Running a Bug Bounty Program


Julian Berton
Application Security Engineer at SEEK
Web developer in a previous life
Climber of rocks
Contact: Twitter - @JulianBerton, LinkedIn - julianberton, Website - julianberton.com

Today's Agenda
What motivates an attacker?
Security scaling problems.
What is a bug bounty program?
SEEK's bug bounty program journey.
Example bug submissions.

What motivates a hacker?

Cash!

Hacker Motivations
Money - To make money and lots of it!
Politics / Government - The Syrian Electronic Army (SEA) is a group of computer hackers aimed at supporting the government of Syria.
Religion - Some terrorist and hacktivist groups hack due to certain religious beliefs.
Fun / Fame - More prevalent in the early days of the internet.
World Domination - Well, maybe just in the movies.
War / Protection - State sponsored hackers with the aim of gathering intelligence on other countries.

Hackers are here to stay :(

What happens to the stolen data?

Sold on the Dark Web


Why does this keep happening? Is there a problem with our approach to security...

Current Security Model
The current application security model was designed when:
There were 3-6 month deploy to prod cycles (think waterfall).
There was one software stack per company (e.g. C#, .NET, SQL Server and IIS).
The ratio of security people to devs was... well, not great.
So how was app sec approached?

The Current Security Model
Manual security reviews go here.
Manual code reviews go here.
Manual pen tests go here... woot, security is done!

The way we build software is changing...
Small teams (max 5-10)
Agile development methodologies (move faster)
Devs do everything = DevOps practices
CI / CD, deploy to prod daily (move even faster)

Deploys To Prod Per Month ~30 times a day and growing!

Security is the Gatekeeper
Why would this be the case? Successful attacks. UNREASONABLE security controls.

Security Vs Tech Ratio ~140 Tech Team 1-2 App Sec Team

It's getting more complex! ~150 different tools, languages, platforms, frameworks and techniques.

The Solution? Can we make web apps 100% secure?

Yes there is a way!

Application Security Principles
1. Defence in Depth
2. Minimise Attack Surface
3. Least Privilege
4. Avoid Reliance on Obscurity
5. Keep Security Simple
6. Never Trust External Systems or Data
7. Fail Securely
8. Establish Secure Defaults
9. Compartmentalise
10. Detect Intrusions

Defence In Depth

Secure Development Lifecycle. How do we integrate these security principles into the SDLC?

Secure Development Lifecycle. It all starts with...

The Devops / Agile Movement

SEEK's Application Security Vision
Training - Web security training program for tech teams. Security awareness and improving security culture (i.e. brown bags, email updates, etc).
Inception - Review system design for security weaknesses. Develop attack scenarios for high risk projects.
Development - Add security specific tests into the test suite. Adopt security standards and security release plans.
Deployment - Automate security scanning tools into the build pipeline. Automatically scan infrastructure and code for outdated and vulnerable components.
Monitoring - Perform manual security testing for complex or high value components. Implement a continuous testing program (e.g. a bug bounty program).

Bug Bounty Programs Evening up the playing field...

What is a Bug Bounty Program? Crowdsourced security testing. Pay for valid bugs found, not for time spent testing. Researchers come from all around the world.

Even Up the Playing Field 50-200 Bounty Hunters ~140 Tech Team

Bug Bounty Services Bug bounty services help you setup and manage the program. Time based or on-demand programs. Invite only programs with option to help with triaging submissions.

Bug Bounty Programs 500+ Public Bug Bounty Programs Globally

Even the Pentagon has a bug bounty program!!

Location of Researchers Source: Bugcrowd - The State of bug bounty report

Company Verticals Source: Bugcrowd - The State of bug bounty report

Can I run a bug bounty program?

A few questions to consider... Do you have security aware people to manage the program? What is the security maturity of the websites you want to test? Can you fix security issues in a timely manner?

A few questions to consider... How fragile are your websites? Do you have a publicly available test environment? Could you block attacks if the researchers are affecting customers?

Bug Bounty Program POC Two week, private program.

Private On-demand Program
50 researchers invited
Testing production systems
3 apps in scope
~5 days effort
$15K USD reward pool

Issues Overview 104 issues were reported in total, with 40 being verified issues:

Issue Ratings 3 High, 7 Medium and 30 Low issues were reported:

Issues by Category 97.5% of all issues fall into the OWASP Top 10:

Reward Pool Distribution of $15K USD reward pool:

Only Slight Increase in Overall Traffic

Ongoing Bug Bounty Program Private, managed program.

Scope
Tier 1: talent.seek.com.au, www.seek.com.au, Seek mobile applications, api.seek.com.au, *.cloud.seek.com.au, seekcdn.com, authenticate.seek.com.au, *.id.seek.com.au, auth.seek.com.au
Tier 2: *.skinfra.xyz, *.myseek.xyz

Reward Range Over Time (rewards in USD)
Category    Initial Range (Nov 16)    Current Range (Oct 17) - Tier 1    Current Range (Oct 17) - Tier 2
Critical    $1,500                    $2,500 - $5,000                    $1,000 - $5,000
High        $900                      $800 - $1,200                      $700 - $900
Medium      $400                      $400 - $500                        $200 - $400
Low         $100                      $100 - $200                        $50

455 Total Submissions
272 Submissions (Excluding Duplicates)
51 Valid Issues
Currency is USD

Submissions By Severity (chart values: 27, 19, 9, 2)

Bug Bounty Program Started

Top Researchers

Lessons Learnt

Researchers Don't Always Follow The Rules

Dealing with Researchers

Researcher Reports

XXE

XXE: xxe_test_external_dtd.docx

XXE: http://52.64.105.114/payload.dtd

XXE: c:/windows/win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
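The parser side of the report above, as an added example (not SEEK's code and not the researcher's payload). A .docx is a zip of XML parts, and whichever XML parser the server uses on those parts decides whether an external entity like the one that fetched payload.dtd and then win.ini gets resolved. Here the same document is fed to Python's standard xml.sax parser twice: once with external general entities enabled, which is the leak, and once with them disabled, which is the fix. The entity points at a temporary file standing in for win.ini; file, payload and parser choice are all assumptions for the demo.

```python
# Added example: external-entity resolution on and off in Python's xml.sax.
# The target file, the payload document and the use of xml.sax are constructed
# for this demo; the real report went through a .docx upload and a remote DTD.
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Gathers character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_xml(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Return the text content of the document.

    allow_external_entities=True models a parser left at an unsafe setting;
    False is the hardened configuration, where the entity reference stays empty.
    """
    parser = xml.sax.make_parser()
    # feature_external_ges controls fetching of external general entities
    # (SYSTEM "..." in an <!ENTITY> declaration). Off means no file/URL access.
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def build_xxe_document(target_path: str) -> bytes:
    """Minimal XXE payload (constructed): an external entity naming a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        "<doc>&xxe;</doc>"
    ).encode()


def demo():
    """Write a stand-in for win.ini, parse the payload both ways, return (leaked, safe)."""
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
        fh.write("; for 16-bit app support\n[fonts]\n[extensions]\n")  # constructed content
        target = fh.name
    try:
        doc = build_xxe_document(target)
        leaked = parse_xml(doc, allow_external_entities=True)
        safe = parse_xml(doc, allow_external_entities=False)
    finally:
        os.unlink(target)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("unsafe parser returned:", repr(leaked))
    print("hardened parser returned:", repr(safe))
```

The same switch exists in every mainstream parser (for example `resolve_entities=False` on lxml's `XMLParser`, or the `disallow-doctype-decl` feature in Java's SAX/DOM factories); the practical check for a triage team is to find every place that parses uploaded documents and confirm the DTD/external entity features are off there, not just in the one endpoint the researcher hit.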

Dangling Domains

Dangling A Records...

Dangling A Records...
$ dig remoted.skinfra.xyz
; <<>> DiG 9.8.3-P1 <<>> remoted.skinfra.xyz
remoted.skinfra.xyz. IN A 52.64.41.231
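The check behind the dig output above, as an added example (not SEEK's tooling): a host behind `remoted.skinfra.xyz` was gone, but the A record still pointed at its old cloud address. Once a cloud instance is terminated its public IP goes back to the provider's pool, so whoever is allocated it next answers for the hostname. The script parses A records out of a zone export and flags any that sit inside a cloud prefix but are not in the set of addresses the account currently holds. The zone lines, the owned-IP inventory, the prefix and the example.xyz names are all constructed for the demo; a real run would take them from the DNS zone and the provider's API.

```python
# Added example: flag A records that point at cloud addresses we no longer hold.
# ZONE_TEXT, OWNED_IPS and CLOUD_PREFIXES are constructed for this demo.
import ipaddress
import re

# Constructed: public prefix assumed to belong to the cloud region we deploy to.
CLOUD_PREFIXES = [ipaddress.ip_network("52.64.0.0/17")]

# Constructed: public IPs currently allocated to our cloud account.
OWNED_IPS = {"52.64.10.20", "52.64.100.5"}

# Constructed zone export in zone-file style; only A records are examined.
ZONE_TEXT = """\
www.example.xyz.       300 IN A     52.64.10.20
api.example.xyz.       300 IN A     52.64.100.5
remoted.example.xyz.   300 IN A     52.64.41.231   ; host terminated, record kept
legacy.example.xyz.    300 IN A     203.0.113.7    ; on-prem, not a cloud address
mail.example.xyz.      300 IN MX    10 mx.example.xyz.
"""

# name, optional TTL, optional class, literal type A, dotted-quad address
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_a_records(zone_text):
    """Return (name, ip) for each A record, ignoring comments and other types."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        match = A_RECORD.match(line)
        if match:
            records.append((match["name"], match["ip"]))
    return records


def find_dangling(zone_text, owned_ips, cloud_prefixes):
    """Return (name, ip) for A records inside a cloud prefix whose IP we do not own.

    Addresses outside the cloud prefixes (on-prem, third parties) are left
    alone here; they need a different ownership check.
    """
    owned = {ipaddress.ip_address(ip) for ip in owned_ips}
    dangling = []
    for name, ip_text in parse_a_records(zone_text):
        ip = ipaddress.ip_address(ip_text)
        in_cloud = any(ip in prefix for prefix in cloud_prefixes)
        if in_cloud and ip not in owned:
            dangling.append((name, ip_text))
    return dangling


if __name__ == "__main__":
    for name, ip in find_dangling(ZONE_TEXT, OWNED_IPS, CLOUD_PREFIXES):
        print(f"DANGLING {name} -> {ip}: address not in our inventory")
```

Run it from the same pipeline that decommissions hosts, so a record is deleted (or re-pointed) in the same change that releases the address; a scheduled diff of zone against inventory catches the ones that slip through.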

The End

Corporate Slack Team Access

Setting the Scene Customer Service Portal

Emails are sent to the CS ticketing system: support@seek.com.au

Emails here are to support@seek.com.au and from the user's email address

Twitter does not force email verification.

Asked me for an email address and logged me in... hmmm

Parameter: include_email When set to true email will be returned in the user objects as a string. If the user does not have an email address on their account, or if the email address is not verified, null will be returned.

Recap
We can see emails to support@seek.com.au and from any email address.
So we could read SEEK users' support email tickets.
Not that interesting :( What's next?

Slack sends emails from no-reply@slack.com

@seek.com.au
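The account-matching step behind this report, as an added example (not SEEK's or the ticketing vendor's code). The portal let the researcher in through Twitter, and when Twitter returned no email (which, per the API note above, is what an unverified address looks like) it asked the researcher to type one and matched the account on that. The vulnerable lookup and a hardened one are shown side by side: the hardened version matches only on a previously stored provider link or on an address the provider itself asserts as verified, and never on anything typed at login. Account records and provider responses are constructed for the demo.

```python
# Added example: social-login account matching, vulnerable vs hardened.
# Account tables and the Twitter-style user objects are constructed for this demo.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProviderProfile:
    provider: str
    subject: str              # the provider's stable user id
    email: Optional[str]      # None when the provider has no verified address to give
    email_verified: bool


def profile_from_twitter(user_obj: dict) -> ProviderProfile:
    """Map a Twitter user object (include_email=true) to a ProviderProfile.

    The API returns email as null when the address is missing or unverified,
    so a non-null value is the only one that may be treated as verified.
    """
    email = user_obj.get("email")
    return ProviderProfile("twitter", str(user_obj["id"]), email, email is not None)


def vulnerable_resolve_account(profile, accounts_by_email, typed_email):
    """The reported behaviour: when the provider gives no email, trust the one typed."""
    email = profile.email or typed_email
    return accounts_by_email.get(email.lower())


def resolve_account(profile, accounts_by_link, accounts_by_email):
    """Hardened: return an account id, or None when nothing verified matches.

    1. A stored (provider, subject) link always wins.
    2. Email matching is allowed only for a provider-verified address.
    3. Nothing the user typed at login is used for matching; a None result
       must send them to a fresh signup with its own email confirmation.
    """
    linked = accounts_by_link.get((profile.provider, profile.subject))
    if linked is not None:
        return linked
    if profile.email and profile.email_verified:
        return accounts_by_email.get(profile.email.lower())
    return None


if __name__ == "__main__":
    accounts_by_email = {"victim@example.com": "acct-42"}   # constructed
    attacker = profile_from_twitter({"id": 1001, "email": None})
    print("vulnerable:", vulnerable_resolve_account(attacker, accounts_by_email, "victim@example.com"))
    print("hardened:  ", resolve_account(attacker, {}, accounts_by_email))
```

The same rule carries to OpenID Connect providers: match on `sub`, and on `email` only when `email_verified` is true; treat a missing claim as unverified, not as an invitation to ask the user.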

Appendix

Pros and Cons

Bug bounty program - The Good and Bad
Pros: Can be more cost effective. Pay researchers per bug, not for time spent.
Cons: Program management overhead. Stakeholder management. Communicating with ALL the researchers. Validating, triaging and deduping issues reported.

Bug bounty program - The Good and Bad
Pros: Researchers' incentives are different. Rewarded for valid bugs, not time spent looking. Rewards don't have to be money (swag, experience, reputation, fun).
Cons: If you reward swag or kudos instead of money the testers might go elsewhere. Over time researchers get bored and move on. Need to increase payouts to keep interest.

Bug bounty program - The Good and Bad
Pros: Diverse skill sets. Researchers specialise in finding certain types of issues, which leads to high quality bugs. Multiply this by 100+ researchers.
Cons: No guarantee of a researcher's skill level or what types of issues they have tested for.

Bug bounty program - The Good and Bad
Pros: Scales well. Tap into 100s of testers almost instantly. Increase assurance on one site or multiple.
Cons: Only scales well if the incentives are there. Test coverage is hard to judge. Difficult to know when testers last tested the app, page or feature.

Bug bounty program - The Good and Bad
Pros: Fits into a continuous delivery environment. An ongoing program can continually test your apps, instead of point in time.
Cons: Can continually test your app only if you are running an effective program with ongoing researcher activity. Hard to get researchers to focus on small site changes.

Bug bounty program - The Good and Bad
Pros: Marketing your company's security. Public programs tell the public that you are trying to make your apps and their data secure.
Cons: Can lead to the public knowing that you have bugs. Can be hard to keep researchers quiet for the long term.

Bug bounty program - The Good and Bad
Pros: Good way of learning about your blind spots. Multiple opportunities to run blue team exercises. Researchers find systems and features you didn't even know were there.
Cons: Testers will find and test sites you don't want them to test.

Risk Mitigations

The Risks
Risk: A researcher could perform testing that brings down or disrupts production (if testing on production systems).
Mitigation: The program brief states that Denial of Service against any in-scope target is not permitted. Ban the researcher from the program; they will stop, as they will not get paid and will get negative points on the HaaS. If you have the ability (e.g. a WAF) you can block the IP address that is causing the issues. Use a testing environment for the bug bounty program.

The Risks
Risk: A researcher could interact with real customers and steal real customer data.
Mitigation: The brief states not to interact with real customers. Ban the researcher from the program. Existing security controls will prevent most customers being affected. Parts of the site that are too hard to test without interacting with customers are taken out of scope.

The Risks
Risk: A researcher could exploit a vulnerability and steal sensitive data.
Mitigation: The brief states that issues should be reported immediately and sensitive data must not be exfiltrated. Bonuses are awarded for demonstrating access to sensitive data and systems, incentivising researchers to report the issue quickly rather than dig further.

The Risks
Risk: A researcher could publicly disclose an issue during or after the program.
Mitigation: They will not receive a reward, will be banned from the program and their reputation score will suffer. Ensure that the business is capable and ready to fix reported issues (especially the high issues) as quickly as possible, so that the risk is minimised if it did go public.

The End

Credits/References
https://pages.bugcrowd.com/hubfs/pdfs/state-of-bug-bounty-2016.pdf
https://www2.trustwave.com/rs/815-rfm-693/images/2016%20trustwave%20global%20security%20Report.pdf
http://www.wired.co.uk/article/hack-the-pentagon-bug-bounty
http://bugsheet.com/directory
http://www.theverge.com/2016/3/8/11179926/facebook-account-security-flaw-bug-bounty-payout
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.cio.com.au/article/606319/australia-hardest-hit-globally-by-cyber-security-skills-shortage-report/
http://www.abc.net.au/news/2015-08-27/global-skills-shortage-for-cyber-security-experts2c-says-commo/6730034