8,100 hackers + Your apps = ???
SourceCONF Boston 2014
There's an asymmetry in the way we approach security today. The threat takes the form of lots of hackers, with lots of different skill-sets and diverse motivations, and the majority of them aren't being paid by the hour to attack your stuff. Contrast this with the paid-by-the-hour consultants and in-house resources. It's not that the good guys aren't smart; it's that the model is fundamentally disadvantaged. Crowdsourcing security testing through bug bounty programs engages a crowd of "good guys who think like bad guys" and economically incentivizes them the same way the bad guys are. Casey likes solving problems. He's the Founder and CEO of Bugcrowd, a company which provides a platform to manage bug bounty programs. He's also an Aussie who has difficulty with words that end with "er".
8,100 hackers + Your apps = ???

  1. 8,100 hackers + Your apps = ??? SourceCONF Boston 2014
  2. Why are we here?
  3. About me: @caseyjohnellis. JABAH (Just Another Blonde Aussie Hacker). Recovering pentester turned solution architect turned entrepreneur. Wife and two kids, now living in San Francisco. Founder and CEO of Bugcrowd.
  4. What's a bug bounty program?
  5. History [chart: y-axis 0 to 500, x-axis 1995 to 2015]
  6. It's not just about being cheap, or loud…
  7. It's about levelling the playing field.
  8. Black/gray hat economics. Goal: Exploit the bug and keep it alive. Resources: Many hackers/skill-sets/motivations/time. Incentive: Paid for results.
  9. White hat economics. Goal: Find the bug and kill it. Resources: Single sets of eyes. Incentive: Paid for effort.
  10. Bug bounty economics: A white hat goal with black/gray market economics and resourcing.
  11. CASE STUDY: Wordpress Sprint Bounty + 5 Plugins. Reward pool: $10,000. 2 weeks elapsed. $2,500 1st, $1,000 2nd, $500 3rd, $250 All Others (or the remainder divided by number of valid unique bugs, whichever is lower).
  12. CASE STUDY: Wordpress Sprint Bounty + 5 Plugins. 349 researchers participated. 243 security submissions from 23 countries. 7 unauthenticated-to-full-privilege 0-day vulnerabilities.
  13. CASE STUDY: Wordpress Sprint Bounty + 5 Plugins. 67 rewardable issues. $142.86 deduplicated cost per issue. 16 active security researchers in the first hour. 8 hours of effort in the first elapsed hour.
  14. CASE STUDY: Wordpress Sprint Bounty + 5 Plugins. $10,000: 5 days of effort in the first 8 hours of the bounty… across 349 separate sets of eyes, vs 5 days of effort.
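The reward rule on slide 11 is a small payout algorithm with a pool cap, and the "deduplicated cost per issue" on slide 13 follows from it. The calculator below is an added example, not code from the deck or from Bugcrowd. It assumes the rule means that the top three valid unique bugs take the fixed awards and every remaining valid unique bug takes $250 or an equal share of what is left in the pool, whichever is lower; the deck does not say whether "number of valid unique bugs" counts all bugs or only the ones outside the top three, so the share-among-the-rest reading is an assumption here (it is the reading that can never overspend the pool). The function and constant names are the example's own.

```python
from fractions import Fraction
from typing import List, Sequence

# Figures from slide 11; everything else in this file is an assumption.
POOL = 10_000
TOP_TIERS: Sequence[int] = (2_500, 1_000, 500)  # 1st, 2nd, 3rd
TAIL_CAP = 250                                   # "All others", capped


def payouts(n_valid_unique: int,
            pool: int = POOL,
            top_tiers: Sequence[int] = TOP_TIERS,
            tail_cap: int = TAIL_CAP) -> List[Fraction]:
    """One reward per valid, unique (deduplicated) bug, ranked highest first.

    Duplicates and won't-fix reports are not in n_valid_unique: the deck pays
    only for rewardable issues, so dedup happens before this is called.
    Fractions avoid float rounding so the pool check below is exact.
    """
    if n_valid_unique < 0:
        raise ValueError("bug count cannot be negative")
    top = [Fraction(t) for t in top_tiers[:n_valid_unique]]
    remainder = Fraction(pool) - sum(top, Fraction(0))
    if remainder < 0:
        raise ValueError("pool cannot cover the fixed tiers")
    n_tail = n_valid_unique - len(top)
    if n_tail == 0:
        return top
    # Assumption: the tail shares what is left, capped at tail_cap each.
    each = min(Fraction(tail_cap), remainder / n_tail)
    return top + [each] * n_tail


def total_spend(n_valid_unique: int, **kw) -> Fraction:
    """Total paid out for a given number of rewardable issues."""
    return sum(payouts(n_valid_unique, **kw), Fraction(0))


def cost_per_issue(n_valid_unique: int, **kw) -> Fraction:
    """Deduplicated cost per rewardable issue, the metric on slide 13."""
    if n_valid_unique == 0:
        return Fraction(0)
    return total_spend(n_valid_unique, **kw) / n_valid_unique


def never_overspends(max_bugs: int = 500, **kw) -> bool:
    """The check a program owner wants before publishing the rule:
    no number of valid bugs can push spend past the pool."""
    pool = kw.get("pool", POOL)
    return all(total_spend(n, **kw) <= pool for n in range(max_bugs + 1))


if __name__ == "__main__":
    for n in (2, 10, 67):
        print(n, "bugs:", float(total_spend(n)), "spent;",
              round(float(cost_per_issue(n)), 2), "per issue")
    print("pool never overspent:", never_overspends())
```

With 10 rewardable issues the tail cap binds and only $5,750 of the pool is spent; with 67 the pool binds, the whole $10,000 goes out, and each bug outside the top three gets $93.75. Note that $10,000 divided by the 67 rewardable issues is about $149.25, while the slide's $142.86 is $10,000 divided by 70, so the deck's per-issue figure uses a denominator it does not state.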
  15. "With many eyes all bugs are shallow" - Linus' Law
  16. Really? [image: GnuTLS goto fail, credit Veracode] [image: Heartbleed, credit Veracode]
  17. Linus was (a little bit) wrong.
  18. Developer Incentive: Make it work.
  19. Security Incentive: "…but what if nothing happens?"
  20. Who is doing this well right now?
  21. "With many eyes and the right incentive all bugs are shallow" - Linus' Amended Law
  22. Sound familiar?
  23. Bug bounties repurpose the economics of offense to the defensive side.
  24. So how do you get more eyes on security bugs? Cash. Soft incentives: swag, challenge coins, points systems, exclusive opportunities. Kudos: Hall of Fame, job prospects, contract prospects, community kudos, general swagger.
  25. Ready to start?
  26. Bug bounties are awesome…
  27. …but hard.
  28. Tips from the trenches
  29. The mistake *everyone* makes: VULNERABILITY DATA vs PEOPLE
  30. The Golden Rule: Respect the researcher
  31. If you touch the code, pay the researcher
  32. Be upfront and clear about what you will and won't pay
  33. Be transparent about duplicate and won't-fix issues
  34. Fix quick, pay quick.
  35. Expect front loading
  36. Controlled incidents improve your dev team
  37. Remember that bounty hunting is casual (vs committed)
  38. Conclusion
     • Bug bounties are cost effective, and highly marketable… but that's not the full story…
     • …this shift in strategy is necessary to address the fundamental asymmetries in the way we do things today.
     • Go start one.
     • More tips and tricks at https://blog.bugcrowd.com
  39. Questions?
  40. @caseyjohnellis https://bugcrowd.com casey@bugcrowd.com Greets to Chris, Rob and SourceCONF crew, builditsecure.ly, Rapid7, iamthecavalry.com, @treyford, @k8em0, @codesoda and the @bugcrowd team.