Bugcrowd
September 2016
BREAKING THE VULNERABILITY CYCLE
KEY FINDINGS FROM 100 CISOS
SPEAKERS
JASON HADDIX, HEAD OF TRUST AND SECURITY
BRAD ARKIN, CISO, ADOBE SYSTEMS
KIM GREEN, CISO, ZEPHYR HEALTH
AGENDA
• Dissect each component of the Vulnerability Cycle
• Explore top CISO challenges and opportunities for 2017
• Security tools and best practices
TOP CISO CHALLENGES IN APPSEC
WHAT ISSUES ARE WE ADDRESSING?
• Ballooning attack surface
• Cybersecurity resource shortage
• Broken status quo
• Active, efficient adversaries
ACTIVE AND EFFICIENT ADVERSARIES
Hacking is overwhelmingly the leading cause of data breaches
[Chart: share of data breaches by cause, 2007 to 2016, y-axis 0% to 60%. Series: Insider Theft; Hacking / Skimming / Phishing; Data on the Move; Accidental Email / Internet Exposure; Subcontractor / 3rd Party / Business Associate; Employee Error / Negligence / Improper Disposal / Loss; Physical Theft]
BALLOONING ATTACK SURFACE
Application security is becoming increasingly important
STAFFING AND RESOURCING CHALLENGES
The cybersecurity job gap is at an all-time high
POLL
SECURITY TOOLS AND BEST PRACTICES
SECURITY TOOLS AND PRACTICES IN USE
AND STILL, WE’RE LEFT VULNERABLE
[Diagram: vulnerability awareness over time. Each code release is followed by point-in-time automation and a pen test; between the pen test and the next code release lies a "Zone of Vulnerability Blindness"]
BUG BOUNTY DELIVERS CONTINUOUS VULNERABILITY ASSESSMENT
[Diagram: vulnerability awareness over time, with assessment continuing across successive code releases]
VARIATIONS OF BUG BOUNTY PROGRAMS
Private ongoing program
Public ongoing program
Point-in-time “On-Demand” programs
BUG BOUNTIES MEET SECURITY NEEDS
• Addresses staffing and resourcing challenges
• Works within appsec budgeting constraints
• Improves internal security culture and supports training initiatives
PERCEIVED CHALLENGES IN RUNNING A BOUNTY PROGRAM
• Only crazy tech companies run bug bounty programs
• Bug bounties don’t attract talented testers or results
• They’re too hard to manage and too expensive
• Running a bounty program is too risky
WIDE ADOPTION OF CROWDSOURCED SECURITY
Financial Services, Consumer Tech, Retail & Ecommerce, Infrastructure Technology, Automotive, Security Technology, Other
A RADICAL CYBER SECURITY ADVANTAGE: Enterprise Bug Bounty Solutions & Hackers On-Demand
• 300+ programs run
• Every program is managed by Bugcrowd
• Deep researcher engagement and support
• No confusing pricing models and no bounty commissions
• 50,000+ researchers
Curated Crowd that Thinks like an Adversary but acts as an ally to Find Vulnerabilities
A Platform That Simplifies Connecting Researchers to Organizations, Saving You Time and Money
Security Expertise To Design, Support, and Manage Crowd Security Programs
Q&A
JASON HADDIX, HEAD OF TRUST AND SECURITY (@JHADDIX)
BRAD ARKIN, CISO, ADOBE SYSTEMS (@BRADARKIN)
KIM GREEN, CISO, ZEPHYR HEALTH (@KIM1GREEN)
GET THE FULL DATA SET FROM THIS SESSION