Are You Vulnerability Blind? 3 Reasons to Reconsider a Bug Bounty


For the on-demand version of the webinar, visit:
https://www.brighttalk.com/webcast/14415/242115

Bug bounty programs are critical to the security programs of thousands of organizations, but many still have not embraced them. Join security leader Johnathan Hunt, VP Information Security at InVision, and Paul Ross, SVP of Marketing at Bugcrowd, to discuss why that situation must change, through topics including:

- How a security expert changed his mind about bug bounties
- Why no bug bounty means missed vulnerabilities
- How Bugcrowd finds a P1 bug every 27 hours

We will explore InVision’s bug bounty experience from conception to being critical to their customers’ confidence in their security.

*Register for the webinar now*

“Whether or not you’re going to have the good guys working for you or not, doesn’t mean the bad guys are going to stop working”

- Johnathan Hunt, InVision


Slide transcript:

  1. September 2016. ARE YOU VULNERABILITY BLIND? 3 REASONS TO RECONSIDER A BUG BOUNTY
  2. SPEAKERS (1/25/17): Paul Ross, SVP Marketing; Johnathan Hunt, VP Information Security
  3. AGENDA
     • Vulnerability Blindness
     • 3 Reasons to Reconsider a Bug Bounty:
       1. How a security expert changed his mind about bug bounties
       2. Why no bug bounty means missed vulnerabilities
       3. How Bugcrowd finds a P1 bug every 13 hours* (*an increase from one every 27 hours earlier in 2016)
  4. WHY IS THERE AN ISSUE TO ADDRESS? Breaking the Vulnerability Cycle
     • Ballooning attack surface
     • Cybersecurity resource shortage
     • Broken status quo
     • Active, efficient adversaries
  5. MYTHS OF BUG BOUNTY (or why you might have dismissed them in the past)
  6. POLL (Escape Velocity)
  7. CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING. [Figure: timeline of code releases; each code release is followed by a "zone of vulnerability blindness" that lasts until vulnerability awareness, then the next code release opens a new zone of vulnerability blindness.]
  8. BUG BOUNTY & CONTINUOUS ASSESSMENT AS THE SOLUTION
  9. WHAT IS A BUG BOUNTY? (Think of it as a competition.)
  10. WIDE ADOPTION OF CROWDSOURCED SECURITY. Industries represented: Financial Services, Consumer Tech, Retail & Ecommerce, Infrastructure Technology, Automotive, Security Technology, Other. 2/3 of programs are private.
  11. Reason 1: THE REHABILITATION OF A BUG BOUNTY SKEPTIC
  12. INTRODUCING INVISION: award-winning product design collaboration platform
     • Provides two million people with the power to prototype, review, refine, manage and user test web and mobile products.
     • Drives the product design process at leading Fortune 100 companies, including Disney, IBM, Walmart, Apple, Verizon and General Motors.
  13. INVISION SECURITY PROGRAM BEFORE BUG BOUNTY
     • Monthly internal vulnerability scans
     • Monthly external vulnerability scans
     • Annual third-party penetration test
     • 30-day patch cycle
     • Web Application Firewall
     • DDoS protection
  14. ‘WHETHER OR NOT YOU’RE GOING TO HAVE THE GOOD GUYS WORKING FOR YOU, DOESN’T MEAN THE BAD GUYS ARE GOING TO STOP WORKING’ — Johnathan Hunt
  15. Reason 2: WHY NO BUG BOUNTY MEANS MISSED VULNERABILITIES
  16. CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING. [Figure: same code release / zone of vulnerability blindness / vulnerability awareness timeline as slide 7.]
  17. BUG BOUNTY DELIVERS CONTINUOUS VULNERABILITY ASSESSMENT. [Figure: the same sequence of code releases, with vulnerability awareness continuous across releases instead of a blind zone after each one.]
  18. Reason 3: HOW BUGCROWD FINDS A P1 BUG EVERY 13 HOURS
  19. A RADICAL CYBER SECURITY ADVANTAGE: Enterprise Bug Bounty Solutions & Hackers On-Demand
     • 300+ programs run
     • Every program is managed by Bugcrowd
     • Deep researcher engagement and support
     • No confusing pricing models and no bounty commissions
     • 45,000+ researchers
     Three pillars: a curated crowd that thinks like an adversary but acts as an ally to find vulnerabilities; a platform that simplifies connecting researchers to organizations, saving you time and money; security expertise to design, support and manage crowd security programs.
  20. TIMELINE OF A SUCCESSFUL BUG BOUNTY PROGRAM: launches private bounty program → receives first P1 submission → receives 100th submission → runs On-Demand program → adds 100 additional researchers → receives 500th submission
  21. CONCLUSION: Avoiding Vulnerability Blindness
     • The reality of the modern development pipeline dictates a new approach
     • Continuous vulnerability assessment is real and achievable through the bug bounty model
     • Bugcrowd delivers the radical cybersecurity advantage of the crowd: curated crowd, simple-to-use platform, expertise to ensure success
  22. NEXT STEPS: TALK WITH A BUG BOUNTY EXPERT — HTTPS://PAGES.BUGCROWD.COM/TALK-WITH-A-BUG-BOUNTY-EXPERT
  23. Q&A: Paul Ross (@pjross01), Johnathan Hunt (@JHuntSecurity)

