RVAsec 2017: Managing Crowdsourced Security Testing

This June at RVAsec 2017 I continued the discussion of metrics that reflect the effort spent on vuln discovery via crowdsourced models. It analyzes data from real-world bounty programs and pen tests in order to measure how time and money might both be invested wisely in finding vulns. Here are the slides for my presentation.

We shouldn’t chase an eternal BugOps strategy where an app’s security relies solely on fixing vulns found in production. We should be using vuln discovery as a feedback mechanism for improving DevOps processes and striving to automate ways to detect or prevent the flaws that manual analysis reveals.

And when we must turn to manual analysis, we should understand the metrics that help determine when it’s efficient, effective, and contributing to better appsec. This way we can being to model successful approaches within constrained budgets.


An Event Mutates

This week I spoke again about evolving a bug bounty program. It was an iteration on A Mutation Event that I presented last month. In the spirit of my evolutionary metaphor, the content has been modified in its descent and adapted to the audience. The tweaks are both in presentation flow and in response to questions.

bugI’ve also called out more clearly that in security, crowds require more time to manage than you think and effective crowds are smaller than you think. Adding the qualifier “effective” shrinks the size from a crowd to a coterie.

Check out the updated slides. And know that the future will not only bring more evolution on this topic, but expansion into others.

A Mutation Event

The last time I was fortunate enough to present at a conference was a year ago at SOURCE Seattle. So it feels good to have had the chance to return in 2016 and present on a new topic of crowdsourced security.bug

The title was Evolving a Bug Bounty Program and, accordingly, it embraced a theme of descent with modification. In this case, building feedback loops and iterative processes based on various signals (and noise!) from of a bug bounty program.

You can hear a preview of some of the ideas in the Brakeing Security podcast that covered the conference. Enjoy!