8,100 hackers + Your apps = ???

•

2 j'aime•1,420 vues

There's an asymmetry in the way we approach security today... The threat takes the form of lots of hackers, with lots of different skill-sets and diverse motivations - And the majority of them aren't being paid by the hour to attack your stuff. Contrast this with the paid by the hour consultants and in-house resources. It's not that the good guys aren't smart, it's that the model is fundamentally disadvantaged. Crowdsourcing security testing through bug bounty programs engages a crowd of "good guys who think like bad guys" and economically incentivizes them the same way the bad guys are. Casey likes solving problems. He's the Founder and CEO of Bugcrowd, a company which provides a platform to manage bug bounty programs. He's also an Aussie who has difficulty with words that end with "er".

Technologie Business

8,100 hackers + Your apps = ???
SourceCONF Boston 2014

About me
@caseyjohnellis
JABAH (Just Another Blonde Aussie Hacker)
Recovering pentester turned solution architect turned entrepreneur
Wife and two kids now living in San Francisco
Founder and CEO of Bugcrowd

History
0
125
250
375
500
1995 2000 2005 2010 2015

It’s not just about being
cheap, or loud…

Black/gray hat economics
!
Goal: Exploit the bug and keep it alive
Resources: Many hackers/skill-sets/motivations/time
Incentive: Paid for results

White hat economics
!
Goal: Find the bug and kill it
Resources: Single sets of eyes
Incentive: Paid for effort

Bug bounty economics
!
A white hat goal with black/gray market economics
and resourcing.

Reward pool: $10,000
2 weeks elapsed
CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
$2,500
1st
$1,000
2nd
$500
3rd
$250
All Others 
or the remainder divided by
number of valid unique
bugs… Which ever is lower)

CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
349 researchers participated.
243 security submissions from 23 countries.
7 unauth’d to full privilege 0-day vulnerabilities.

CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
67 rewardable Issues
$142.86 deduplicated cost per issue
16 active security researchers in first hour
8 hours effort in first elapsed hour

CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
$10,000
5 days of effort in the
first 8 hours of the
bounty… Across 349
separate sets of eyes
5 days of effort
VS

With many eyes all bugs are shallow
- Linus’ Law
“

Really?
Credit: Veracode
GnuTLS goto fail
Credit: Veracode
Heartbleed

Security Incentive
“…but what if nothing happens?”

With many eyes and the right incentive
all bugs are shallow
- Linus’ Amended Law
“

Bug bounties repurpose the economics
of offense to the defensive side.

So how do you get more eyes
on security bugs?
Cash Soft Incentives Kudos
Swag, challenge coins,
points systems,
exclusive opportunities
Hall of Fame, job
prospects, contract
prospects, community
kudos, general swagger

The mistake *everyone* makes:
!
VULNERABILITY DATA
PEOPLE

If you touch the code, pay
the researcher

Be upfront and clear about
what you will and won’t
pay

Be transparent about
duplicate and won’t ﬁx
issues

Controlled incidents
improve your dev team

Remember that bounty
hunting is casual (vs
committed)

Conclusion
• Bug bounties are cost effective, and highly
marketable… but that’s not the full story…
• …this shift in strategy is necessary to address the
fundamental asymmetries in the way we do things
today.
• Go start one.
• More tips and tricks at https://blog.bugcrowd.com

@caseyjohnellis
https://bugcrowd.com
casey@bugcrowd.com
!
Greets to Chris, Rob and SourceCONF crew, builditsecure.ly, Rapid7,
iamthecavalry.com, @treyford, @k8em0, @codesoda and the
@bugcrowd team.

Contenu connexe

Plus de bugcrowd

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

bugcrowd

Ekoparty 2017 - The Bug Hunter's Methodology

bugcrowd

3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program

bugcrowd

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

bugcrowd

Writing vuln reports that maximize payouts - Nullcon 2016

bugcrowd

Bug Bounty Hunter Methodology - Nullcon 2016

bugcrowd

Zephyr Health, a quickly growing company harnessing the power of global healthcare data, has spent the last year augmenting its’ product security efforts. With Bugcrowd’s help, they have transformed their development and overarching culture to prioritize security. Bugcrowd joins Zephyr Health’s CISO, Kim Green, to hear about how she came to understand and implement crowdsourced security testing within the organization.

Revitalizing Product Securtiy at Zephyr Health

bugcrowd

Kymberlee Price's Presentation from Black Hat 2015 In this presentation, Kymberlee discusses several highly critical vulnerabilities that have been uncovered through a variety of bug bounty programs and their impact on the customers. With participation from researchers and vendors, attendees will not only see some sweet vulnerabilities broken down, but also why wading through another submission from @CluelessSec might be worth it.

HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs

bugcrowd

How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV

bugcrowd

WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties. Follow Jason on Twitter: http://twitter.com/jhaddix Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

bugcrowd

4 Reasons to Crowdsource Your Pen Test

bugcrowd

Mobile Application Security Threats through the Eyes of the Attacker

bugcrowd

5 Tips to Successfully Running a Bug Bounty Program

bugcrowd

[Webinar] The Art & Value of Bug Bounty Programs

bugcrowd

Plus de bugcrowd (14)

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Ekoparty 2017 - The Bug Hunter's Methodology

3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

Writing vuln reports that maximize payouts - Nullcon 2016

Bug Bounty Hunter Methodology - Nullcon 2016

Revitalizing Product Securtiy at Zephyr Health

HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs

How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

4 Reasons to Crowdsource Your Pen Test

Mobile Application Security Threats through the Eyes of the Attacker

5 Tips to Successfully Running a Bug Bounty Program

[Webinar] The Art & Value of Bug Bounty Programs

Dernier

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Manulife - Insurer Innovation Award 2024

The Digital Insurer

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Dernier (20)

Why Teams call analytics are critical to your entire business

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Manulife - Insurer Innovation Award 2024

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Artificial Intelligence: Facts and Myths

How to Troubleshoot Apps for the Modern Connected Worker

Artificial Intelligence Chap.5 : Uncertainty

Scaling API-first – The story of a global engineering organization

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Automating Google Workspace (GWS) & more with Apps Script

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Boost Fertility New Invention Ups Success Rates.pdf

🐬 The future of MySQL is Postgres 🐘

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Axa Assurance Maroc - Insurer Innovation Award 2024

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

8,100 hackers + Your apps = ???

1. 8,100 hackers + Your apps = ??? SourceCONF Boston 2014

2. Why are we here?

3. About me @caseyjohnellis JABAH (Just Another Blonde Aussie Hacker) Recovering pentester turned solution architect turned entrepreneur Wife and two kids now living in San Francisco Founder and CEO of Bugcrowd

4. What’s a bug bounty program?

5. History 0 125 250 375 500 1995 2000 2005 2010 2015

6. It’s not just about being cheap, or loud…

7. It’s about levelling the playing ﬁeld.

8. Black/gray hat economics ! Goal: Exploit the bug and keep it alive Resources: Many hackers/skill-sets/motivations/time Incentive: Paid for results

9. White hat economics ! Goal: Find the bug and kill it Resources: Single sets of eyes Incentive: Paid for effort

10. Bug bounty economics ! A white hat goal with black/gray market economics and resourcing.

11. Reward pool: $10,000 2 weeks elapsed CASE STUDY Wordpress Sprint Bounty + 5 Plugins $2,500 1st $1,000 2nd $500 3rd $250 All Others  or the remainder divided by number of valid unique bugs… Which ever is lower)

12. CASE STUDY Wordpress Sprint Bounty + 5 Plugins 349 researchers participated. 243 security submissions from 23 countries. 7 unauth’d to full privilege 0-day vulnerabilities.

13. CASE STUDY Wordpress Sprint Bounty + 5 Plugins 67 rewardable Issues $142.86 deduplicated cost per issue 16 active security researchers in first hour 8 hours effort in first elapsed hour

14. CASE STUDY Wordpress Sprint Bounty + 5 Plugins $10,000 5 days of effort in the first 8 hours of the bounty… Across 349 separate sets of eyes 5 days of effort VS

15. With many eyes all bugs are shallow - Linus’ Law “

16. Really? Credit: Veracode GnuTLS goto fail Credit: Veracode Heartbleed

17. Linus was (a little bit) wrong.

18. Developer Incentive Make it work.

19. Security Incentive “…but what if nothing happens?”

20. Who is doing this well right now?

21. With many eyes and the right incentive all bugs are shallow - Linus’ Amended Law “

22. Sound familiar?

23. Bug bounties repurpose the economics of offense to the defensive side.

24. So how do you get more eyes on security bugs? Cash Soft Incentives Kudos Swag, challenge coins, points systems, exclusive opportunities Hall of Fame, job prospects, contract prospects, community kudos, general swagger

25. Ready to start?

26. Bug bounties are awesome…

27. …but hard.

28. Tips from the trenches

29. The mistake *everyone* makes: ! VULNERABILITY DATA PEOPLE

30. The Golden Rule: Respect the researcher

31. If you touch the code, pay the researcher

32. Be upfront and clear about what you will and won’t pay

33. Be transparent about duplicate and won’t ﬁx issues

34. Fix quick, pay quick.

35. Expect front loading

36. Controlled incidents improve your dev team

37. Remember that bounty hunting is casual (vs committed)

38. Conclusion • Bug bounties are cost effective, and highly marketable… but that’s not the full story… • …this shift in strategy is necessary to address the fundamental asymmetries in the way we do things today. • Go start one. • More tips and tricks at https://blog.bugcrowd.com

39. Questions?

40. @caseyjohnellis https://bugcrowd.com casey@bugcrowd.com ! Greets to Chris, Rob and SourceCONF crew, builditsecure.ly, Rapid7, iamthecavalry.com, @treyford, @k8em0, @codesoda and the @bugcrowd team.

8,100 hackers + Your apps = ???

Recommandé

Recommandé

Contenu connexe

Plus de bugcrowd

Plus de bugcrowd (14)

Dernier

Dernier (20)

8,100 hackers + Your apps = ???