7 bug bounty myths, busted

Upload: bugcrowd

Post on 19-Mar-2017

Page 1: 7 Bug Bounty Myths, BUSTED

7 Bug Bounty Myths

Page 2: 7 Bug Bounty Myths, BUSTED

What Is a Bug Bounty?

Page 3: 7 Bug Bounty Myths, BUSTED

What is a Bug Bounty? For Those of You Who Are New

Think of it as a competition where independent security researchers all over the world find and report vulnerabilities to companies and their applications in exchange for rewards.

Page 4: 7 Bug Bounty Myths, BUSTED

Poll (single select)

Question: I believe our organization's security could be improved with the addition of a bug bounty program.
• Strongly agree
• Somewhat agree
• Neither agree nor disagree
• Somewhat disagree
• Strongly disagree

Page 5: 7 Bug Bounty Myths, BUSTED

Why Are More Organizations Doing Bug Bounty Programs?

• Ballooning attack surface: we have debt to clear and we need to be able to plan for the future
• Active, efficient adversaries: a well-developed "offensive" economy
• Broken status quo: automation doesn't provide enough coverage, and there is reliance on one-off consulting engagements
• Cybersecurity resource shortage: 209,000 in the USA alone

Page 6: 7 Bug Bounty Myths, BUSTED

A New Way to Run Bug Bounties

Page 7: 7 Bug Bounty Myths, BUSTED

Why Do We Exist? A Platform That Connects Organizations to the Researcher Community

40,000+ Researchers

With specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.

Organizations Both Big and Small

Making Bug Bounties easy for every type of company through a variety of Bug Bounty Solutions.

Page 8: 7 Bug Bounty Myths, BUSTED

A Radical Cyber Security Advantage

A Crowd That Thinks Like An Adversary But Acts Like an Ally to Find

Vulnerabilities

A Platform That Simplifies Connecting Researchers to Organizations

Security Expertise To Design, Support, and Manage Crowd Security Programs

Enterprise Bug Bounty Solutions & Hackers-On Demand

Page 9: 7 Bug Bounty Myths, BUSTED

7 Bug Bounty Myths

Page 10: 7 Bug Bounty Myths, BUSTED

Myth #1: All bug bounty programs are 'public'

False. Today, the majority of bug bounty programs are invite-only programs.

68% of programs are private.

Best Practice: Start with a private program
• Learn how to scope and define the program with fewer researchers
• Build processes and experience in receiving submissions
• Address specific security needs with a curated crowd

Page 11: 7 Bug Bounty Myths, BUSTED

Myth #2: Only tech companies run bug bounties

False. The bug bounty model has evolved to be effective and flexible for organizations of virtually any size or type.

Growth in programs is being driven by adoption across industries.

Top emerging segments:
• Automotive
• Medical Device
• Government

Page 12: 7 Bug Bounty Myths, BUSTED

Myth #3: Running a bounty program is too risky

False. With a trusted partner, running a bug bounty program is no more risky than other, traditional security assessment methods.

Public disclosure incidents: .0005%

"You can very well quantify and control for the risks and rewards of using the crowd, such that in the end, the legal exposure that an organization has from using the crowd is basically the same as it would have from any other means of pen testing that you might traditionally buy from a pen testing provider."

James Denaro, Founder of CipherLaw

• Programs incentivize good behavior
• Researchers want to do the right thing
• Using a platform where your program and researchers are managed "out of the box" is key

Page 13: 7 Bug Bounty Myths, BUSTED

Myth #4: Bug bounties don't attract talented testers

False. Many of our bug hunters are the most talented security researchers in the world, and many are full-time security professionals.

"We decided to run a bug bounty program to get access to a wide variety of security testers. Hiring security researchers is very difficult in today's market... We have products that cover a wide variety of applications, using a wide variety of technologies, so we need security testing that can cover all those areas."

Jon Green, Sr. Director of Security Architecture, Aruba

"Inside the Mind of a Hacker": https://pages.bugcrowd.com/inside-the-mind-of-a-hacker-2016

Page 14: 7 Bug Bounty Myths, BUSTED

Myth #5: They don't yield high-value results

False. Bug bounties help organizations uncover high-quality vulnerabilities missed by traditional security assessment methods.

Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016

"We think of the bug bounty program as 'part of this complete breakfast.' You have all these internal activities, and the Bugcrowd program for us... is a nice supplement to those things; it catches bugs that our internal testing didn't catch."

Jim Hebert, Sr. Security Engineer, Fitbit

Page 15: 7 Bug Bounty Myths, BUSTED

Myth #6: They're too costly and hard to budget for

False. You can control your bug bounty budget, and we help make the best suggestion for your organization.

"Efficiency and effectiveness of the crowd is really why we bring them on... Because we have the crowd involved in the vulnerability management program, it's helped in expanding our team for a fraction of the cost. Now my internal resources are better utilized."

David Baker, CSO, Okta

https://pages.bugcrowd.com/whats-a-bug-worth

Okta's Bug Bounty Throughput
• 15 hours: avg time spent per researcher
• 220+: number of researchers
• 3500 hours: total testing time
• 2 full-time heads

Page 16: 7 Bug Bounty Myths, BUSTED

Poll (single select)

Question: I believe we have enough staff and resources to deal with all of our security challenges.
• Strongly agree
• Somewhat agree
• Neither agree nor disagree
• Somewhat disagree
• Strongly disagree

Page 17: 7 Bug Bounty Myths, BUSTED

Myth #7: Bounty programs are too hard to manage

False. With a trusted partner, bug bounty programs are easy, efficient and effective. You receive ready-to-fix, high-value bugs.

Crowd + Platform + Expertise

• Reduce the program management load on your security team with an easy to use platform to manage programs and communicate with researchers

• Only receive and act on real vulnerabilities with automated triage and expert validation of submissions

• Incentivize and reward researchers globally with automated, direct payment through our platform with no commission on payouts

Page 18: 7 Bug Bounty Myths, BUSTED

Multi-Solution Bug Bounty Model Gaining Traction: Not Just About Public Programs

Engage the collective intelligence of thousands of security researchers worldwide.

Public Ongoing Program: The perfect solution to incentivize the continuous testing of main web properties, self-sign-up apps, or anything already publicly accessible.

Private Ongoing Program: Continuous testing using a private, invite-only crowd of researchers. Incentivize the continuous testing of main web properties, self-sign-up apps, or anything publicly accessible.

On-Demand Program: Project-based testing using a private, invite-only crowd of researchers. Target new products, major releases, or anything requiring a short period of testing. Replace costly pen-tests.

Many organizations are utilizing different types of Bug Bounty Solutions.

Page 19: 7 Bug Bounty Myths, BUSTED

Key Takeaways

Page 20: 7 Bug Bounty Myths, BUSTED

A Radical Cyber Security Advantage

A Crowd That Thinks Like An Adversary But Acts Like an Ally to Find

Vulnerabilities

A Platform That Simplifies Connecting Researchers to Organizations

Security Expertise To Design, Support, and Manage Crowd Security Programs

Enterprise Bug Bounty Solutions & Hackers-On Demand

Page 21: 7 Bug Bounty Myths, BUSTED

7 Bug Bounty Myths

Page 22: 7 Bug Bounty Myths, BUSTED

Next Steps

Talk with a bug bounty expert: Bugcrowd.com/chat-with-us