Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.
Próximo SlideShare
Crossing Origins by Crossing Formats
Siguiente
Descargar para leer sin conexión y ver en pantalla completa.

Compartir

If You Can't Beat 'Em, Join 'Em (AppSecUSA)

Descargar para leer sin conexión

Grant McCracken and Daniel Trauner's presentation on setting up and managing a successful bug bounty program. Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.

  • Sé el primero en recomendar esto

If You Can't Beat 'Em, Join 'Em (AppSecUSA)

  1. 1. If You Can’t Beat ‘Em Join ‘Em: Practical Tips for Running a Successful Bug Bounty Program Grant McCracken and Daniel Trauner AppSecUSA 2016
  2. 2. Grant AppSecUSA 2016 If You Can't Beat 'Em Join 'Em • Solutions Architect @Bugcrowd – Formerly an AppSec Engineer • Before that, WhiteHat • Traveling, music, stuff.
  3. 3. Dan • Senior AppSec Engineer @Bugcrowd • Before that, Software Security @HP – Static analysis – lots of languages – Focused on Apple iOS • Art history and collecting AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  4. 4. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em BUG BOUNTY PROGRAMS
  5. 5. Source (Flickr)
  6. 6. Netscape “Bugs Bounty” AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  7. 7. An (Abbreviated) History of Bug Bounties Since 1995 AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  8. 8. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em WHY?
  9. 9. Do you really want to let people attack you? AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Hyperbole and a Half)
  10. 10. Yes! (They’re doing it anyways…) AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Hyperbole and a Half)
  11. 11. You vs. and Them AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  12. 12. Who are these people? • All ages • All levels of experience • All over the world • Users and and non-users • Passionate about security! AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  13. 13. The Value of Crowdsourced Testing Formal Methodologies The Crowd’s Creativity AppSecUSA 2016 If You Can't Beat 'Em Join 'Em 03
  14. 14. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em HOW?
  15. 15. Overview Pre-Launch • Scope • Focus • Exclusions • Environment • Access Post-Launch • Managing Expectations • Communicating Effectively • Defining a Vulnerability Rating Taxonomy AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  16. 16. But you never mentioned paying rewards! AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  17. 17. “Touch the code, pay the bug.” AppSecUSA 2016 If You Can't Beat 'Em Join 'Em !
  18. 18. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em PRE-LAUNCH
  19. 19. …but first, Step 0 AppSecUSA 2016 If You Can't Beat 'Em Join 'Em • Basic resources and requirements – A full-time resource – Escalation policies – Organization-wide awareness Find all of the dank memes for your slides
  20. 20. Scope • Scope defines the researcher’s universe – Leave nothing open to interpretation – Understand your attack surface – Recognize the path of least resistance AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Flickr)
  21. 21. Focus • You might care about specific: – Targets – Vulnerability Types – Functionality (e.g. payment processing) • How? – Incentives AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (xkcd)
  22. 22. Exclusions • You might not care about: – (Low-impact) “low hanging fruit” – Intended functionality – Known issues – Accepted risks – Issues based on pivoting AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Meme Generator)
  23. 23. Environment • Production vs. staging • Make sure it can stand up to testing! – Scanners – Contact forms – Pentesting requests • Special bounty types • Researcher environments AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Twitter @PokemonGoApp)
  24. 24. This is what a shared environment looks like… AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  25. 25. Access • Easier = better • Provide adequate resources for success – E.g. sandbox credit cards • No shared credentials AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Demotivation)
  26. 26. Remember… AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  27. 27. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em POST-LAUNCH
  28. 28. Manage Expectations AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Jane Donald)
  29. 29. Manage Expectations AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (SoJo 104.9)
  30. 30. Communication is Key • Researchers like: – Concise, unambiguous responses • ESL – Short response time – Predictable reward time • Stay on top of these issues! • Public disclosure? AppSecUSA 2016 If You Can't Beat 'Em Join 'Em 🔑
  31. 31. Coordinated Disclosure AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Stefano Vettorazzi)
  32. 32. Define a Vulnerability Rating Taxonomy (VRT) • For program owners: – Speeds up triage process – Track your organization’s security posture – Arrive at a reward amount more quickly • For researchers: – Focus on high-value bugs – Avoid wasting time on non-rewardable bugs – Alongside brief, helps build trust AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  33. 33. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em THINK LIKE A RESEARCHER
  34. 34. The Regular Methodologies AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (OWASP)Source (Amazon)
  35. 35. The Bughunter’s Methodology • Identify roads less traveled – Acquisitions (define the rules) – Functionality changes or redesigns – Mobile websites or apps • Think like a researcher – Wikipedia (acquisitions) – Google dorks, recon-ng, altdns, etc. • jhaddix/domain (enumall) • ChrisTruncer/EyeWitness – Researchers’ Blogs – And many more we can’t fit into this talk! AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Meme Generator)
  36. 36. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em A GOOD REPORT
  37. 37. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
  38. 38. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em FINAL TIPS
  39. 39. Consider the business impact! AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Know Your Meme)
  40. 40. Remember what it’s all about. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (BBC)
  41. 41. Case Study: Instructure 2013 (Pentest) 2014 (Bug Bounty) 2015 (Bug Bounty) Critical 0 0 0 High 1 25 3 Medium 1 8 2 Low 2 16 5 AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Instructure)
  42. 42. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Stack Exchange)
  43. 43. Thanks! Grant McCracken grant@bugcrowd.com Daniel Trauner dan@bugcrowd.com AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (xkcd)

Grant McCracken and Daniel Trauner's presentation on setting up and managing a successful bug bounty program. Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.

Vistas

Total de vistas

608

En Slideshare

0

De embebidos

0

Número de embebidos

11

Acciones

Descargas

14

Compartidos

0

Comentarios

0

Me gusta

0

×