Key Takeaways from Instructure's Successful Bug Bounty Program

Page 1: Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure’s Bug Bounty Program

Presenters:

Q. Wade Billings, Sr. Director of Global IT Shared Services, Instructure
Jonathan Cran, VP Operations, Bugcrowd

Your Presenters

• Q. Wade Billings, Sr. Director of Global IT Shared Services, Instructure

• IT leadership career spanning over 20 years. Held high-level positions with Excite@Home, lowermybills.com, Medicity and most recently WorkFront (fka AtTask)

• Involved in the Utah InfoSec community with ties to BSidesSLC and UtahSec.org

• Jonathan Cran, VP Operations, Bugcrowd

• Security Assessment Startups. Leadership positions with Rapid7, Pwnie Express, Metasploit.

About Instructure

• Instructure makes smart software that makes people smarter

• Instructure is a fast growing, education technology SaaS company serving multiple global markets

• Our growth since launch in 2011

• 18+ million users

• 1,200 institutions under contract

• 500+ employees

• Global offices and five hosting platforms worldwide

About Bugcrowd

• Your Elastic Security Team

• Founded in 2012, based in San Francisco, 20 employees

• 15,000 Researchers, $400,000 in researcher payments in 2014, 150 programs

• Provider of Crowdcontrol, the platform for Bug Bounty and Flex Bounty programs

• We help you start and manage your bug bounty program

Annual Assessment

• We update our platform every three weeks, and users benefit from new features and bug fixes.

• Starting in 2011, Instructure took a proactive approach to security.

• We published the results publicly after the first security audit

• When vulnerabilities were found, we fixed them and put them into production as quickly as possible

• We even embedded a blogger to observe and document the process!!

Why Bugcrowd?

• This year we wanted to take it a step further.

• Economics of bug bounties promised better results compared to the traditional approach

• Large researcher community, strong engagement

• Flex bounty met the “Annual Assessment” format

Bugcrowd Flex

• Two-week bug bounty

• Private with vetted researchers

• Top placed rewards (35%), Others (65%)

• Flex Bounty Report

• Access to researchers and management platform

Flex Reward Structure

Flex Process

• Step 1: Onboarding

• Step 2: Program opens to private, vetted researchers

• Step 3: Crowdcontrol removes duplicates and out-of-scope issues, providing quick feedback to researchers

• Step 4: Customer Validates, Assigns Awards and Authorizes Payments

• Step 5: Program Closes, Report Created, Report Delivered

• Step 6: Customer resolves and Researcher re-tests (if requested)

Flex Process

Flex Results

• Instead of two or three security researchers, we had 63+ researchers active during the test

• 10x the number of vulnerabilities identified

• This is NOT because Instructure is less secure: we have been doing these open audits each year for three years

• Each researcher comes at the problem with a different perspective

Flex Results

• Stored XSS

• Sending messages for unsubscribed courses

• Encrypted Cookie Store malleability / Key-reuse

• https://blog.bugcrowd.com/increased-pen-test-results-instructure-flex/

Key Takeaways

• Security is a process, and you can benefit by being transparent about your assessment process

• Flex bounties work! More high-quality results by engaging with the research community vs. traditional methods

• Bugcrowd is helping make bug bounty programs accessible to organizations

• Download the report: https://blog.bugcrowd.com/increased-pen-test-results-instructure-flex/

What’s next

• We’ve launched a new ongoing bug bounty program in partnership with Bugcrowd

• Our overarching goal is to create the most secure learning and engagement platform for teachers and corporate trainers across the world.

• We do this by being proactive and playing offense when it comes to security, not defense.

Questions?