7 Bug Bounty Myths, BUSTED

Descargar para leer sin conexión

View this on-demand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar

About the content:
Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about them in the cybersecurity community. In this recorded webinar we explore 7 myths about bug bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world.

After viewing this presentation and on-demand webinar you will:

1. Learn if a bug bounty program is right for your organization
2. Understand if a bug bounty encourages hackers to attack your systems
3. Explore the real benefits of bug bounty programs – and find out if they actually work
4. Get insight on whether these programs are too hard and costly to manage


  1. 7 Bug Bounty Myths
  2. What Is a Bug Bounty?
  3. What is a Bug Bounty? For those of you who are new: think of it as a competition where independent security researchers all over the world find and report vulnerabilities to companies and their applications in exchange for rewards.
  4. Poll (single select). Question: I believe our organization's security could be improved with the addition of a bug bounty program.
     • Strongly agree
     • Somewhat agree
     • Neither agree nor disagree
     • Somewhat disagree
     • Strongly disagree
  5. Why Are More Organizations Doing Bug Bounty Programs?
     • Ballooning attack surface: we have debt to clear and we need to be able to plan for the future.
     • Active, efficient adversaries: a well-developed "offensive" economy.
     • Broken status quo: automation doesn't provide enough coverage, and there is reliance on one-off consulting engagements.
     • Cybersecurity resource shortage: 209,000 in the USA alone.
  6. A New Way to Run Bug Bounties
  7. Why Do We Exist? A platform that connects organizations to the researcher community.
     • 40,000+ researchers with specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.
     • Organizations both big and small: making bug bounties easy for every type of company through a variety of bug bounty solutions.
  8. A Radical Cyber Security Advantage
     • A crowd that thinks like an adversary but acts like an ally to find vulnerabilities
     • A platform that simplifies connecting researchers to organizations
     • Security expertise to design, support, and manage crowd security programs
     • Enterprise bug bounty solutions & hackers-on-demand
  9. 7 Bug Bounty Myths
  10. Myth #1: All bug bounty programs are 'public'. False. Today, the majority of bug bounty programs are invite-only programs: 68% of programs are private. Best practice: start with a private program.
     • Learn how to scope and define the program with fewer researchers
     • Build processes and experience in receiving submissions
     • Address specific security needs with a curated crowd
  11. Myth #2: Only tech companies run bug bounties. False. The bug bounty model has evolved to be effective and flexible for organizations of virtually any size or type. Growth in programs is being driven by adoption across industries. Top emerging segments:
     • Automotive
     • Medical device
     • Government
  12. Myth #3: Running a bounty program is too risky. False. With a trusted partner, running a bug bounty program is no more risky than other, traditional security assessment methods. Public disclosure incidents: .0005%.
     "You can very well quantify and control for the risks and rewards of using the crowd, such that in the end, the legal exposure that an organization has from using the crowd is basically the same as it would have from any other means of pen testing that you might traditionally buy from a pen testing provider." James Denaro, Founder of CipherLaw
     • Programs incentivize good behavior
     • Researchers want to do the right thing
     • Using a platform where your program and researchers are managed "out of the box" is key
  13. Myth #4: Bug bounties don't attract talented testers. False. Many of our bug hunters are the most talented security researchers in the world, and many are full-time security professionals.
     "We decided to run a bug bounty program to get access to a wide variety of security testers. Hiring security researchers is very difficult in today's market... We have products that cover a wide variety of applications, using a wide variety of technologies, so we need security testing that can cover all those areas." Jon Green, Sr. Director of Security Architecture, Aruba
     See "Inside the Mind of a Hacker": https://pages.bugcrowd.com/inside-the-mind-of-a-hacker-2016
  14. Myth #5: They don't yield high-value results. False. Bug bounties help organizations uncover high-quality vulnerabilities missed by traditional security assessment methods. Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016
     "We think of the bug bounty program as 'part of this complete breakfast.' You have all these internal activities, and the Bugcrowd program for us... is a nice supplement to those things, it catches bugs that our internal testing didn't catch." Jim Hebert, Sr. Security Engineer, Fitbit
     Chart: P1, P2, P3 % of submissions increasing dramatically.
  15. Myth #6: They're too costly and hard to budget for. False. You can control your bug bounty budget, and we help make the best suggestion for your organization.
     "Efficiency and effectiveness of the crowd is really why we bring them on... Because we have the crowd involved in the vulnerability management program, it's helped in expanding of our team for a fraction of the cost. Now my internal resources are better utilized." David Baker, CSO, Okta
     See https://pages.bugcrowd.com/whats-a-bug-worth. Okta's bug bounty throughput:
     • 15 hours average time spent
     • 220+ researchers
     • 3500 hours total testing time
     • 2 full-time heads
  16. Poll (single select). Question: I believe we have enough staff and resources to deal with all of our security challenges.
     • Strongly agree
     • Somewhat agree
     • Neither agree nor disagree
     • Somewhat disagree
     • Strongly disagree
  17. Myth #7: Bounty programs are too hard to manage. False. With a trusted partner, bug bounty programs are easy, efficient and effective. You receive ready-to-fix, high-value bugs. Crowd + Platform + Expertise:
     • Reduce the program management load on your security team with an easy-to-use platform to manage programs and communicate with researchers
     • Only receive and act on real vulnerabilities, with automated triage and expert validation of submissions
     • Incentivize and reward researchers globally with automated, direct payment through our platform, with no commission on payouts
  18. Multi-Solution Bug Bounty Model Gaining Traction: not just about public programs. Engage the collective intelligence of thousands of security researchers worldwide. Many organizations are utilizing different types of bug bounty solutions.
     • Private ongoing program: continuous testing using a private, invite-only crowd of researchers.
     • Public ongoing program: incentivize the continuous testing of main web properties, self-signup apps, or anything already publicly accessible.
     • On-demand program: project-based testing using a private, invite-only crowd of researchers. Target new products, major releases, or anything requiring a short period of testing. Replace costly pen-tests.
  19. Key Takeaways
  20. A Radical Cyber Security Advantage
     • A crowd that thinks like an adversary but acts like an ally to find vulnerabilities
     • A platform that simplifies connecting researchers to organizations
     • Security expertise to design, support, and manage crowd security programs
     • Enterprise bug bounty solutions & hackers-on-demand
  21. 7 Bug Bounty Myths
  22. Next Steps. Talk with a bug bounty expert: Bugcrowd.com/chat-with-us
