• Our growth since launch in 2011:
  • 18+ million users
  • 1,200 institutions under contract
  • 500+ employees
  • Global offices and five hosting platforms worldwide
5. About Bugcrowd
• Your Elastic Security Team
• Founded in 2012, based in San Francisco, 20 employees
• 15,000 researchers, $400,000 in researcher payments in 2014, 150 programs
• Provider of Crowdcontrol, the platform for Bug Bounty and Flex Bounty programs
• We help you start and manage your bug bounty program
6. Annual Assessment
• We update our platform every three weeks, and users benefit from new features and bug fixes.
• Starting in 2011, Instructure took a proactive approach to security.
• We publicly published results after the first security audit
• When vulnerabilities were found, we fixed them and put the fixes into production as quickly as possible
• We even embedded a blogger to observe and document the process!!
7. Why Bugcrowd?
• This year we wanted to take it a step further.
• The economics of bug bounties promised better results compared to the traditional approach
• Large researcher community, strong engagement
• Flex bounty fit the “Annual Assessment” format
8. Bugcrowd Flex
• Two-week bug bounty
• Private, with vetted researchers
• Top-placed rewards (35%), others (65%)
• Flex Bounty Report
• Access to researchers and the management platform
12. Flex Results
• Instead of two or three security researchers, we had 63+ researchers active during the test
• 10x the number of vulnerabilities identified
• This is NOT because Instructure is less secure - we have been doing these open audits each year for three years
• Each researcher comes at the problem with a different perspective
14. Key Takeaways
• Security is a process, and you can benefit by being transparent about your assessment process
• Flex bounties work! More, high-quality results by engaging with the research community vs. traditional methods
• Bugcrowd is helping make bug bounty programs accessible to organizations
• Download the report: https://blog.bugcrowd.com/increased-pen-test-results-instructure-flex/
15. What’s next
• We’ve launched a new ongoing bug bounty program in partnership with Bugcrowd
• Our overarching goal is to create the most secure learning and engagement platform for teachers and corporate trainers across the world.
• We do this by being proactive and playing offense when it comes to security, not defense.