OWASP LATAM@home 2020
Download as PPTX, PDF0 likes52 views
The document discusses lessons learned from running a bug bounty program for one year. It emphasizes that preparation is key to success, and that a bug bounty program should not be the sole method for detecting vulnerabilities, but rather should be part of a broader security program ("defense in depth"). Response time to researchers is important for maintaining an engaged community. The appropriate scope, budget, and priorities should be determined based on the program's maturity level. Quality reports providing deeper understanding of applications are more valuable than quantity. Building a sense of community is also important.
OWASP LATAM@home 2020
- 1. + BUG BOUNTY - ONE YEAR LATER
- 2. 2 ABOUT US Alejandro Iacobelli Application Security Manager at MELI and OWASP Buenos Aires Chapter Leader Appsec Profesor alejandro.iacobelli@owasp.org linkedin.com/in/aiacobellisec twitter: @aiacobelli_sec Pablo Garbossa Information Security Manager at MELI and OWASP Buenos Aires Chapter Leader pablo.garbossa@owasp.org ar.linkedin.com/in/pgarbossa twitter: @pgarbossa
- 3. 3 DISCLOSURE Las opiniones expresadas en la presentación y/o en los slides siguientes son solamente nuestras y no necesariamente de nuestro empleador.
- 4. 4 We will talk about... ■ What is a bug bounty program? ■ Why it is important? ■ Company’s perspective
- 9. 9 LESSONS LEARNED Make your pre-work Not a Silver Bullet Defense in Depth Scope Show me the MONEY Quality and Quantity Response Time Community
- 10. 10 PRE-WORK SLA
- 13. 13 PRE-WORK SLA BACKLOG SECURITY TEAM CAPACITY KNOW YOURSELF
- 14. 14 PRE-WORK SLA BACKLOG SECURITY TEAM CAPACITY KNOW YOURSELF CHOOSE PARTNER
- 15. 15 PRE-WORK SLA BACKLOG SECURITY TEAM CAPACITY KNOW YOURSELF CHOOSE PARTNER MAKE A POLICY
- 16. 16 NOT A SILVER BULLET Security Requirements Engineering Threat modeling Attack surface analysis Misuse case analysis SasT Software Composition Analysis Secure coding standards DasT Vulnerability Assessment Peer Code Review Security Culture Software acceptance Bug Bounty Program Penetration testing Vulnerability Assessments Vulnerability Management Monitoring Anomaly detection Configuration Management Avoid Penetrate and Patch Model
- 17. 17 NOT A SILVER BULLET Do not only use it as vulnerability detector Tactic / Reactive Strategic / Proactive Appsec program MATURITY ● Celebrate findings ● Set objectives in order to increase findings ● Generic Policy ● Every finding is seen as a fail on some stage of the SDLC ● Root cause analysis per finding ● Analice bounty information to set new OKR’s
- 18. 18 DEFENSE IN DEPTH Bug Bounty is not a replacement for pentesting Vulnerability Assessment Penetration Testing
- 19. 19 RESPONSE TIME Measure times and analyze effect on researchers First Response Time Average time to triage Average time to bounty Average time to resolution Managed programs
- 20. 20 TIME TO BOUNTY Bounty time matters Cum hoc ergo propter hoc!!
- 21. 21 RESPONSE TIME Pay for risk reduction (> Mature) -> Resolution time and internal SLA are important -> If not, angry community Pay on valid report (< Mature) -> Careful with Dupi! -> Angry community Define your strategy: Pay for fix or pay for valid report
- 22. 22 BUDGET More money more interest Pay a lot for trivial findings & Up SHOW ME THE MONEY MATURITY Money should go up according to maturity ¿How to choose how much to pay?
- 23. 23 SCOPE Prudence to the unknown is good but too much prudence is not ● Makes recon and learning curve more complicated ● Products do not depend of a single domain ● Accepting 3 times of vulnerabilities makes first report barrier very difficult
- 24. 24 SCOPE Prudence to the unknown is good but too much prudence is not Cum hoc ergo propter hoc!!
- 25. 25 QUALITY OVER QUANTITY More knowledge, better vulnerabilities - More accurate documentation (Cards,Users,api’s) - Announce new features - Challenge researchers into specific targets - Organize events to bond with the community
- 27. 27 Conclusions - Before anything else, preparation is the key to success (make your pre-work) - Un programa maduro de seguridad aplicativa no puede depender únicamente de este tipo de iniciativas para detectar fallas en sus aplicaciones - (Not a silver bullet) - Un programa de bug bounty no es un reemplazo a los ejercicios de pentest tradicionales, sino un complemento” (Defense in depth) - “Un hunter desmotivado genera un efecto avalancha en la comunidad y los tiempos de respuesta son un factor influyente” (Response Time) - “Del total de invitaciones rechazadas, el 20% son debidas a scope acotado ” (Scope) - “Los montos a pagar deben tener relación a la madurez de los productos a testear, el presupuesto disponible y lo riesgoso que puede ser ese producto para la empresa.”(Show me the money) - “Por lo general, las vulnerabilidades de mayor impacto se detectan una vez que se logra entender las funcionalidades de una aplicación a fondo.”(Quality and Quantity) - Focus on making community.
- 28. 28 Q&A