Innovation Sandbox 2015: Bugcrowd

•

0 gostou•125 visualizações

Bugcrowd’s Crowdcontrol management platform centralizes communication and submission triage between companies and security researchers around the world, letting them review, validate and reward researchers in a timely and organized fashion. Crowdcontrol streamlines the submissions in one place, and allows multiple analysts to easily mark and track statuses on its secure platform. https://www.rsaconference.com/industry-topics/video/innovation-sandbox-2015-bugcrowd

Tecnologia

© 2015 RSA Conference. All rights reserved.
The defender’s dilemma is real
2
• Hacked
• Stolen
credentials
• Hacked
• Vulnerable web
app
• Hacked
• Vulnerable web
app
• Hacked
• Leaked
credentials
• Hacked
• 80M Stolen SS

© 2015 RSA Conference. All rights reserved.
The Solution
• Large tech created bug bounties to level the playing field.
• Bugcrowd brings crowdsourced security to everyone else.
3
v1 v2

© 2015 RSA Conference. All rights reserved.
Crowdcontrol Platform
4
• The Crowdcontrol platform delivers enterprise grade
communication and control between your team and
security researchers

© 2015 RSA Conference. All rights reserved.
Does it work?
“Bugcrowd’s testers dig deeper in their testing
than any testing previously done (either vendor
provided or internally performed). ”
David Levin, Director of Information Security at Western Union
5

© 2015 RSA Conference. All rights reserved.
Researcher Adoption
6
33,128 Valid
Submissions
726 P3 or
Higher
Security
Vulns
211
Unknown
P1’s
$506,215.02
Paid Out
Top Payout:
$10,000

© 2015 RSA Conference. All rights reserved.
Enterprise Ready Bugcrowd
7
• One platform
• 16,000
researchers
• Three offeringsFlex Flex Continuous Traditional
Crowdcontrol Platform

© 2015 RSA Conference. All rights reserved.
Core Team
8
Casey Ellis
Founder and CEO
15+ years in infosec
Former CSO Scriptrock
Chris Raethke
Founder and CTO
Sold Rightcrowd to SAP
Former Army Engineer
Jonathan Cran
VP Operations
Built Metasploit QA
program
Former CTO Pwnie Express
Brooke Motta
VP Sales
Took Rapid7 from
$0 to $50M ARR
Chris Tilton
VP Marketing
17+ years in Infosec
Previously: WhiteHat,
Veracode, SPI Dynamics

© 2015 RSA Conference. All rights reserved.
These brands (and others) trust Bugcrowd

© 2015 RSA Conference. All rights reserved.
Questions?
@caseyjohnellis
https://bugcrowd.com
casey@bugcrowd.com
10

Mais conteúdo relacionado

Mais de Casey Ellis

KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...

Casey Ellis

TechCrunch Early Stage 2020 - How to prioritize security at your startup

Casey Ellis

Of all the problems the internet has, there seems to be one that rules them all: It doesn’t understand how to work with it’s immune system. In this talk I’ll run through the past/present/future of the vulnerability disclosure, and give a run-through of disclose.io: an open-source and vendor-agnostic initiative to make conversations between builders and breakers safe, standardized, and simple. I’ll close with a Call To Action for all participants with simple ways to help and get involved.

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

Casey Ellis

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Casey Ellis

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Casey Ellis

Full Disclosure Debate - NBT 5

Casey Ellis

KEYNOTE: The Unlikely Romance: Part 2 - What Now?

Casey Ellis

Our 2016 State of Bug Bounty Report announced that bug bounty programs adoption has increased 210% since 2013. As more and more companies leverage the capabilities of the global researcher community to identify critical vulnerabilities, we must ask...has the bug bounty economy reached a tipping point? Join Bugcrowd as we unpack the top trends in crowdsourced cybersecurity and review the key findings from The State of Bug Bounty Report 2016. Webinar: https://www.brighttalk.com/webcast/14415/221275/the-bug-bounty-tipping-point-strength-in-numbers

Webinar kym-casey-bug bounty tipping point webcast - po edits

Casey Ellis

Exploring the dynamics and relationship between the hacker community and the engineering coalface. Today’s cybersecurity battle is not a fair fight. The attackers — growing in numbers and sophistication — have overwhelmed the comparatively small pool of defenders. Add an engineering team that’s economically incentivized to ignore security, and you’re off to a bad start. This talk is story of what happens to engineers the first time some random kid 8,000 miles away hacks their stuff as a part of their bug bounty. It’s about its outsourcing the creation of the “oh shit” moment, and seeing your engineering team become a blue team. Why is this about pairing engineering teams with hackers specifically? Because it addresses a marked gap: people who build things for a living paired with people who break things for a living.

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

Casey Ellis

Tweet Share You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs. Video: https://www.youtube.com/watch?v=ziUUyA0-zwg

AppSecUSA - Your License for Bug Hunting Season

Casey Ellis

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Casey Ellis

Introducing Bugcrowd

Casey Ellis

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

Casey Ellis

Our current approach to security assessment is inherently flawed; automation tools only find what they are programmed to find and penetration testing is extremely limited. Bug bounties build upon and improve upon these existing application security testing tools by harnessing the human creativity of the whitehat researcher community with a pay-for-results rewards model. As a cyber security veteran, Casey will analyze the evolution of the application security industry over the past several years and address why the existing tools and practices are falling short. With data from hundreds of bug bounty programs, he will also show how bug bounties are bridging the gap between companies who need to find security flaws before they’re exploited, and the hackers at the table ready to help. https://2017.conference.auscert.org.au/speaker/casey-ellis/

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Casey Ellis

The current state of the industry and “what happens next” is keeping security practitioners up at night. The interaction between companies and security researchers is a fragile equation: can they like each other or should they hate each other? Or both? Questions around this love/hate relationship, and its future abound, include: If we like each other, what are our groups’ strengths and weaknesses? How can this newly formulated partnership be celebrated? Controlled? Secured? When the honeymoon period is over, what happens if things go wrong? Can potential issues be predicted before we agree to partner together? How is trust established: Have we asked the right questions? How do we build long term rapport and respect? What regulations or legislation, if any, do we need to learn and follow? One misstep in a bug bounty program could shut down this harmonious “marriage,” but at the same time, more and more companies are taking on this perceived risk given that they’re seeing this new way of doing things is necessary and inevitable. Arming companies with more ammunition is necessary to defeat their attackers. If we make it through this fragile security landscape, what will that future look like? Our current approach to security assessment is inherently flawed. In this talk, Casey will examine how we got here, and how the "unlikely romance" between whitehats and enterprise organizations is changing everything.

Enigma 2018 - Combining the Power of Builders and Breakers

Casey Ellis

Security practitioners know that the threats that face an organization are always active, and that while defenders need to get everything right, a good attacker only needs to get one thing right. That’s all well and good for security practitioners, but what about the rest of the company? How do you transform security from a rather inconvenient checklist, to a nascent awareness of the threat? How do you get those responsible for providing your attack surface to ‘actually care about whether it’s secure or not?

Welcome to the blue team! How building a better hacker accidentally built a b...

Casey Ellis

Mais de Casey Ellis (16)

KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized B...

TechCrunch Early Stage 2020 - How to prioritize security at your startup

GRIMMCon: disclose.io - Taking the Internet's Immune System to the Next Level

KEYNOTE ComfyconAU 2020: disclose.io Vulnerability disclosure and Safe Harbor...

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Full Disclosure Debate - NBT 5

KEYNOTE: The Unlikely Romance: Part 2 - What Now?

Webinar kym-casey-bug bounty tipping point webcast - po edits

NodeSummit 2016 - WELCOME TO THE BLUE TEAM! CREATING “OH SHIT” MOMENTS FOR FU...

AppSecUSA - Your License for Bug Hunting Season

ISSA CISO Summit 2017 - AN UNLIKELY ROMANCE THE CURRENT STATE OF BUG BOUNTIES

Introducing Bugcrowd

MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...

AusCERT 2016 - An Unlikely Romance: The Current State of Bug Bounties

Enigma 2018 - Combining the Power of Builders and Breakers

Welcome to the blue team! How building a better hacker accidentally built a b...

Último

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Real Time Object Detection Using Open CV

Khem

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Innovation Sandbox 2015: Bugcrowd

1. Casey Ellis Founder and CEO Bugcrowd

2. © 2015 RSA Conference. All rights reserved. The defender’s dilemma is real 2 • Hacked • Stolen credentials • Hacked • Vulnerable web app • Hacked • Vulnerable web app • Hacked • Leaked credentials • Hacked • 80M Stolen SS

5. © 2015 RSA Conference. All rights reserved. Does it work? “Bugcrowd’s testers dig deeper in their testing than any testing previously done (either vendor provided or internally performed). ” David Levin, Director of Information Security at Western Union 5

8. © 2015 RSA Conference. All rights reserved. Core Team 8 Casey Ellis Founder and CEO 15+ years in infosec Former CSO Scriptrock Chris Raethke Founder and CTO Sold Rightcrowd to SAP Former Army Engineer Jonathan Cran VP Operations Built Metasploit QA program Former CTO Pwnie Express Brooke Motta VP Sales Took Rapid7 from $0 to $50M ARR Chris Tilton VP Marketing 17+ years in Infosec Previously: WhiteHat, Veracode, SPI Dynamics

Innovation Sandbox 2015: Bugcrowd

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Casey Ellis

Mais de Casey Ellis (16)

Último

Último (20)

Innovation Sandbox 2015: Bugcrowd