If You Can't Beat 'Em, Join 'Em

Grant McCracken and Daniel Trauner give tips for running a successful bug bounty program. From writing a clear bounty brief to communicating efficiently and effectively with researchers, this presentation, originally given at BSides Austin on April 1, 2016, is a good first step in thinking about running a bug bounty program.

  1. If You Can’t Beat ‘Em, Join ‘Em: Tips for Running a Successful Bug Bounty Program
     Grant McCracken, Daniel Trauner
     BSides Austin, April 1, 2016
  2. Grant
     ● Technical Account Manager @Bugcrowd
       ○ formerly an ASE
     ● Before that, Whitehat
     ● Did some traveling
     ● Music
     BSides Austin 2016 – If You Can’t Beat ‘Em Join ‘Em © Bugcrowd 2016
  3. Dan
     ● AppSec Engineer (ASE) @Bugcrowd
     ● Before that, Fortify SCA @HPSR
       ○ Static analysis, lots of languages
       ○ Focus on iOS
     ● Art History/Collecting!
  4. Bug Bounty Programs
  5. wut
  6. A (Brief) History of Bug Bounty Programs
  7. Why?
  8. Do you really want to let people attack you?
     Source: http://hyperboleandahalf.blogspot.com/2010_06_01_archive.html
  9. Yes! (They’re doing it anyway...)
  10. You vs. Them, or rather: You and Them
  11. Who are these people?
     ● All over the place!
       ○ All ages
       ○ All levels of experience
       ○ All over the world
       ○ Users and non-users
     ● Passionate about security
  12. Value
     ● Lots of eyes
     ● Only pay for valid results
     ● Shows a more advanced security posture
     ● Better overall reputation!
  13. How?
  14. How?
     ● Pre-Launch
       ○ Scope
       ○ Focus
       ○ Exclusions
       ○ Environment
       ○ Access
     ● Post-Launch
       ○ Managing Expectations
       ○ Communicating Effectively
       ○ Defining a Vulnerability Rating Taxonomy (VRT)
  15. (image slide)
  16. “Touch the code, pay the bug.”
  17. Pre-Launch
  18. Scope, scope, scope
     ● Step 0...
       ○ Basic resources/requirements to run a program
     ● The researcher’s universe
       ○ Leave nothing open to interpretation
       ○ Understand your attack surface
       ○ The path of least resistance
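Scope is where most "open to interpretation" disputes start: does `*.example.com` include the apex? Does a wildcard suffix accidentally swallow `notexample.com`? Does an exclusion beat an inclusion it overlaps with? The following scope checker is an added example for this page, not code from the talk or from Bugcrowd; the brief (`BRIEF`) and every hostname in it are constructed, and the rules it encodes are one reasonable set of answers a brief should state explicitly.

```python
"""Scope checker for a bug bounty brief.

Added example for this page, not code from the talk or from Bugcrowd. The
brief (BRIEF) and every hostname in it are constructed for illustration.
It encodes the decisions a brief must spell out so nothing is left to
interpretation:
  * "*.example.com" covers subdomains only, never the apex "example.com"
  * suffix matching is label-aware, so "notexample.com" is not in scope
  * an exclusion always wins over an inclusion it overlaps with
  * hosts compare case-insensitively; port, path and a trailing dot are ignored
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Scope:
    in_scope: List[str] = field(default_factory=list)
    out_of_scope: List[str] = field(default_factory=list)


def host_of(target: str) -> str:
    """Accept a bare host, host:port or full URL and return the bare hostname."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit treat it as a netloc
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def matches(pattern: str, host: str) -> bool:
    """Does one brief entry (exact host or *.suffix wildcard) cover this host?"""
    pattern = pattern.strip().lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # "*.example.com" -> ".example.com"
        # Must end with the suffix at a label boundary and have at least one
        # extra label in front, so neither "example.com" nor "notexample.com"
        # matches "*.example.com".
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(scope: Scope, target: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matching_rule); verdict is 'in', 'excluded' or
    'unlisted'. Exclusions are checked first so they override wildcards."""
    host = host_of(target)
    for rule in scope.out_of_scope:
        if matches(rule, host):
            return "excluded", rule
    for rule in scope.in_scope:
        if matches(rule, host):
            return "in", rule
    return "unlisted", None


# Constructed brief, not a real program's scope.
BRIEF = Scope(
    in_scope=["*.example.com", "api.example.org"],
    out_of_scope=["status.example.com", "*.cdn.example.com"],
)

if __name__ == "__main__":
    for t in ["www.example.com", "example.com", "notexample.com",
              "https://status.example.com/health", "edge.cdn.example.com"]:
        print(f"{t:40} -> {classify(BRIEF, t)}")
```

Returning the matching rule alongside the verdict matters in practice: when a researcher disputes an "out of scope" decision, the triager can quote the exact line of the brief rather than argue from memory. Note that `cdn.example.com` itself stays in scope under this brief while `*.cdn.example.com` is excluded, which is exactly the kind of edge the brief should say out loud.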
  19. Focus
     ● You might care about specific:
       ○ Targets
       ○ Vuln types
       ○ Functionalities (e.g. payment processing)
     ● How?
       ○ Incentives
       ○ Create a focused program
     Source: https://xkcd.com/1361/
  20. Exclusions
     ● You might not care about:
       ○ “Low-hanging fruit”
       ○ Intended functionality
       ○ Known issues
       ○ Accepted risks
       ○ Issues resulting from pivoting
  21. Environment
     ● Different based on:
       ○ Prod vs. Staging
         ■ Make sure it can stand up to testing!
           1. Scanners
           2. Contact forms
           3. Pentesting requests
       ○ Target type
         ■ IoT? iOS?
       ○ Special bounty type?
       ○ Researcher environments
  22. What a shared environment looks like...
  23. Access
     ● Easier = better
     ● How will researchers get there?
       ○ Whitelist? Proxy? Geo-restrictions?
     ● Public or private?
     ● SSN/CCs/phone numbers?
     ● Intuitive credentials management
       ○ NO SHARED CREDS
  24. Remember...
  25. Post-Launch
  26. Expectations, expectations, expectations...
  27. Expectations, expectations, expectations... (continued)
  28. Communication is Key
     ● Researchers like:
       ○ Concise, unambiguous responses
         ■ ESL (many researchers speak English as a second language)
       ○ Quick responses
       ○ Predictable time to reward
     ● Stay on top of these issues!
     ● Public disclosure?
  29. Define a Vulnerability Rating Taxonomy
     ● For you:
       ○ Speed up the triage process
       ○ Track your organization’s posture
       ○ Arrive at the reward amount more quickly
     ● For them (if published):
       ○ Focus on high-value bugs
       ○ Avoid reporting wontfix issues
       ○ Feel a sense of trust (goes with the brief)
  30. Discuss the VRT at a Roundtable
     ● Priority will change as your organization does
     ● Establish a discussion meeting
       ○ Review interesting bugs
       ○ Discuss additions to the VRT
       ○ Propose changes to vulnerability classification/priorities
     ● This is an ongoing process!
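The exclusions slide, the VRT slides and the "recipe for disaster" that follows all describe one triage pipeline: apply the brief's exclusions, check the known-issues list, then let the taxonomy produce a priority and a predictable reward. The following helper is an added example for this page, not code from the talk and not Bugcrowd's VRT; the categories, priority numbers, reward amounts, exclusions and sample reports are all constructed assumptions, and the VRT and exclusions are parameters so the roundtable can change them without touching the code.

```python
"""Triage helper driven by a Vulnerability Rating Taxonomy (VRT).

Added example for this page, not code from the talk or Bugcrowd's VRT. The
categories, priorities, reward amounts, exclusions and reports below are all
constructed for illustration. It ties together three points from the slides:
exclusions listed in the brief, a VRT that yields a priority and a predictable
reward, and a known-issues list so duplicates of an accepted or already-reported
bug are closed quickly instead of surprising the researcher.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set
import hashlib

# Constructed VRT: category -> baseline priority, P1 is most severe.
VRT: Dict[str, int] = {
    "rce": 1,
    "sqli": 1,
    "stored-xss": 2,
    "idor": 2,
    "reflected-xss": 3,
    "csrf": 4,
    "clickjacking": 5,
    "missing-security-headers": 5,
}

# Constructed reward table: priority -> USD; P5 is informational only.
REWARDS: Dict[int, int] = {1: 2000, 2: 1000, 3: 400, 4: 150, 5: 0}

# Categories the brief lists as accepted risk / intended functionality.
EXCLUSIONS: Set[str] = {"clickjacking", "missing-security-headers"}


@dataclass(frozen=True)
class Report:
    category: str
    host: str
    path: str
    parameter: str = ""


@dataclass
class Decision:
    status: str                # triaged | duplicate | not-applicable | needs-review
    priority: Optional[int]
    reward: int
    reason: str


def fingerprint(r: Report) -> str:
    """Stable id for 'the same bug': category + host + path with numeric path
    segments collapsed, so /users/17 and /users/42 dedupe to one IDOR."""
    path = "/".join("{id}" if seg.isdigit() else seg for seg in r.path.split("/"))
    key = f"{r.category}|{r.host.lower()}|{path}|{r.parameter}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(report: Report, known: Set[str],
           vrt: Dict[str, int] = VRT,
           exclusions: Set[str] = EXCLUSIONS) -> Decision:
    """Apply the brief's exclusions, then the known-issues list, then the VRT.
    A first valid report is added to `known` so later copies are duplicates."""
    if report.category in exclusions:
        return Decision("not-applicable", None, 0,
                        "category is listed as an exclusion in the brief")
    fp = fingerprint(report)
    if fp in known:
        return Decision("duplicate", None, 0, f"matches known issue {fp}")
    if report.category not in vrt:
        # The VRT does not cover it yet: a candidate for the roundtable.
        return Decision("needs-review", None, 0,
                        "category not in VRT; discuss at the next roundtable")
    priority = vrt[report.category]
    known.add(fp)
    return Decision("triaged", priority, REWARDS[priority],
                    f"VRT maps {report.category} to P{priority}")


def posture(decisions: Iterable[Decision]) -> Dict[int, int]:
    """Count triaged findings per priority: the 'track your posture' view."""
    counts: Dict[int, int] = {}
    for d in decisions:
        if d.status == "triaged" and d.priority is not None:
            counts[d.priority] = counts.get(d.priority, 0) + 1
    return counts


if __name__ == "__main__":
    known: Set[str] = set()
    for r in [Report("idor", "api.example.com", "/users/17"),
              Report("idor", "api.example.com", "/users/42"),
              Report("clickjacking", "www.example.com", "/"),
              Report("ssrf", "www.example.com", "/fetch", "url")]:
        print(r.category, r.path, "->", triage(r, known))
```

Seed `known` with the issues you already accept before launch; that is the slide's point about not providing known issues being step one of the recipe for disaster. The `needs-review` branch is what keeps the taxonomy honest: a category the VRT does not cover is surfaced for the roundtable rather than silently priced by whoever happens to be on triage that day.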
  31. Meanwhile, IRL...
  32. $UNPREPARED_COMPANY
     Recipe for disaster:
     1. Don’t provide known issues
     2. Don’t consider exclusions
     3. Sneaky brief changes
  33. Instructure: findings by severity
                 2013 (Pentest)   2014 (Bug Bounty)
     Critical          0                  0
     High              1                 25
     Medium            1                  8
     Low               2                 16
     Source: https://www.canvaslms.com/security
  34. tl;dr
  35. Source: https://xkcd.com/1256/