If You Can't Beat 'Em, Join 'Em (AppSecUSA)

•

1 gostou•642 visualizações

Grant McCracken and Daniel Trauner's presentation on setting up and managing a successful bug bounty program. Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.

Tecnologia

If You Can’t Beat ‘Em Join ‘Em:
Practical Tips for Running a Successful Bug Bounty Program
Grant McCracken and Daniel Trauner
AppSecUSA 2016

Grant
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
• Solutions Architect @Bugcrowd
– Formerly an AppSec Engineer
• Before that, WhiteHat
• Traveling, music, stuff.

Dan
• Senior AppSec Engineer @Bugcrowd
• Before that, Software Security @HP
– Static analysis – lots of languages
– Focused on Apple iOS
• Art history and collecting
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
BUG BOUNTY PROGRAMS

Netscape “Bugs Bounty”
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

An (Abbreviated) History of Bug Bounties Since 1995
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
WHY?

Do you really want to let people attack you?
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Hyperbole and a Half)

Yes! (They’re doing it anyways…)
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Hyperbole and a Half)

You vs. and Them
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

Who are these people?
• All ages
• All levels of experience
• All over the world
• Users and and non-users
• Passionate about security!
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

The Value of Crowdsourced Testing
Formal Methodologies The Crowd’s Creativity
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
03

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
HOW?

Overview
Pre-Launch
• Scope
• Focus
• Exclusions
• Environment
• Access
Post-Launch
• Managing Expectations
• Communicating Effectively
• Defining a Vulnerability Rating Taxonomy
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

But you never mentioned paying rewards!
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

“Touch the code, pay the bug.”
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
!

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
PRE-LAUNCH

…but first, Step 0
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
• Basic resources and requirements
– A full-time resource
– Escalation policies
– Organization-wide awareness
Find all of
the dank
memes for
your slides

Scope
• Scope defines the researcher’s universe
– Leave nothing open to interpretation
– Understand your attack surface
– Recognize the path of least resistance
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Flickr)

Focus
• You might care about specific:
– Targets
– Vulnerability Types
– Functionality (e.g. payment processing)
• How?
– Incentives
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (xkcd)

Exclusions
• You might not care about:
– (Low-impact) “low hanging fruit”
– Intended functionality
– Known issues
– Accepted risks
– Issues based on pivoting
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Meme Generator)

Environment
• Production vs. staging
• Make sure it can stand up to testing!
– Scanners
– Contact forms
– Pentesting requests
• Special bounty types
• Researcher environments
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Twitter @PokemonGoApp)

This is what a shared environment looks like…
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

Access
• Easier = better
• Provide adequate resources for success
– E.g. sandbox credit cards
• No shared credentials
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Demotivation)

Remember…
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
POST-LAUNCH

Manage Expectations
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Jane Donald)

Manage Expectations
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (SoJo 104.9)

Communication is Key
• Researchers like:
– Concise, unambiguous responses
• ESL
– Short response time
– Predictable reward time
• Stay on top of these issues!
• Public disclosure?
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
🔑

Coordinated Disclosure
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Stefano Vettorazzi)

Define a Vulnerability Rating Taxonomy (VRT)
• For program owners:
– Speeds up triage process
– Track your organization’s security posture
– Arrive at a reward amount more quickly
• For researchers:
– Focus on high-value bugs
– Avoid wasting time on non-rewardable bugs
– Alongside brief, helps build trust
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
THINK LIKE A RESEARCHER

The Regular Methodologies
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (OWASP)Source (Amazon)

The Bughunter’s Methodology
• Identify roads less traveled
– Acquisitions (define the rules)
– Functionality changes or redesigns
– Mobile websites or apps
• Think like a researcher
– Wikipedia (acquisitions)
– Google dorks, recon-ng, altdns, etc.
• jhaddix/domain (enumall)
• ChrisTruncer/EyeWitness
– Researchers’ Blogs
– And many more we can’t fit into this
talk!
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Meme Generator)

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
A GOOD REPORT

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
FINAL TIPS

Consider the business impact!
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Know Your Meme)

Remember what it’s all about.
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (BBC)

Case Study: Instructure
2013 (Pentest) 2014 (Bug Bounty) 2015 (Bug Bounty)
Critical 0 0 0
High 1 25 3
Medium 1 8 2
Low 2 16 5
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Instructure)

AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (Stack Exchange)

Thanks!
Grant McCracken
grant@bugcrowd.com
Daniel Trauner
dan@bugcrowd.com
AppSecUSA 2016 If You Can't Beat 'Em Join 'Em
Source (xkcd)

Mais conteúdo relacionado

Destaque

Crossing Origins by Crossing Formats

internot

Build or Buy: The Barracuda Bug Bounty Story [Webinar]

bugcrowd

Bug Bounty Tipping Point: Strength in Numbers

bugcrowd

Key Takeaways from Instructure's Successful Bug Bounty Program

bugcrowd

If You Can't Beat 'Em, Join 'Em

bugcrowd

You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs. Talk originally given at AppSecUSA 2016 | October 13, 2016

AppSecUSA 2016: 'Your License for Bug Hunting Season'

bugcrowd

Breaking AngularJS Javascript sandbox

Mathias Karlsson

Bug Bounty - Hackers Job

Arbin Godar

SQL Injection INSERT ON DUPLICATE KEY trick

Mathias Karlsson

Writing vuln reports that maximize payouts - Nullcon 2016

bugcrowd

Polyglot payloads in practice by avlidienbrunn at HackPra

Mathias Karlsson

How to run a kick ass bug bounty program - Node Summit 2013

bugcrowd

View this ondemand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar About the content: Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this recorded webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world. After viewing this presentation and ondemand webinar you will: 1. Learn if a bug bounty program is right for your organization 2. Understand if a bug bounty encourages hackers to attack your systems 3. Explore the real benefits of bug bounty programs – and find out if they actually work 4. Get insight on whether these programs are too hard and costly to manage

7 Bug Bounty Myths, BUSTED

bugcrowd

Bug Bounty Secrets

n|u - The Open Security Community

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

bugcrowd

Bug Bounty for - Beginners

Himanshu Kumar Das

Bug Bounty 101

Shahee Mirza

Bug Bounty Hunter Methodology - Nullcon 2016

bugcrowd

Synack cirtical infrasructure webinar

Synack

Destaque (19)

Crossing Origins by Crossing Formats

Build or Buy: The Barracuda Bug Bounty Story [Webinar]

Bug Bounty Tipping Point: Strength in Numbers

Key Takeaways from Instructure's Successful Bug Bounty Program

If You Can't Beat 'Em, Join 'Em

AppSecUSA 2016: 'Your License for Bug Hunting Season'

Breaking AngularJS Javascript sandbox

Bug Bounty - Hackers Job

SQL Injection INSERT ON DUPLICATE KEY trick

Writing vuln reports that maximize payouts - Nullcon 2016

Polyglot payloads in practice by avlidienbrunn at HackPra

How to run a kick ass bug bounty program - Node Summit 2013

7 Bug Bounty Myths, BUSTED

Bug Bounty Secrets

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

Bug Bounty for - Beginners

Bug Bounty 101

Bug Bounty Hunter Methodology - Nullcon 2016

Synack cirtical infrasructure webinar

Semelhante a If You Can't Beat 'Em, Join 'Em (AppSecUSA)

DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca

DevSecCon

The One-Shot Product by Microsoft Product Leader

Product School

(as presented at Codemotion Rome 2016) This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive

New Era of Software with modern Application Security v1.0

Dinis Cruz

Anti-patterns

Return on Intelligence

apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...

apidays

A Webinar on Risk Analysis and Management, Exploratory Testing, and Technical Testing. I want to get across the model that I have for risks, which is that risks are “beliefs” and a result of our beliefs. We believe some things will go wrong more than others. And because our beliefs are limited but the range of risks is not, we need to somehow go beyond our beliefs and look at tools and processes for doing that. Also we know that risk is important for testing. What I want to do in this talk is present risk as the underpinning and driving force behind everything we do in testing. You can use risk to justify the stuff that you do as a tester. And you can use risk to derive your test scope as well as your test process.

Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...

Alan Richardson

Growth Hacking Conference '17 - Antwerp

Thibault Imbert

Researchers generally see quantitative methods as very different to qualitative methods. However with modern analytics and the advent of ‘big data’ our insight approaches are undergoing a shift. The numbers of data points and activity measured in a typical digital product is growing, providing increasingly rich and complete sets of insightful data. This gives us the information we need to understand what people are doing and more importantly, why they are doing it. However researchers are not typically asked to get involved with the design of analytics measures. Digital teams are lacking skills on how to extract qualitative meaning from analytics, opting for traditional qualitative research approaches that are not fully integrated with their existing user-base. We took the challenge on and built our first Big Data System bringing Quant and Qual together.

Quant Equals Qual

Lola Oyelayo

Love Can't Wait! Optimizing PageLoad Time of SPAs at Zoosk [FutureStack16]

New Relic

Social Media Monitoring (a quick overview).

Hugo Zaragoza

Web Application Security And Getting Into Bug Bounties

kunwaratul hax0r

Congratulations, your data is up and running in a graph database! This is the first step of many to unlocking the potential in your data. It’s easy to get mired in the complexities of graph technology and forget that real users, mere mortals, will need to use this information to inform mission critical tasks. To get the value out of your graph investment, you’ll need to provide an experience that enables users to explore and visualize your graph data in meaningful ways. In this talk we’ll take a hands on approach to applying user-centered strategies and leveraging the latest UI tools to rapidly create great experiences with graph data. Topics will include: Tailoring experiences to the intended audience and data Interacting with complex data shouldn’t be complicated for users. The key is to understand your users and build a solution that targets them. Zeroing in on user goals and creating a solution that targets them in a fast, lightweight and iterative way Using live data and rapid prototyping to inform your navigation, visualization selections and overall design Determining the the right visualization for the job Just because you can display almost anything doesn’t mean you should. Choosing the right visualizations to achieve specific goals is a key factor in unlocking the usefulness of graph. We’ll demonstrate how to match the right visualization against user needs. When is it appropriate to break out of the standard node view and visualize graph data in another context like a geospatial map? How do I determine the dominant dimensions to filter a node chart? What is the simplest, most efficient way to traverse time with large data sets? Do I need to visually expose the graph at all? Cutting through the clutter on choosing the right visualization tools Once you’ve got your goals set, how do you make it happen? Will it perform at scale? We’ll demonstrate example use cases with sample graph data and some of these tools to highlight practical uses.

DataStax | Meaningful User Experience with Graph Data (Chris Lacava, Expero) ...

DataStax

World Future Society 2015 Professional Members Forum

Wendy Schultz

Java one2016 con3054-watsonap-is

sandhya kapoor

Sandhya Kapoor, Senior Software Engineer, IBM @sandhyakapoor9 Frank Greco, Chairman, NYJavaSIG @frankgreco The more we interact with “smart apps,” the more we hear the word cognitive being thrown around. But what does it actually imply? What is a cognitive application? Can you make your app cognitive? This session covers what these buzzwords mean and how to enhance your application with Watson APIs. The presenters build an application from scratch, using the Watson Java SDK, and discuss how to integrate Watson into your existing application.

Building Cognitive Applications with Watson APIs

Dev_Events

Java one2016 con3054-watsonap-is

sandhya kapoor

The agile manifesto says directly that "We are uncovering better ways of developing software by doing it and helping others do it." If this continual improvement is true, what new topics are currently being discussed and talked about at agile conferences? What are teams across the world struggling and experimenting with? What topics are the most heated? In this session, I'll give an overview of some of the new and hot agile topics.

Trends in Agile Software

Steve Rogalsky

Data Aggregation, Curation and analytics for security and situational awareness

DataWorks Summit/Hadoop Summit

Meaningful User Experience

Neo4j

Was invited to share with the SMU Masters of IT in Business students on (i) how I got to my current position as a data scientist and (ii) what I do in my current position. Includes suggested areas to focus on (e.g., distributed systems and processing) and how to gain more experience (e.g., volunteering). I also go through the problems that we solve at Lazada using machine learning and a high level architecture of how we do it.

Sharing about my data science journey and what I do at Lazada

Eugene Yan Ziyou

Semelhante a If You Can't Beat 'Em, Join 'Em (AppSecUSA) (20)

DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca

The One-Shot Product by Microsoft Product Leader

New Era of Software with modern Application Security v1.0

Anti-patterns

apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...

Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...

Growth Hacking Conference '17 - Antwerp

Quant Equals Qual

Love Can't Wait! Optimizing PageLoad Time of SPAs at Zoosk [FutureStack16]

Social Media Monitoring (a quick overview).

Web Application Security And Getting Into Bug Bounties

DataStax | Meaningful User Experience with Graph Data (Chris Lacava, Expero) ...

World Future Society 2015 Professional Members Forum

Java one2016 con3054-watsonap-is

Building Cognitive Applications with Watson APIs

Java one2016 con3054-watsonap-is

Trends in Agile Software

Data Aggregation, Curation and analytics for security and situational awareness

Meaningful User Experience

Sharing about my data science journey and what I do at Lazada

Mais de bugcrowd

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

bugcrowd

Ekoparty 2017 - The Bug Hunter's Methodology

bugcrowd

3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program

bugcrowd

Zephyr Health, a quickly growing company harnessing the power of global healthcare data, has spent the last year augmenting its’ product security efforts. With Bugcrowd’s help, they have transformed their development and overarching culture to prioritize security. Bugcrowd joins Zephyr Health’s CISO, Kim Green, to hear about how she came to understand and implement crowdsourced security testing within the organization.

Revitalizing Product Securtiy at Zephyr Health

bugcrowd

Kymberlee Price's Presentation from Black Hat 2015 In this presentation, Kymberlee discusses several highly critical vulnerabilities that have been uncovered through a variety of bug bounty programs and their impact on the customers. With participation from researchers and vendors, attendees will not only see some sweet vulnerabilities broken down, but also why wading through another submission from @CluelessSec might be worth it.

HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs

bugcrowd

How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV

bugcrowd

WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties. Follow Jason on Twitter: http://twitter.com/jhaddix Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

bugcrowd

4 Reasons to Crowdsource Your Pen Test

bugcrowd

Mobile Application Security Threats through the Eyes of the Attacker

bugcrowd

5 Tips to Successfully Running a Bug Bounty Program

bugcrowd

[Webinar] The Art & Value of Bug Bounty Programs

bugcrowd

Mais de bugcrowd (11)

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Ekoparty 2017 - The Bug Hunter's Methodology

3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program

Revitalizing Product Securtiy at Zephyr Health

HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs

How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

4 Reasons to Crowdsource Your Pen Test

Mobile Application Security Threats through the Eyes of the Attacker

5 Tips to Successfully Running a Bug Bounty Program

[Webinar] The Art & Value of Bug Bounty Programs

Último

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Exploring Multimodal Embeddings with Milvus

Zilliz

When you’re building (micro)services, you have lots of framework options. Spring Boot is no doubt a popular choice. But there’s more! Take Quarkus, a framework that’s considered the rising star for Kubernetes-native Java. It always depends on what's best for your situation, but how to choose the best solution if you're comparing 2 frameworks? Both Spring Boot and Quarkus have their positives and negatives. Let us compare the two by live coding a couple of common use cases in Spring Boot and Quarkus. After this talk, you’ll be ready to get started with Quarkus yourself, and know when to select Quarkus or Spring Boot.

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Jago de Vreede

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

If You Can't Beat 'Em, Join 'Em (AppSecUSA)

1. If You Can’t Beat ‘Em Join ‘Em: Practical Tips for Running a Successful Bug Bounty Program Grant McCracken and Daniel Trauner AppSecUSA 2016

2. Grant AppSecUSA 2016 If You Can't Beat 'Em Join 'Em • Solutions Architect @Bugcrowd – Formerly an AppSec Engineer • Before that, WhiteHat • Traveling, music, stuff.

3. Dan • Senior AppSec Engineer @Bugcrowd • Before that, Software Security @HP – Static analysis – lots of languages – Focused on Apple iOS • Art history and collecting AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

4. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em BUG BOUNTY PROGRAMS

5. Source (Flickr)

6. Netscape “Bugs Bounty” AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

7. An (Abbreviated) History of Bug Bounties Since 1995 AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

8. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em WHY?

9. Do you really want to let people attack you? AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Hyperbole and a Half)

10. Yes! (They’re doing it anyways…) AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Hyperbole and a Half)

11. You vs. and Them AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

12. Who are these people? • All ages • All levels of experience • All over the world • Users and and non-users • Passionate about security! AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

13. The Value of Crowdsourced Testing Formal Methodologies The Crowd’s Creativity AppSecUSA 2016 If You Can't Beat 'Em Join 'Em 03

14. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em HOW?

15. Overview Pre-Launch • Scope • Focus • Exclusions • Environment • Access Post-Launch • Managing Expectations • Communicating Effectively • Defining a Vulnerability Rating Taxonomy AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

16. But you never mentioned paying rewards! AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

17. “Touch the code, pay the bug.” AppSecUSA 2016 If You Can't Beat 'Em Join 'Em !

18. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em PRE-LAUNCH

19. …but first, Step 0 AppSecUSA 2016 If You Can't Beat 'Em Join 'Em • Basic resources and requirements – A full-time resource – Escalation policies – Organization-wide awareness Find all of the dank memes for your slides

20. Scope • Scope defines the researcher’s universe – Leave nothing open to interpretation – Understand your attack surface – Recognize the path of least resistance AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Flickr)

21. Focus • You might care about specific: – Targets – Vulnerability Types – Functionality (e.g. payment processing) • How? – Incentives AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (xkcd)

22. Exclusions • You might not care about: – (Low-impact) “low hanging fruit” – Intended functionality – Known issues – Accepted risks – Issues based on pivoting AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Meme Generator)

23. Environment • Production vs. staging • Make sure it can stand up to testing! – Scanners – Contact forms – Pentesting requests • Special bounty types • Researcher environments AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Twitter @PokemonGoApp)

24. This is what a shared environment looks like… AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

25. Access • Easier = better • Provide adequate resources for success – E.g. sandbox credit cards • No shared credentials AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Demotivation)

26. Remember… AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

27. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em POST-LAUNCH

28. Manage Expectations AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Jane Donald)

29. Manage Expectations AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (SoJo 104.9)

30. Communication is Key • Researchers like: – Concise, unambiguous responses • ESL – Short response time – Predictable reward time • Stay on top of these issues! • Public disclosure? AppSecUSA 2016 If You Can't Beat 'Em Join 'Em 🔑

31. Coordinated Disclosure AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Stefano Vettorazzi)

32. Define a Vulnerability Rating Taxonomy (VRT) • For program owners: – Speeds up triage process – Track your organization’s security posture – Arrive at a reward amount more quickly • For researchers: – Focus on high-value bugs – Avoid wasting time on non-rewardable bugs – Alongside brief, helps build trust AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

33. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em THINK LIKE A RESEARCHER

34. The Regular Methodologies AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (OWASP)Source (Amazon)

35. The Bughunter’s Methodology • Identify roads less traveled – Acquisitions (define the rules) – Functionality changes or redesigns – Mobile websites or apps • Think like a researcher – Wikipedia (acquisitions) – Google dorks, recon-ng, altdns, etc. • jhaddix/domain (enumall) • ChrisTruncer/EyeWitness – Researchers’ Blogs – And many more we can’t fit into this talk! AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Meme Generator)

36. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em A GOOD REPORT

37. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em

38. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em FINAL TIPS

39. Consider the business impact! AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Know Your Meme)

40. Remember what it’s all about. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (BBC)

41. Case Study: Instructure 2013 (Pentest) 2014 (Bug Bounty) 2015 (Bug Bounty) Critical 0 0 0 High 1 25 3 Medium 1 8 2 Low 2 16 5 AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Instructure)

42. AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (Stack Exchange)

43. Thanks! Grant McCracken grant@bugcrowd.com Daniel Trauner dan@bugcrowd.com AppSecUSA 2016 If You Can't Beat 'Em Join 'Em Source (xkcd)

Notas do Editor

We own the rights to this image
We own the rights to this image
We own the rights to this image
The author allows use of her work with correct attribution (see https://hyperboleandahalf.blogspot.com/p/faq_10.html)
The author allows use of her work with correct attribution (see https://hyperboleandahalf.blogspot.com/p/faq_10.html)
Unsplash (CC0)
“Clip Art Panda” site explicitly says you can use this(free) image.
- Acknowledge the comic before moving on
Unsplash (CC0)
Unsplash (CC0)
- don’t underestimate pre-launch stuff here
Part of Unicode
(George carlin slide used to be here) - we’d tell program owners and researchers the same stuff

If You Can't Beat 'Em, Join 'Em (AppSecUSA)

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (19)

Semelhante a If You Can't Beat 'Em, Join 'Em (AppSecUSA)

Semelhante a If You Can't Beat 'Em, Join 'Em (AppSecUSA) (20)

Mais de bugcrowd

Mais de bugcrowd (11)

Último

Último (20)

If You Can't Beat 'Em, Join 'Em (AppSecUSA)

Notas do Editor