4 Reasons to Crowdsource Your Penetration Test
The premier platform for crowdsourced cybersecurity.
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
The Problem
Security is not a fair fight. How do you level the playing field?
About your presenters
@caseyjohnellis
Founder and CEO, Bugcrowd
Recovering pentester turned solution architect turned sales guy turned entrepreneur
@jcran
VP Delivery, Bugcrowd
Bugcrowd researcher turned operations lead
Formerly @Rapid7, @Metasploit, @PwnieExpress
Bugcrowd Products
Crowdsourced security to fit your needs
• Responsible Disclosure: free
• Flex Bounty: capped cost; ad-hoc or continuous; elite tier researchers
• Bug Bounty: continuous testing; monthly fee + transaction fee
What is Flex?
• A bug bounty in the format of a penetration test
• Typically a two-week, fixed-cost, fixed-timeline project
• Private (vetted researchers) or open
• Bugcrowd does the vulnerability analysis
• Deliverables:
• Report with overview and verified vulnerabilities
• Access to the platform and the researchers
Use cases
• A more effective web, mobile and/or IoT penetration test
• Lots of effort in a short timeframe
• Ideal for short testing windows
• Rapid deployment testing
• New products or features, supplier due diligence, acquisitions, etc.
• Precursor to a public bug bounty program (i.e., what is my *real* security posture?)
How does it work?
• Program Setup
• Program Kickoff and Invitations
• Program Runs [2 weeks on average]
• Analysis [96 hours on average]
• Report Delivery and Access
4 Reasons to Crowdsource Your Penetration Test
• Pay for results, not effort
• Engage diverse skill-sets
• A reward model that encourages depth and breadth
• Higher total effort
Pay for results, not effort
• 193: average number of submissions per program
• 45: average number of valid submissions
• $256: average cost per bug (how much does a bug cost you now?)
• 3.88: average priority, on a scale from 1 (showstopper) to 5 (won't fix)
Engage diverse skill-sets
• Vast array of specialties
• Web Application, Network, Mobile, Hardware
• Testing styles and patterns vary wildly
• Have questions? Engage the researchers at the end of the program
A reward model that encourages depth and breadth
• Top 3 issues get a significant percentage of the reward pool
• All “unplaced” submissions get the remainder
• Sliding scale varies with the difficulty of the application and prior testing results
Higher total effort
• Up to 80 hours of effort in the first 8 hours
• At least 160 man-hours per bounty
• Activity depends on incentives
Summary
• Cost effective, quick, high quality results
• Capped cost and capped timeline
• Great way to prepare for an ongoing bounty program
• Flex model incentivizes both breadth and depth