8,100 hackers + Your apps = ???

Post on 06-May-2015


description

There's an asymmetry in the way we approach security today. The threat takes the form of lots of hackers, with lots of different skill-sets and diverse motivations, and the majority of them aren't being paid by the hour to attack your stuff. Contrast this with the paid-by-the-hour consultants and in-house resources. It's not that the good guys aren't smart; it's that the model is fundamentally disadvantaged. Crowdsourcing security testing through bug bounty programs engages a crowd of "good guys who think like bad guys" and economically incentivizes them the same way the bad guys are. Casey likes solving problems. He's the Founder and CEO of Bugcrowd, a company which provides a platform to manage bug bounty programs. He's also an Aussie who has difficulty with words that end with "er".

transcript

8,100 hackers + Your apps = ???

SourceCONF Boston 2014

Why are we here?

About me

@caseyjohnellis

JABAH (Just Another Blonde Aussie Hacker)

Recovering pentester turned solution architect turned entrepreneur

Wife and two kids now living in San Francisco

Founder and CEO of Bugcrowd

What’s a bug bounty program?

History

[Chart: y-axis 0 to 500, x-axis 1995 to 2015]

It’s not just about being cheap, or loud…

It’s about levelling the playing field.

Black/gray hat economics

Goal: Exploit the bug and keep it alive
Resources: Many hackers/skill-sets/motivations/time
Incentive: Paid for results

White hat economics

Goal: Find the bug and kill it
Resources: Single sets of eyes
Incentive: Paid for effort

Bug bounty economics

A white hat goal with black/gray market economics and resourcing.

CASE STUDY

Wordpress Sprint Bounty + 5 Plugins

Reward pool: $10,000, 2 weeks elapsed

1st: $2,500
2nd: $1,000
3rd: $500
All others: $250 (or the remainder divided by the number of valid unique bugs, whichever is lower)
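The reward schedule above is a small algorithm rather than a fixed price list: three fixed top-tier rewards, then a flat amount for every other valid unique bug that is capped by whatever is left in the pool. The following calculator is an added example, not code from the talk or from Bugcrowd; it assumes the rules exactly as the slide states them (pool, tiers and cap are parameters, with the slide's figures as defaults) and uses exact fractions so the "remainder divided by n" split does not drift with rounding.

```python
"""Tiered bug-bounty payout calculator (added example).

Rules, taken from the sprint bounty slide:
  * fixed rewards for the 1st, 2nd and 3rd valid unique bugs,
  * every other valid unique bug gets a flat amount OR an equal share of
    what remains in the pool, whichever is lower.
"""
from fractions import Fraction
from typing import List, Tuple

POOL = 10_000                      # reward pool from the slide
TOP_TIERS = [2_500, 1_000, 500]    # 1st, 2nd, 3rd place
OTHERS_CAP = 250                   # "All others: $250 or remainder / n, whichever is lower"


def payouts(n_valid_bugs: int,
            pool: int = POOL,
            top_tiers: List[int] = TOP_TIERS,
            others_cap: int = OTHERS_CAP) -> List[Fraction]:
    """Return the reward for each of the n valid unique bugs, ranked 1..n.

    Fraction keeps the split exact; convert to cents when actually paying.
    """
    if n_valid_bugs < 0:
        raise ValueError("number of bugs cannot be negative")
    # Top tiers are paid in full, but only to bugs that actually exist
    # (a program with two valid bugs has no 3rd-place reward).
    awarded = [Fraction(t) for t in top_tiers[:n_valid_bugs]]
    n_others = n_valid_bugs - len(awarded)
    if n_others == 0:
        return awarded
    remainder = Fraction(pool) - sum(awarded)
    if remainder < 0:
        raise ValueError("pool is smaller than the fixed top tiers")
    # The cap is what makes the pool a hard ceiling: once the number of
    # valid bugs is large enough, each one gets an equal share instead of
    # the flat amount, and the total paid never exceeds the pool.
    per_bug = min(Fraction(others_cap), remainder / n_others)
    return awarded + [per_bug] * n_others


def total_paid(n_valid_bugs: int, **kw) -> Fraction:
    """Total spend for a given number of valid unique bugs."""
    return sum(payouts(n_valid_bugs, **kw), Fraction(0))


def schedule(n_valid_bugs: int, **kw) -> List[Tuple[int, str]]:
    """Human-readable (rank, amount) rows, rounded to cents for display."""
    return [(i + 1, f"${float(a):,.2f}")
            for i, a in enumerate(payouts(n_valid_bugs, **kw))]


if __name__ == "__main__":
    # Constructed bug counts; 67 matches the rewardable-issue count
    # reported later in the deck.
    for n in (2, 10, 67):
        print(f"{n} valid bugs -> total ${float(total_paid(n)):,.2f}")
        for rank, amount in schedule(n)[:4]:
            print(f"  #{rank}: {amount}")
```

With 10 valid bugs the flat $250 applies and only $5,750 of the pool is spent; with 67 the cap kicks in, the 64 non-podium bugs share the remaining $6,000 ($93.75 each) and the program pays out exactly the $10,000 pool. Checking that the total can never exceed the pool for any bug count is the property a program owner wants before publishing a reward table.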

Results:

349 researchers participated.

243 security submissions from 23 countries.

7 unauth’d to full privilege 0-day vulnerabilities.

67 rewardable issues.

$142.86 deduplicated cost per issue.

16 active security researchers in first hour.

8 hours effort in first elapsed hour.

$10,000: 5 days of effort in the first 8 hours of the bounty… across 349 separate sets of eyes.

5 days of effort

VS

“With many eyes all bugs are shallow”

- Linus’ Law

Really?

[Images: GnuTLS goto fail, Heartbleed. Credit: Veracode]

Linus was (a little bit) wrong.

Developer Incentive

Make it work.

Security Incentive

“…but what if nothing happens?”

Who is doing this well right now?

With many eyes and the right incentive all bugs are shallow

- Linus’ Amended Law

Sound familiar?

Bug bounties repurpose the economics of offense to the defensive side.

So how do you get more eyes on security bugs?

Cash

Soft incentives: swag, challenge coins, points systems, exclusive opportunities

Kudos: Hall of Fame, job prospects, contract prospects, community kudos, general swagger

Ready to start?

Bug bounties are awesome…

…but hard.

Tips from the trenches

The mistake *everyone* makes:


VULNERABILITY DATA PEOPLE

The Golden Rule:

Respect the researcher

If you touch the code, pay the researcher

Be upfront and clear about what you will and won’t pay

Be transparent about duplicate and won’t fix issues

Fix quick, pay quick.

Expect front loading

Controlled incidents improve your dev team

Remember that bounty hunting is casual (vs committed)

Conclusion

• Bug bounties are cost effective, and highly marketable… but that’s not the full story…

• …this shift in strategy is necessary to address the fundamental asymmetries in the way we do things today.

• Go start one.

• More tips and tricks at https://blog.bugcrowd.com

Questions?

@caseyjohnellis

https://bugcrowd.com

casey@bugcrowd.com


Greets to Chris, Rob and SourceCONF crew, builditsecure.ly, Rapid7, iamthecavalry.com, @treyford, @k8em0, @codesoda and the @bugcrowd team.