SlideShare uma empresa Scribd logo

CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated

eightbit
eightbit

CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated

Tecnologia
1 de 64
Baixar para ler offline
Rumours of our Demise Have Been Greatly Exaggerated Michael Gianarakis Julian Berton
Obligatory Introduction Slide Michael Gianarakis @mgianarakis Director of SpiderLabs, Asia-Pacific & Japan SecTalks Brisbane Have also spoken at the “equally as good” WAHCKon hacking conference (❤ Nanomebia) Flat Duck Justice Warrior 🦆 Julian Berton @julianberton Application Security Engineer at SEEK OWASP Melbourne Chapter Lead Web developer in a previous life Climber of rocks butters
Why This Presentation? • There is a fair bit of hype surrounding crowdsourced security testing and the result-oriented economic model • Many have claimed that “traditional” pentesting is dead and the industry will be “Uberised" as a inevitable future • Most of the discussion on this topic is either from the bug hunters (great) or from the bounty companies themselves (mixed bag) - very few address the point of view of an organisation trying to manage their security • Intends to address the realities of running a bounty and where they fit in an organisation’s security testing framework
Bug Bounties
Bug Bounty Basics • Concept is simple • Providing a mechanism for security researchers to submit a bug in a system or application usually with some incentive (cash or kudos) tied to doing so • Pioneered and established by the likes of Mozilla, Microsoft and Google
Bug Bounty Basics • More recently various startups have entered the space offering to host or manage bug bounties for organisations and offer them to their platform or security testers • Companies such as Bugcrowd, HackerOne, Synack • Refer to them as HaaS (Hacking as a Service) providers in the talk (as opposed to "traditional" pen test providers)
Different Types of Bounties • Public bounties - bounty programs that invite participation from the public • Private bounties - invite only programs • Timed bounties - usually limited to the HaaS companies, a timed bounty is a bounty (typically private) that is only open for a short period of time
Bug bounties are essentially pen testing with a different economic and resource model
That’s what makes them interesting
The Hype
Why you should pay attention • There is a lot hype surrounding bug bounties - primarily driven by the VC funded Silicon Valley marketing departments • Bug bounties and HaaS providers represent some interesting innovation in the security testing space • Can be a great compliment to your appsec program • If you perform security testing you should explore the benefits and tradeoffs
Security Testing Challenges https://www.trustwave.com/Resources/Library/Documents/Australian-Security- Testing-Practices-and-Priorities/
Skills Shortage Tech Team Security Team
Evolving Development Practices Then 3-6 month deploy to prod cycles (think waterfall) One software stack per company (e.g. C#, .NET, SQL Server and IIS Ratio of security people to developers/infrastructure is skewed Now CD/CI, deploy to prod daily (move faster) Agile development practices Developers do everything = devops practices Ratio of security people to developers/infrastructure still skewed
Evolving Development Practices
Evolving Development Practices ~30 times a day
Growing Complexity ~150 different tools, languages, platforms and frameworks
The Crowd-Sourced Future • Bug bounties address the skills shortage via crowd-sourcing • Unlocks access to a vast resource pool - Bugcrowd and HackerOne claim testers in the tens of thousands but in theory the resource pool is potentially much greater than that • Even private/invite-only bounties can give access to a larger and more diverse resource pool than what you might find with traditional in-house or contract testing teams
The Crowd-Sourced Future Tech Team Security Team
The Crowd-Sourced Future • The benefits of the crowd-sourced model are obvious • Scales well - tap into 100s of testers instantly • Diverse skills sets - researchers specialised in certain classes of bugs • Can lead to high quality bugs
The Crowd-Sourced Future https://pages.bugcrowd.com/2016-state-of-bug-bounty-report
The Result-Based Economic Model • Organisations running bug bounty programs pay out based on the successful bug submissions - which represent genuine, validated, non-duplicated vulnerabilities • This flips the switch on how most companies pay for for vulnerabilities • Instead of paying for a resources time (be it in-house or a consultant) to find the vulnerabilities you are paying for the bug itself. • The real innovation of the bug bounty model
The Result-Based Economic Model • The central benefit to this model is that there are less compromises that you have make compared to traditional testing activities • You don’t have to limit yourself to a small number of testers • You don’t have to limit yourself to a set timeframe • You don’t have to limit scope to the same extent
The Reality
Can You Run a Bounty? • Do you have security aware people to manage the program? • What is the security maturity of the systems you want to test? • Do you have the budget and traction to fix security in a timely manner?
Can You Run a Bounty? • How fragile are your systems? • Can testing be performed on production? No? Do you have a publicly available test environment? • Can the production app detect and block attacks if they are affecting customers or degrading service?
SEEK’s Private Timed Bounty • 50 researchers invited and were paid for bugs found. • Testing occurred on production systems. • 3 apps in scope.
The Brief • Overview of company and targets. • Targets - sites that are in scope. • Focus Areas - Draw attention to things you care about. • Out-of-Scope - Areas that are off limits. • Issue Exclusions - Issues you will not reward. • Rewards - What you will reward for issues found.
Submissions 104 issues were reported in total, with 40 being verified issues
Severity 3 High, 7 Medium and 31 Low issues were reported
Issues by Category 97.5% of all issues are categorised in the OWASP Top 10
About the Researchers 50 researchers were invited, 15 submitted and 12 were valid
About the Researchers 12 researchers who submitted valid issues came from
Reward Distribution
Reward Distribution
Traffic
SEEK’s Private Ongoing Bounty • Ongoing, private, managed program (started November 2016). • 50 researchers invited initially. • Testing occurs on production systems. • 3 apps in scope + 2 mobile apps.
Submission Timeline
Severity
Risk Mitigation Risk Mitigation A researcher could perform testing that brings down or disrupts production (if testing on production systems). • Program brief state's Denial of Service on any in scope targets. • Ban researcher from program. They will stop as they will not get paid and get negative points on the HaaS. • If you have the ability (e.g. a WAF) you can block the IP address that is causing the issues. • Use a testing environment for the bug bounty program.
Risk Mitigation Risk Mitigation A researcher could interact with real customers and steal real customer data. • The brief states not to interact with real customers. Ban researcher from program. • Existing security controls will prevent most customers being affected. • Parts of the site that are too hard to test without interacting with customers are taken out of scope.
Risk Mitigation Risk Mitigation A researcher could exploit a vulnerability and steal sensitive data. • In the brief it states issues should be reported immediately and sensitive data must not be exfiltrated. • Bonuses are rewarded for getting access to sensitive data and systems, incentivising them to report the issue quickly.
Risk Mitigation Risk Mitigation A researcher could publicly disclose an issue during or after the program. • They will not receive a reward, will be banned from the program and their reputation score will suffer. • Ensure that the business is capable and ready to fix reported issues (especially the high issues) as quickly as possible. So that the risk is minimised if it did go public.
Lessons Learnt - Managing the Crowd
Lessons Learnt - Managing the Crowd
Lessons Learnt - Managing the Crowd
Lessons Learnt - Managing the Crowd
Lessons Learnt • Limited control over researcher's actions. • Unsure if attacks were coming from a real hacker or a researcher. • Keep the program brief as simple as possible. • Reward bonuses to focus testing on certain applications or issue types. • Respond to researchers in a reasonable time frame. Even for invalid issues. • Testers will eventually trigger operational alerts (Prod testing only).
Revisiting the Economics • The result-based economic model can be more flexible but it’s not automatically cost-effective • Marketing from the HaaS providers like to compare bug bounties to point-in-time penetration tests but it’s not a worthwhile comparison - the model is too different • The common price-per-bug measure is a trap
Revisiting the Economics • Given that bounties are ongoing and longer term when modelling the economics of running a program you should use something more akin to Total Cost of Ownership analysis • Commonly overlooked elements when performing the economic analysis: • Management fees (if using a HaaS provider) • Internal management of the program (even if using a HaaS provider) • Increased load on production equipment and processes • Downtime, outage or failure expenses • Diminished performance (i.e. opportunity cost if site is slow or down)
Revisiting the Economics • Managing the incentives are also not straightforward • Have to account for the variability of the payout - the cost is driven by the results (more results = more cost) • You are competing with other bounty providers for resources - in a way you become a vendor to the testers • Payout size directly influences the quality of the testers and the submissions - in “traditional” pen-testing you might pay more for low-end bugs but you typically pay less for high-end bugs
Compliance - The Elephant In the Room • Compliance artificially creates economic incentive to perform testing and drives most of the industry. • Can be internal (internal audit, policy etc.) or external (PCI, CBEST etc.) • This is why most of us have jobs.
Compliance Testing • Compliance testing is based around assurance and verification • Determine that a level of control has been established and maintained • This is why the "checklist approach" is so prevalent in compliance based testing and why every QSA asks to see your methodology.
Compliance Testing • The incentives in the results-based model don't incentivise testers for compliance testing. • Compliance testing is about verification - even if everything is fine or likely to be fine you still need to verify and more importantly evidence compliance with the control objectives. • For a bug hunter spending time verifying controls for a company has no ROI vs. chasing the bug. • Only way to get around them is to pay them for the verification activities - but then you are back to "traditional" testing.
Liability • One of the big hurdles to overcome with this approach for most companies is managing liability. • Most large organisations have a risk management team and a vendor management team. Bug bounties typically don't make it past there on liability grounds. • There is a level of risk tolerance required at the moment
Liability • Even when using a HaaS where does the liability sit if there is an issue caused by a tester? • The standard legal protections (e.g. MSAs, NDAs) do not extend to anonymous testers • Enforcing action against anonymous users, cross jurisdiction is probably not possible • Liability extends to amount of management contract not the payouts and contracts for most HaaS providers governed by US law
Liability • There is still a lot of unanswered questions and ground to cover in this area before more “traditional” organisations get on board. • The HaaS providers are likely to evolve to meet this problem as they try to target organisations outside generally progressive tech companies • Will be interesting to see how this develops.
Bottom Line
Should I run a bug bounty?
Maybe
There is no silver bullet in information security I feel like we’ve been over this before…..
Key Takeaways • Bug bounties are just one tool that can be used to manage your security risk. Training Inception Development Deployment Monitoring Web security training program for tech teams. Security awareness and improve security culture (i.e. Brown bags, email updates, etc). Review system design for security weaknesses. Develop attack scenarios for high risk projects. Add security specific tests into test suite. Adopt security standards and security release plans. Automate security scanning tools into build pipeline. Automatically scan infrastructure and code for outdated and vulnerable components. Perform manual security testing for complex or high value components. Implement a continuous testing program (e.g. A bug bounty program).
Key Takeaways • Bug bounties have a lot of inherent benefits but there are a number of considerations that need to be understood and accounted for • Always evaluate against your requirements • Don’t just blindly follow a HaaS or a pen test provider or any other vendor for that matter - do your homework
Questions? Michael Gianarakis @mgianarakis au.linkedin.com/in/michaelgianarakis meetup.com/sectalks-brisbane eightbit.io Julian Berton @julianberton au.linkedin.com/in/julianberton meetup.com/Application-Security-OWASP-Melbourne bertonjulian.github.io NOOBZneedLOVtoo 💕 clamparty ducksec 🦆

Recomendados

Derek Wright: risk v uncertainty case study
Derek Wright: risk v uncertainty case studyDerek Wright: risk v uncertainty case study
Derek Wright: risk v uncertainty case study
Association for Project Management
 
Test environment management anti patterns
Test environment management anti patterns Test environment management anti patterns
Test environment management anti patterns
Niall Crawford
 
From Defect Reporting To Defect Prevention
From Defect Reporting To Defect PreventionFrom Defect Reporting To Defect Prevention
From Defect Reporting To Defect Prevention
Sune Gynthersen
 
Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?
Skybox Security
 
Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?
Skybox Security
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
Argyle Executive Forum
 
Test Environment Management: A Critical Requirement for Effective CI/CD
Test Environment Management: A Critical Requirement for Effective CI/CDTest Environment Management: A Critical Requirement for Effective CI/CD
Test Environment Management: A Critical Requirement for Effective CI/CD
DevOps.com
 
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
TEST Huddle
 

Recomendados

Derek Wright: risk v uncertainty case study
Derek Wright: risk v uncertainty case studyDerek Wright: risk v uncertainty case study
Derek Wright: risk v uncertainty case study
Association for Project Management
 
Test environment management anti patterns
Test environment management anti patterns Test environment management anti patterns
Test environment management anti patterns
Niall Crawford
 
From Defect Reporting To Defect Prevention
From Defect Reporting To Defect PreventionFrom Defect Reporting To Defect Prevention
From Defect Reporting To Defect Prevention
Sune Gynthersen
 
Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?
Skybox Security
 
Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?
Skybox Security
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
Argyle Executive Forum
 
Test Environment Management: A Critical Requirement for Effective CI/CD
Test Environment Management: A Critical Requirement for Effective CI/CDTest Environment Management: A Critical Requirement for Effective CI/CD
Test Environment Management: A Critical Requirement for Effective CI/CD
DevOps.com
 
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
Peter Zimmerer - Establishing Testing Knowledge and Experience Sharing at Sie...
TEST Huddle
 
Ken Johnston - Big Bugs That Got Away - EuroSTAR 2010
Ken Johnston - Big Bugs That Got Away - EuroSTAR 2010Ken Johnston - Big Bugs That Got Away - EuroSTAR 2010
Ken Johnston - Big Bugs That Got Away - EuroSTAR 2010
TEST Huddle
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
Marcelo Martins
 
E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008
E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008
E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008
Remedy Interactive
 
Application Assessment Metrics
Application Assessment MetricsApplication Assessment Metrics
Application Assessment Metrics
SensePost
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Framework
jpubal
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program
BeyondTrust
 
Risks of Risk-Based Testing
Risks of Risk-Based TestingRisks of Risk-Based Testing
Risks of Risk-Based Testing
rrice2000
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Management
jpubal
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and management
TaekHyeun Kim
 
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
QA or the Highway
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and management
Tanmoy Sinha
 
Metric Free Test Management by Joseph Ours
Metric Free Test Management by Joseph OursMetric Free Test Management by Joseph Ours
Metric Free Test Management by Joseph Ours
QA or the Highway
 
Test beyond the obvious- Root Cause Analysis
Test beyond the obvious- Root Cause AnalysisTest beyond the obvious- Root Cause Analysis
Test beyond the obvious- Root Cause Analysis
PractiTest
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
AlienVault
 
Testing Metrics and why Managers like them
Testing Metrics and why Managers like themTesting Metrics and why Managers like them
Testing Metrics and why Managers like them
PractiTest
 
Risk Management Training
Risk Management TrainingRisk Management Training
Risk Management Training
Quality Improvement Consulting
 
Advanced Defect Management
Advanced Defect ManagementAdvanced Defect Management
Advanced Defect Management
Sabarinath Venugopalan
 
Cmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWCmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEW
shyamuop
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches Webinar
Aviva Spectrum™
 
Defect Triage by Matt Eakin
Defect Triage by Matt EakinDefect Triage by Matt Eakin
Defect Triage by Matt Eakin
QA or the Highway
 
Software Requirement Elicitation Techniques http://www.imran.xyz
Software Requirement Elicitation Techniques http://www.imran.xyzSoftware Requirement Elicitation Techniques http://www.imran.xyz
Software Requirement Elicitation Techniques http://www.imran.xyz
Imran Hussain Khan
 
Ericriesleanstartuppresentationforweb2
Ericriesleanstartuppresentationforweb2Ericriesleanstartuppresentationforweb2
Ericriesleanstartuppresentationforweb2
Edmund FOng
 

Mais conteúdo relacionado

Mais procurados

E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008
E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008
E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008
Remedy Interactive
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
AlienVault
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches Webinar
Aviva Spectrum™
 
Defect Triage by Matt Eakin
Defect Triage by Matt EakinDefect Triage by Matt Eakin
Defect Triage by Matt Eakin
QA or the Highway
 

Mais procurados (20)

Ken Johnston - Big Bugs That Got Away - EuroSTAR 2010
Ken Johnston - Big Bugs That Got Away - EuroSTAR 2010Ken Johnston - Big Bugs That Got Away - EuroSTAR 2010
Ken Johnston - Big Bugs That Got Away - EuroSTAR 2010
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008
E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008
E bay at_the_applied_ergonomics_conference_-_march_2008___mar_01_2008
 
Application Assessment Metrics
Application Assessment MetricsApplication Assessment Metrics
Application Assessment Metrics
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Framework
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program
 
Risks of Risk-Based Testing
Risks of Risk-Based TestingRisks of Risk-Based Testing
Risks of Risk-Based Testing
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Management
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and management
 
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
 
Risk assessment and management
Risk assessment and managementRisk assessment and management
Risk assessment and management
 
Metric Free Test Management by Joseph Ours
Metric Free Test Management by Joseph OursMetric Free Test Management by Joseph Ours
Metric Free Test Management by Joseph Ours
 
Test beyond the obvious- Root Cause Analysis
Test beyond the obvious- Root Cause AnalysisTest beyond the obvious- Root Cause Analysis
Test beyond the obvious- Root Cause Analysis
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
 
Testing Metrics and why Managers like them
Testing Metrics and why Managers like themTesting Metrics and why Managers like them
Testing Metrics and why Managers like them
 
Risk Management Training
Risk Management TrainingRisk Management Training
Risk Management Training
 
Advanced Defect Management
Advanced Defect ManagementAdvanced Defect Management
Advanced Defect Management
 
Cmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWCmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEW
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches Webinar
 
Defect Triage by Matt Eakin
Defect Triage by Matt EakinDefect Triage by Matt Eakin
Defect Triage by Matt Eakin
 

Semelhante a CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated

Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
Final spiralmodel97
Final spiralmodel97Final spiralmodel97
Final spiralmodel97
akshay8835
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Denim Group
 

Semelhante a CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated (20)

Software Requirement Elicitation Techniques http://www.imran.xyz
Software Requirement Elicitation Techniques http://www.imran.xyzSoftware Requirement Elicitation Techniques http://www.imran.xyz
Software Requirement Elicitation Techniques http://www.imran.xyz
 
Ericriesleanstartuppresentationforweb2
Ericriesleanstartuppresentationforweb2Ericriesleanstartuppresentationforweb2
Ericriesleanstartuppresentationforweb2
 
Owasp LA
Owasp LAOwasp LA
Owasp LA
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
! Testing for agile teams
! Testing for agile teams! Testing for agile teams
! Testing for agile teams
 
Final spiralmodel97
Final spiralmodel97Final spiralmodel97
Final spiralmodel97
 
Prototyping
PrototypingPrototyping
Prototyping
 
Fundamentals_of_Software_testing.pptx
Fundamentals_of_Software_testing.pptxFundamentals_of_Software_testing.pptx
Fundamentals_of_Software_testing.pptx
 
Optimizing Dev Portals with Analytics and Feedback
Optimizing Dev Portals with Analytics and FeedbackOptimizing Dev Portals with Analytics and Feedback
Optimizing Dev Portals with Analytics and Feedback
 
Design testabilty
Design testabiltyDesign testabilty
Design testabilty
 
Agile Development And Medtech
Agile Development And MedtechAgile Development And Medtech
Agile Development And Medtech
 
John Fodeh - Spend Wisely, Test Well
John Fodeh - Spend Wisely, Test WellJohn Fodeh - Spend Wisely, Test Well
John Fodeh - Spend Wisely, Test Well
 
Winning Over The Challenges of Implementing BCM in a BPO by Jeremias Astrero,...
Winning Over The Challenges of Implementing BCM in a BPO by Jeremias Astrero,...Winning Over The Challenges of Implementing BCM in a BPO by Jeremias Astrero,...
Winning Over The Challenges of Implementing BCM in a BPO by Jeremias Astrero,...
 
Continuous Delivery and Continuous Agile by Andy Singleton - Agile Maine Day...
Continuous Delivery and Continuous Agile by Andy Singleton - Agile Maine Day...Continuous Delivery and Continuous Agile by Andy Singleton - Agile Maine Day...
Continuous Delivery and Continuous Agile by Andy Singleton - Agile Maine Day...
 
IT Quality Testing and the Defect Management Process
IT Quality Testing and the Defect Management ProcessIT Quality Testing and the Defect Management Process
IT Quality Testing and the Defect Management Process
 
How to Build Winning Products by Microsoft Sr. Product Manager
How to Build Winning Products by Microsoft Sr. Product ManagerHow to Build Winning Products by Microsoft Sr. Product Manager
How to Build Winning Products by Microsoft Sr. Product Manager
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
Requirement Elicitation Techniques/Methods
Requirement Elicitation Techniques/MethodsRequirement Elicitation Techniques/Methods
Requirement Elicitation Techniques/Methods
 
How to build confidence in your release cycle
How to build confidence in your release cycleHow to build confidence in your release cycle
How to build confidence in your release cycle
 
Ncerc rlmca202 adm m1 ssm
Ncerc rlmca202 adm m1 ssmNcerc rlmca202 adm m1 ssm
Ncerc rlmca202 adm m1 ssm
 

Mais de eightbit

Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
eightbit
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
eightbit
 

Mais de eightbit (10)

Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
Hack in the Box GSEC 2016 - Reverse Engineering Swift ApplicationsHack in the Box GSEC 2016 - Reverse Engineering Swift Applications
Hack in the Box GSEC 2016 - Reverse Engineering Swift Applications
 
Rootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift ApplicationsRootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift Applications
 
Wahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash CourseWahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash Course
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash CourseCrikeyCon 2015 - iOS Runtime Hacking Crash Course
CrikeyCon 2015 - iOS Runtime Hacking Crash Course
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Último (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 

CrikeyCon 2017 - Rumours of our Demise Have Been Greatly Exaggerated

  • 1. Rumours of our Demise Have Been Greatly Exaggerated Michael Gianarakis Julian Berton
  • 2. Obligatory Introduction Slide Michael Gianarakis @mgianarakis Director of SpiderLabs, Asia-Pacific & Japan SecTalks Brisbane Have also spoken at the “equally as good” WAHCKon hacking conference (❤ Nanomebia) Flat Duck Justice Warrior 🦆 Julian Berton @julianberton Application Security Engineer at SEEK OWASP Melbourne Chapter Lead Web developer in a previous life Climber of rocks butters
  • 3. Why This Presentation? • There is a fair bit of hype surrounding crowdsourced security testing and the result-oriented economic model • Many have claimed that “traditional” pentesting is dead and the industry will be “Uberised" as a inevitable future • Most of the discussion on this topic is either from the bug hunters (great) or from the bounty companies themselves (mixed bag) - very few address the point of view of an organisation trying to manage their security • Intends to address the realities of running a bounty and where they fit in an organisation’s security testing framework
  • 5. Bug Bounty Basics • Concept is simple • Providing a mechanism for security researchers to submit a bug in a system or application usually with some incentive (cash or kudos) tied to doing so • Pioneered and established by the likes of Mozilla, Microsoft and Google
  • 6. Bug Bounty Basics • More recently various startups have entered the space offering to host or manage bug bounties for organisations and offer them to their platform or security testers • Companies such as Bugcrowd, HackerOne, Synack • Refer to them as HaaS (Hacking as a Service) providers in the talk (as opposed to "traditional" pen test providers)
  • 7. Different Types of Bounties • Public bounties - bounty programs that invite participation from the public • Private bounties - invite only programs • Timed bounties - usually limited to the HaaS companies, a timed bounty is a bounty (typically private) that is only open for a short period of time
  • 8. Bug bounties are essentially pen testing with a different economic and resource model
  • 9. That’s what makes them interesting
  • 11. Why you should pay attention • There is a lot hype surrounding bug bounties - primarily driven by the VC funded Silicon Valley marketing departments • Bug bounties and HaaS providers represent some interesting innovation in the security testing space • Can be a great compliment to your appsec program • If you perform security testing you should explore the benefits and tradeoffs
  • 13. Skills Shortage Tech Team Security Team
  • 14. Evolving Development Practices Then 3-6 month deploy to prod cycles (think waterfall) One software stack per company (e.g. C#, .NET, SQL Server and IIS Ratio of security people to developers/infrastructure is skewed Now CD/CI, deploy to prod daily (move faster) Agile development practices Developers do everything = devops practices Ratio of security people to developers/infrastructure still skewed
  • 17. Growing Complexity ~150 different tools, languages, platforms and frameworks
  • 18. The Crowd-Sourced Future • Bug bounties address the skills shortage via crowd-sourcing • Unlocks access to a vast resource pool - Bugcrowd and HackerOne claim testers in the tens of thousands but in theory the resource pool is potentially much greater than that • Even private/invite-only bounties can give access to a larger and more diverse resource pool than what you might find with traditional in-house or contract testing teams
  • 19. The Crowd-Sourced Future Tech Team Security Team
  • 20. The Crowd-Sourced Future • The benefits of the crowd-sourced model are obvious • Scales well - tap into 100s of testers instantly • Diverse skills sets - researchers specialised in certain classes of bugs • Can lead to high quality bugs
  • 22. The Result-Based Economic Model • Organisations running bug bounty programs pay out based on the successful bug submissions - which represent genuine, validated, non-duplicated vulnerabilities • This flips the switch on how most companies pay for for vulnerabilities • Instead of paying for a resources time (be it in-house or a consultant) to find the vulnerabilities you are paying for the bug itself. • The real innovation of the bug bounty model
  • 23. The Result-Based Economic Model • The central benefit to this model is that there are less compromises that you have make compared to traditional testing activities • You don’t have to limit yourself to a small number of testers • You don’t have to limit yourself to a set timeframe • You don’t have to limit scope to the same extent
  • 25. Can You Run a Bounty? • Do you have security aware people to manage the program? • What is the security maturity of the systems you want to test? • Do you have the budget and traction to fix security in a timely manner?
  • 26. Can You Run a Bounty? • How fragile are your systems? • Can testing be performed on production? No? Do you have a publicly available test environment? • Can the production app detect and block attacks if they are affecting customers or degrading service?
  • 27. SEEK’s Private Timed Bounty • 50 researchers invited and were paid for bugs found. • Testing occurred on production systems. • 3 apps in scope.
  • 28. The Brief • Overview of company and targets. • Targets - sites that are in scope. • Focus Areas - Draw attention to things you care about. • Out-of-Scope - Areas that are off limits. • Issue Exclusions - Issues you will not reward. • Rewards - What you will reward for issues found.
  • 29. Submissions 104 issues were reported in total, with 40 being verified issues
  • 30. Severity 3 High, 7 Medium and 31 Low issues were reported
  • 31. Issues by Category 97.5% of all issues are categorised in the OWASP Top 10
  • 32. About the Researchers 50 researchers were invited, 15 submitted and 12 were valid
  • 33. About the Researchers 12 researchers who submitted valid issues came from
  • 37. SEEK’s Private Ongoing Bounty • Ongoing, private, managed program (started November 2016). • 50 researchers invited initially. • Testing occurs on production systems. • 3 apps in scope + 2 mobile apps.
  • 40. Risk Mitigation Risk Mitigation A researcher could perform testing that brings down or disrupts production (if testing on production systems). • Program brief state's Denial of Service on any in scope targets. • Ban researcher from program. They will stop as they will not get paid and get negative points on the HaaS. • If you have the ability (e.g. a WAF) you can block the IP address that is causing the issues. • Use a testing environment for the bug bounty program.
  • 41. Risk Mitigation Risk Mitigation A researcher could interact with real customers and steal real customer data. • The brief states not to interact with real customers. Ban researcher from program. • Existing security controls will prevent most customers being affected. • Parts of the site that are too hard to test without interacting with customers are taken out of scope.
  • 42. Risk Mitigation Risk Mitigation A researcher could exploit a vulnerability and steal sensitive data. • In the brief it states issues should be reported immediately and sensitive data must not be exfiltrated. • Bonuses are rewarded for getting access to sensitive data and systems, incentivising them to report the issue quickly.
  • 43. Risk Mitigation Risk Mitigation A researcher could publicly disclose an issue during or after the program. • They will not receive a reward, will be banned from the program and their reputation score will suffer. • Ensure that the business is capable and ready to fix reported issues (especially the high issues) as quickly as possible. So that the risk is minimised if it did go public.
  • 44. Lessons Learnt - Managing the Crowd
  • 45. Lessons Learnt - Managing the Crowd
  • 46. Lessons Learnt - Managing the Crowd
  • 47. Lessons Learnt - Managing the Crowd
  • 48. Lessons Learnt • Limited control over researcher's actions. • Unsure if attacks were coming from a real hacker or a researcher. • Keep the program brief as simple as possible. • Reward bonuses to focus testing on certain applications or issue types. • Respond to researchers in a reasonable time frame. Even for invalid issues. • Testers will eventually trigger operational alerts (Prod testing only).
  • 49. Revisiting the Economics • The result-based economic model can be more flexible but it’s not automatically cost-effective • Marketing from the HaaS providers like to compare bug bounties to point-in-time penetration tests but it’s not a worthwhile comparison - the model is too different • The common price-per-bug measure is a trap
  • 50. Revisiting the Economics • Given that bounties are ongoing and longer term when modelling the economics of running a program you should use something more akin to Total Cost of Ownership analysis • Commonly overlooked elements when performing the economic analysis: • Management fees (if using a HaaS provider) • Internal management of the program (even if using a HaaS provider) • Increased load on production equipment and processes • Downtime, outage or failure expenses • Diminished performance (i.e. opportunity cost if site is slow or down)
  • 51. Revisiting the Economics • Managing the incentives are also not straightforward • Have to account for the variability of the payout - the cost is driven by the results (more results = more cost) • You are competing with other bounty providers for resources - in a way you become a vendor to the testers • Payout size directly influences the quality of the testers and the submissions - in “traditional” pen-testing you might pay more for low-end bugs but you typically pay less for high-end bugs
  • 52. Compliance - The Elephant In the Room • Compliance artificially creates economic incentive to perform testing and drives most of the industry. • Can be internal (internal audit, policy etc.) or external (PCI, CBEST etc.) • This is why most of us have jobs.
  • 53. Compliance Testing • Compliance testing is based around assurance and verification • Determine that a level of control has been established and maintained • This is why the "checklist approach" is so prevalent in compliance based testing and why every QSA asks to see your methodology.
  • 54. Compliance Testing • The incentives in the results-based model don't incentivise testers for compliance testing. • Compliance testing is about verification - even if everything is fine or likely to be fine you still need to verify and more importantly evidence compliance with the control objectives. • For a bug hunter spending time verifying controls for a company has no ROI vs. chasing the bug. • Only way to get around them is to pay them for the verification activities - but then you are back to "traditional" testing.
  • 55. Liability • One of the big hurdles to overcome with this approach for most companies is managing liability. • Most large organisations have a risk management team and a vendor management team. Bug bounties typically don't make it past there on liability grounds. • There is a level of risk tolerance required at the moment
  • 56. Liability • Even when using a HaaS where does the liability sit if there is an issue caused by a tester? • The standard legal protections (e.g. MSAs, NDAs) do not extend to anonymous testers • Enforcing action against anonymous users, cross jurisdiction is probably not possible • Liability extends to amount of management contract not the payouts and contracts for most HaaS providers governed by US law
  • 57. Liability • There is still a lot of unanswered questions and ground to cover in this area before more “traditional” organisations get on board. • The HaaS providers are likely to evolve to meet this problem as they try to target organisations outside generally progressive tech companies • Will be interesting to see how this develops.
  • 59. Should I run a bug bounty?
  • 60. Maybe
  • 61. There is no silver bullet in information security I feel like we’ve been over this before…..
  • 62. Key Takeaways • Bug bounties are just one tool that can be used to manage your security risk. Training Inception Development Deployment Monitoring Web security training program for tech teams. Security awareness and improve security culture (i.e. Brown bags, email updates, etc). Review system design for security weaknesses. Develop attack scenarios for high risk projects. Add security specific tests into test suite. Adopt security standards and security release plans. Automate security scanning tools into build pipeline. Automatically scan infrastructure and code for outdated and vulnerable components. Perform manual security testing for complex or high value components. Implement a continuous testing program (e.g. A bug bounty program).
  • 63. Key Takeaways • Bug bounties have a lot of inherent benefits but there are a number of considerations that need to be understood and accounted for • Always evaluate against your requirements • Don’t just blindly follow a HaaS or a pen test provider or any other vendor for that matter - do your homework