crowdsourced vulnerability testing
Reward Programs as a Service: A fresh approach to security testing!
"Bugcrowd and similar marketplaces, such as Danish firm CrowdCurity and Synack, are democratising the crowdsourced penetration testing model, which has previously been only available to the biggest software companies that can afford to pay out millions of dollars."
CrowdCurity
Christian, Jacob, Jakob, Esben, Michael
• A Service Platform for Vulnerability Reward Programs • Founded in July 2013 • 3 months bootstrapping in Argentina • Platform launched September 2013 • 5 programs run • 300+ testers • Part of Boost.vc in Silicon Valley for the next 4 months
The Risks of Online Business

Credit Card Fraud
Credit cards are targeted: Online businesses have a high risk of attacks by intruders who steal credit card information from the sites to sell it on the black market. There is plenty to steal: In 2012 the European online B2C sites had an income of €312 billion (3.5% of GDP). The transactions are typically handled with credit cards.*

Harmed Customers
Viruses and Malware: On vulnerable sites attackers can plant viruses and other malware which infect and potentially damage the systems of the customers. Customers Lost: If a customer is infected by a virus or malware on a site, there is a high chance that they will not feel safe about using that site again.

Forced Crashes
Loss of Service: Many shops and services take pride in being available online 24/7. But attackers can crash a site in minutes if it is not protected. Loss of Income and Integrity: When a site is forced to crash, the business loses potential income, and the integrity of the site and the business is seriously harmed.

Data Disclosure
Big Data = Big Risk: To enable a high service level, sensitive data is being stored online. If this data is disclosed to the wrong people it could have a strong negative impact. Integrity Loss: When private data is disclosed it leads to an integrity loss for the business keeping the data and could harm the customer owning it.

*Source: FDIH
Why is it Difficult to Solve?
The threat of being hacked that online businesses face is a distributed and self-organizing threat. Most of the tools online businesses have today to fight attacks are code reviews, automatic scanners and corporate security experts. All of these solutions will be fighting a losing battle against the attacks. By the nature of the threat, it is difficult to solve completely using centralized and automatic solutions.
The Solution
"99designs meets IT security: Crowdsource security testers to discover your vulnerabilities"
Crowdsourced Security Testing
ENGAGE HACKERS WITH REWARD PROGRAMS!
• By running a vulnerability reward program you engage a crowd of skilled hackers with good intentions to earn rewards and recognition by testing the security of your web applications
IT’S SMARTER!
• Instead of 1 set of eyes you can get 100+ • Multiple attack angles get covered by motivated testers
IT’S CHEAPER!
• You only pay for valid vulnerabilities: no bugs, no cost • You get 100+ testers cheaper than the price of 1 consultant
ALL THE BIG GUYS ARE DOING IT!
• In 3 years Google has paid crowdsourced researchers over $2 million in security rewards and fixed more than 2,000 bugs*
*Source: thenextweb
The Solution
• http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web
Reward Programs (CrowdCurity)
Security Research Community
Reward Program Challenges
Online businesses:
• How to attract skilled researchers? • Rules? • Reporting? • Payments?
Security Research Community:
• How to get businesses to understand the value-add of a reward program?
Reward Programs as a Service
Online businesses
Service Platform:
• One place for skilled researchers to find programs • Best Practice Rules • Best Practice Reporting • Reward/Payment Mgmt.
• Connecting businesses to the research community and promoting the value-add of reward programs
How it works
1. Security Test Needed: An owner of a successful online business wants to test the security of his web application.
2. Create Reward Program: He creates a vulnerability reward program through an easy to use submission form at crowdcurity.com.
3. Marketing to Testers: The reward program is marketed to the crowd of skilled testers from around the world.
4. Tester Finds Vulnerability: A tester finds a vulnerability in the web application and submits the details through an easy to use form at crowdcurity.com.
5. Business Evaluates: The business evaluates the vulnerability and decides if it is eligible for a cash reward. The feedback is given through crowdcurity.com.
6. Payment Mgmt.: If a reward is given, CrowdCurity handles the payment to the tester and charges the business a 20% service fee.
7. Fix and Continue: The business fixes the vulnerability, and the business owner keeps the reward program running to discover more vulnerabilities.
A Customer Case
Cloud service (Business Ready to Test)
• <10 employees • Many big customers • Already focused on security • Anti-attack measures installed
Reward Program (Best Practice Setup)
• Advertised to the full crowd • Reward sizes $300/$100/$25 • Focus on the customer portal • Best practice rules
The Test (High Value at a Low Cost)
• 50+ testers participated • 6 continents represented • $1500 given in rewards • 19 vulnerabilities rewarded
The Future of Reward Programs
• A standard part of the security toolbox • Used by online businesses of all sizes • A way for security researchers to promote themselves, e.g. for recruitment • Rewards will increase with popularity
Simple, intuitive layout and instructive videos. Dashboard with an overview of the tests.
Forms for submitting programs and vulnerabilities. Easy to use views of programs and vulnerabilities.
WWW.CROWDCURITY.COM