Key Takeaways from Instructure's Successful Bug Bounty Program
Slides used during Bugcrowd's 3/5/2015 webinar with Instructure, the innovative company behind Canvas Learning Management System. Learn why they turned to crowdsourced security, and how Bugcrowd's Flex program gave them great results.
Slide 1: Key Takeaways from Instructure’s Bug Bounty Program
Presenters:
• Q. Wade Billings, Sr. Director of Global IT Shared Services, Instructure
• Jonathan Cran, VP Operations, Bugcrowd

Slide 2: Your Presenters
• Q. Wade Billings, Sr. Director of Global IT Shared Services, Instructure
• IT leadership career spanning over 20 years. Held high-level positions with Excite@Home, lowermybills.com, Medicity and most recently WorkFront (fka AtTask)
• Involved in the Utah InfoSec community with ties to BSidesSLC and UtahSec.org
• Jonathan Cran, VP Operations, Bugcrowd
• Security assessment startups. Leadership positions with Rapid7, Pwnie Express, Metasploit.

Slide 3: About Instructure
• Instructure makes smart software that makes people smarter
• Instructure is a fast-growing education technology SaaS company serving multiple global markets
• Our growth since launch in 2011:
• 18+ million users
• 1,200 institutions under contract
• 500+ employees
• Global offices and five hosting platforms worldwide

Slide 4: About Bugcrowd
• Your Elastic Security Team
• Founded in 2012, based in San Francisco, 20 employees
• 15,000 researchers, $400,000 in researcher payments in 2014, 150 programs
• Provider of Crowdcontrol, the platform for Bug Bounty and Flex Bounty programs
• We help you start and manage your bug bounty program

Slide 5: Annual Assessment
• We update our platform every three weeks and users benefit from features and bug fixes.
• Starting in 2011, Instructure took a proactive approach to security.
• We publicly published results after the first security audit
• When vulnerabilities were found, we fixed them and put them into production as quickly as possible
• We even embedded a blogger to observe and document the process!!

Slide 6: Why Bugcrowd?
• This year we wanted to take it a step further.
• Economics of bug bounties promised better results compared to the traditional approach
• Large researcher community, strong engagement
• Flex bounty met the “Annual Assessment” format

Slide 7: Bugcrowd Flex
• Two-week bug bounty
• Private with vetted researchers
• Top placed rewards (35%), Others (65%)
• Flex Bounty Report
• Access to researchers and management platform

Slide 8: Flex Reward Structure (slide contains only an image)

Slide 9: Flex Process
• Step 1: Onboarding
• Step 2: Program opens to private, vetted researchers
• Step 3: Crowdcontrol removes duplicates and out-of-scope issues, providing quick feedback to researchers
• Step 4: Customer validates, assigns awards and authorizes payments
• Step 5: Program closes, report created, report delivered
• Step 6: Customer resolves and researcher re-tests (if requested)

Slide 10: Flex Process (slide contains only an image)

Slide 11: Flex Results
• Instead of two or three security researchers, we had 63+ researchers active during the test
• 10x the number of vulnerabilities identified
• This is NOT because Instructure is less secure - we have been doing these open audits each year for three years
• Each researcher comes at the problem with a different perspective

Slide 12: Flex Results
• Stored XSS
• Sending messages for unsubscribed courses
• Encrypted cookie store malleability / key reuse
• https://blog.bugcrowd.com/increased-pen-test-results-instructure-flex/

Slide 13: Key Takeaways
• Security is a process, and you can benefit by being transparent about your assessment process
• Flex bounties work! More, high-quality results by engaging with the research community vs. traditional methods
• Bugcrowd is helping make bug bounty programs accessible to organizations
• Download the report: https://blog.bugcrowd.com/increased-pen-test-results-instructure-flex/

Slide 14: What’s next
• We’ve launched a new ongoing bug bounty program in partnership with Bugcrowd
• Our overarching goal is to create the most secure learning and engagement platform for teachers and corporate trainers across the world.
• We do this by being proactive and playing offense when it comes to security, not defense.

Slide 15: Questions?