Bug bounty botox: how to spot good security DNA & prevention from cosmetic security

Presented at LocoMocoSec 2019, April 18, 2019, 3 p.m. (30 minutes)

Bug bounties are beautiful, when done right. But what about bug bounties gone bad? Bug bounties have risen in popularity across the globe since the success of Hack the Pentagon, but we are rushing to use them everywhere, even where sensitive assets are concerned. The allure of "thorough" security vulnerability testing at a fraction of the cost of traditional professional penetration testing seems too good to be true. It is. Like an oversubscribed cell phone provider boasting network speeds that local congestion can never meet, the bug bounty platforms brag about sheer account numbers, even as only a tiny fraction of bug hunters have any real luck (or skills). There is a reason many top companies and governments manage their own triage & store their own bugs on premises, not in five-year-old startup cloud platforms triaged by contractors. Who has eyes on your bugs besides you? How can we use this new crowd-sourced security testing safely? Where are we inadvertently mishandling sensitive information in the execution of what is, in some cases, only superficial security performance art? All organizations need to understand why & how to manage particularly sensitive bugs more securely. What does your threat model & organizational maturity tell you about whether you can safely use a bug bounty, and against which targets? Learn to spot bug bounty Botox, & to go deeper into the tradeoffs of any given bug discovery method. Both sides of this bug gig economy can do better. Come find out how.

Presenters:

  • Katie Moussouris - Luta Security
    Ms. Moussouris recently testified as an expert on bug bounties & the labor market for security research for the US Senate, and has also been called upon for European Parliament hearings on dual-use technology. She was later invited by the US State Department to help renegotiate the Wassenaar Arrangement, where she successfully helped change the export control language to include technical exemptions for vulnerability disclosure and incident response. She is a coauthor of an economic research paper on the labor market for bugs, published as a book chapter by MIT Press in 2017, and presented the first system dynamics model of the vulnerability economy & exploit market in 2015, as part of her academic work as a visiting scholar at MIT Sloan School. She has over 20 years of pioneering leadership in information security, from penetration tester at @stake, to creating Microsoft Vulnerability Research and the first Microsoft bug bounties, to advising the US Department of Defense for years, resulting in the launch of the Hack-the-Pentagon program. She is also an author and co-editor of the standards ISO 29147 (Vulnerability disclosure) and ISO 30111 (Vulnerability handling processes).
