Are You Vulnerability Blind? 3 Reasons to Reconsider a Bug Bounty

September 2016 ARE YOU VULNERABILITY BLIND? 3 REASONS TO RECONSIDER A BUG BOUNTY

Transcript of Are You Vulnerability Blind? 3 Reasons to Reconsider a Bug Bounty


1/25/17

SPEAKERS

PAUL ROSS, SVP MARKETING

JOHNATHAN HUNT, VP INFORMATION SECURITY

AGENDA

• Vulnerability Blindness

• 3 Reasons to Reconsider a Bug Bounty

1. How a security expert changed his mind about bug bounties

2. Why no bug bounty means missed vulnerabilities

3. How Bugcrowd finds a P1 bug every 13 hours*


*Increase from 1 every 27 hours earlier in 2016

WHY IS THERE AN ISSUE TO ADDRESS?


Ballooning attack surface

Cybersecurity resource shortage

Broken status-quo

Active, efficient adversaries

Breaking The Vulnerability Cycle

MYTHS OF BUG BOUNTY (OR WHY YOU MIGHT HAVE DISMISSED THEM IN THE PAST)


POLL


CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING


[Chart: Vulnerability Awareness over time; labels: Code Release, Code Release, Zone of Vulnerability Blindness, Zone of Vulnerability Blindness]

BUG BOUNTY & CONTINUOUS ASSESSMENT AS THE SOLUTION


WHAT IS A BUG BOUNTY?


(Think of it as a competition)

[Chart: programs by industry; labels: Financial Services, Consumer Tech, Retail & Ecommerce, Infrastructure Technology, Automotive, Security Technology, Other]

2/3rds of Programs are Private

WIDE ADOPTION OF CROWDSOURCED SECURITY

THE REHABILITATION OF A BUG BOUNTY SKEPTIC


Reason 1

INTRODUCING INVISION

Award-winning product design collaboration platform

• Provide two million people with the power to prototype, review, refine, manage and user test web and mobile products.

• Drives the product design process at leading Fortune 100 companies, including at Disney, IBM, Walmart, Apple, Verizon and General Motors.


INVISION SECURITY PROGRAM BEFORE BUG BOUNTY

• Monthly internal vulnerability scans

• Monthly external vulnerability scans

• Annual Third-Party Penetration Test

• 30-day patch cycle

• Web Application Firewall

• DDoS Protection


‘WHETHER OR NOT YOU’RE GOING TO HAVE THE GOOD GUYS WORKING FOR YOU, DOESN’T MEAN THE BAD GUYS ARE GOING TO STOP WORKING’

— JOHNATHAN HUNT


WHY NO BUG BOUNTY MEANS MISSED VULNERABILITIES


Reason 2

CONTINUOUS VULNERABILITY ASSESSMENT HAS NOT BEEN A THING


[Chart: Vulnerability Awareness over time; labels: Code Release, Code Release, Zone of Vulnerability Blindness, Zone of Vulnerability Blindness]

BUG BOUNTY DELIVERS CONTINUOUS VULNERABILITY ASSESSMENT


[Chart: Vulnerability Awareness over time with a bug bounty in place; labels: Code Release, Code Release]

HOW BUGCROWD FINDS A P1 BUG EVERY 13 HOURS


Reason 3

A RADICAL CYBER SECURITY ADVANTAGE:

Enterprise Bug Bounty Solutions & Hackers On-Demand

• 300+ Programs run

• Every program is managed by Bugcrowd

• Deep researcher engagement and support

• No confusing pricing models and no bounty commissions

• 45,000+ researchers


• Curated Crowd that thinks like an adversary but acts as an ally to find vulnerabilities

• A Platform that simplifies connecting researchers to organizations, saving you time and money

• Security Expertise to design, support, and manage crowd security programs

TIMELINE OF A SUCCESSFUL BUG BOUNTY PROGRAM


Launches private bounty program

Receives first P1 submission

Receives 100th submission

Runs On-Demand program

Adds 100 additional researchers

Receives 500th submission

CONCLUSION

Avoiding Vulnerability Blindness

• Reality of modern development pipeline dictates a new approach

• Continuous vulnerability assessment is real and achievable through the bug bounty model

• Bugcrowd delivers the radical cybersecurity advantage of the crowd


Curated Crowd

Simple-to-use platform

Expertise to ensure success

NEXT STEPS

TALK WITH A BUG BOUNTY EXPERT

HTTPS://PAGES.BUGCROWD.COM/TALK-WITH-A-BUG-BOUNTY-EXPERT


PAUL ROSS — @pjross01

JOHNATHAN HUNT — @JHuntSecurity

Q&A