Embed Size (px)
DESCRIPTION
There's an asymmetry in the way we approach security today... The threat takes the form of lots of hackers, with lots of different skill-sets and diverse motivations - And the majority of them aren't being paid by the hour to attack your stuff. Contrast this with the paid by the hour consultants and in-house resources. It's not that the good guys aren't smart, it's that the model is fundamentally disadvantaged. Crowdsourcing security testing through bug bounty programs engages a crowd of "good guys who think like bad guys" and economically incentivizes them the same way the bad guys are. Casey likes solving problems. He's the Founder and CEO of Bugcrowd, a company which provides a platform to manage bug bounty programs. He's also an Aussie who has difficulty with words that end with "er".
Citation preview
8,100 hackers + Your apps = ???SourceCONF Boston 2014
Why are we here?
About me@caseyjohnellis
JABAH (Just Another Blonde Aussie Hacker)
Recovering pentester turned solution architect turned entrepreneur
Wife and two kids now living in San Francisco
Founder and CEO of Bugcrowd
What’s a bug bounty program?
History
0
125
250
375
500
1995 2000 2005 2010 2015
It’s not just about being cheap, or loud…
It’s about levelling the playing field.
Black/gray hat economics !
Goal: Exploit the bug and keep it alive Resources: Many hackers/skill-sets/motivations/time
Incentive: Paid for results
White hat economics !
Goal: Find the bug and kill it Resources: Single sets of eyes
Incentive: Paid for effort
Bug bounty economics !
A white hat goal with black/gray market economics and resourcing.
Reward pool: $10,000 2 weeks elapsed
CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
$2,500
1st $1,000
2nd $500
3rd $250
All Others
or the remainder divided by number of valid unique
bugs… Which ever is lower)
CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
349 researchers participated.
243 security submissions from 23 countries.
7 unauth’d to full privilege 0-day vulnerabilities.
CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
67 rewardable Issues
$142.86 deduplicated cost per issue
16 active security researchers in first hour
8 hours effort in first elapsed hour
CASE STUDY
Wordpress Sprint Bounty + 5 Plugins
$10,000
5 days of effort in the first 8 hours of the
bounty… Across 349 separate sets of eyes
5 days of effort
VS
With many eyes all bugs are shallow
- Linus’ Law“
Really?
Credit: Veracode
GnuTLS goto fail Credit: Veracode Heartbleed
Linus was (a little bit) wrong.
Developer Incentive
Make it work.
Security Incentive
“…but what if nothing happens?”
Who is doing this well right now?
With many eyes and the right incentive all bugs are shallow
- Linus’ Amended Law
“
Sound familiar?
Bug bounties repurpose the economics of offense to the defensive side.
So how do you get more eyes on security bugs?
Cash Soft Incentives Kudos
Swag, challenge coins, points systems,
exclusive opportunities
Hall of Fame, job prospects, contract
prospects, community kudos, general swagger
Ready to start?
Bug bounties are awesome…
…but hard.
Tips from the trenches
The mistake *everyone* makes:
!
VULNERABILITY DATA PEOPLE
The Golden Rule:
Respect the researcher
If you touch the code, pay the researcher
Be upfront and clear about what you will and won’t
pay
Be transparent about duplicate and won’t fix
issues
Fix quick, pay quick.
Expect front loading
Controlled incidents improve your dev team
Remember that bounty hunting is casual (vs
committed)
Conclusion• Bug bounties are cost effective, and highly
marketable… but that’s not the full story…
• …this shift in strategy is necessary to address the fundamental asymmetries in the way we do things today.
• Go start one.
• More tips and tricks at https://blog.bugcrowd.com
Questions?
@caseyjohnellis
https://bugcrowd.com
!
Greets to Chris, Rob and SourceCONF crew, builditsecure.ly, Rapid7, iamthecavalry.com, @treyford, @k8em0, @codesoda and the
@bugcrowd team.
