Application Security/Software Assurance
Education Level: Basic
4416 - Crowdsourced Security: The Good, The Bad and The Ugly
Monday, September 25
4:30 PM - 5:30 PM
Cost, quality and coverage. These are the three major factors that security professionals must consider when designing a strategy for testing their web applications. There is a major talent shortage in the security industry, and tools will only get you so far. How can security professionals leverage the power of the crowd to get fresh, incentivized eyes on their latest and greatest web apps, mobile apps, and APIs? Options include public and private bug bounties and crowdsourced penetration testing. But what are the advantages and risks of engaging in this brave new world of “hire the hacker”?
Join Mike Shema, VP of SecOps and Research, Cobalt.io, for a frank discussion of the good, bad and the ugly when it comes to crowdsourcing your web application security.
Learning Objectives:
- Describe the difference between a public bug bounty, a private bug bounty and a crowdsourced penetration test.
- Recognize the all-in cost and workflows involved in getting value out of a public bug bounty, private bug bounty and crowdsourced penetration test (e.g. curation, management, duplicates and invalid reports).
- Recognize the "hidden costs" involved in each of the crowdsourced security models, such as organizational reputation in the global security researcher community, organizational reputation of the security team and opportunity costs of choosing to proceed with one over another.