Managing Crowdsourced Security, RVAsec, Mike Shema, June 8, 2017 (PowerPoint presentation)



SLIDE 1

Managing Crowdsourced Security

Mike Shema, mike@cobalt.io
RVAsec, June 8, 2017

SLIDE 2

“You see, in this world there’s two kinds of people, my friend: Those with loaded guns and those who dig. You dig.”

– Clint Eastwood, The Good, the Bad, and the Ugly.

SLIDE 3

“There are two kinds of spurs, my friend. Those that come in by the door; those that come in by the window.”

– Eli Wallach, The Good, the Bad, and the Ugly.

SLIDE 4

A cacophony of hordes. A scrutiny of crowds.

SLIDE 5

How do we…
• find vulns efficiently?
• spend wisely?
• reduce risk?

SLIDE 6

Bounties are an imperfect proxy for risk, where price implies impact.

Payout range: $0 to $15K, ~$800 avg.
• $50: Reflected XSS, self, no auth
• $10,000: XSS vs. any auth’d user, access sensitive info

SLIDE 7

Bounties are an imperfect proxy for work, where earnings may diverge from effort.

(chart with 50%, 80% and 100% markers)

SLIDE 8

(chart with ~33% and ~87% markers)

SLIDE 9

Noise increases cost of discovery and reduces efficiency.

SLIDE 10

Filters
• Clear, concise documentation
• Scope
• Rules of engagement
• Practical SLAs for responses
• Expectations of reasonable threat models

SLIDE 11

SLIDE 12

SLIDE 13

• Cost-effective, Efficient
• Cost-effective, Inefficient
• Cost-ineffective, Inefficient
• Cost-ineffective, Efficient

SLIDE 14

Days since any report: 2, 5, 11

Days Since Valid (Any) Report, by percentile:

Year    50%      80%      95%
2016    7 (4)    16 (8)   33 (14)
2015    4 (1)    10 (5)   23 (11)
2014    3 (2)    8 (4)    16 (7)

SLIDE 15

Baseline: initial cost + ongoing maintenance
Volume: reports/day, percent valid
Triage: reports/hour, hourly rate

~15% savings
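The slide names the inputs of the cost model but not how they combine. As an added example (not code from the talk), the Python below is one plausible way to combine them; the formula and the sample dollar figures are my assumptions, chosen to show how a filter that turns away invalid reports lowers the cost of each valid finding.

```python
"""Cost-of-discovery model built from the variables named on this slide.
Added example; the way the variables combine and the sample numbers are
assumptions, not figures from the talk."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Program:
    baseline_per_day: float        # initial cost amortised per day + ongoing maintenance
    reports_per_day: float         # volume
    percent_valid: float           # fraction of reports that are valid, 0.0 to 1.0
    triage_reports_per_hour: float
    hourly_rate: float             # cost of one triage hour

    def triage_cost_per_day(self) -> float:
        # Every report, valid or not, consumes triage time: this is where noise costs.
        return self.reports_per_day / self.triage_reports_per_hour * self.hourly_rate

    def valid_reports_per_day(self) -> float:
        return self.reports_per_day * self.percent_valid

    def cost_per_valid_report(self) -> float:
        valid = self.valid_reports_per_day()
        if valid <= 0:
            return float("inf")    # no signal at all: cost per finding is unbounded
        return (self.baseline_per_day + self.triage_cost_per_day()) / valid


def apply_filter(program: Program, invalid_rejected: float) -> Program:
    """Model a filter (scope, rules of engagement, documentation) that turns away
    a fraction of the invalid reports before triage. Valid reports are untouched,
    so volume falls and percent_valid rises."""
    valid = program.valid_reports_per_day()
    invalid = program.reports_per_day - valid
    remaining_invalid = invalid * (1.0 - invalid_rejected)
    total = valid + remaining_invalid
    return replace(program, reports_per_day=total, percent_valid=valid / total)


def savings_from_filter(program: Program, invalid_rejected: float) -> float:
    """Fractional reduction in cost per valid report after the filter."""
    before = program.cost_per_valid_report()
    after = apply_filter(program, invalid_rejected).cost_per_valid_report()
    return 1.0 - after / before


# Constructed sample: $200/day baseline, 20 reports/day, half of them valid,
# 5 reports triaged per hour at $100/hour.
SAMPLE = Program(200.0, 20.0, 0.5, 5.0, 100.0)

if __name__ == "__main__":
    print(f"cost per valid report: ${SAMPLE.cost_per_valid_report():.2f}")
    print(f"after rejecting 60% of noise: {savings_from_filter(SAMPLE, 0.6):.0%} saved")
```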

SLIDE 16

Where are the scanners?

Overlaps, gaps, and ceilings in capabilities. Fixed-cost, typically efficient, but still requires triage and maintenance.

SLIDE 17

Public, Private Bounties

SLIDE 18

Pen Testing

SLIDE 19

“We always have bugs. Eyes are shallow.”

– Mike Shema’s Axiom of AppSec

SLIDE 20

BugOps vs. DevOps

Chasing bugs isn’t a strategy.

SLIDE 21

Risk reduction.

SLIDE 22

“You’re not using HTTPS.”
“Use HTTPS.”
“Seriously. Please use HTTPS.”
“Let’s Encrypt.”

SLIDE 23

SLIDE 24

Risk Strategies
• Decrease rate of reports for ___ vulns.
• Increase speed of deploying fixes for ___ vulns.
• Deploy ___ to counter ___ vuln class.

SLIDE 25

SLIDE 26

Bounties
• Realistic threat models.
• Incentives oriented towards quality and effort.
• Machine-readable reports.

SLIDE 27

Crowds
• Public bounty
• Private bounty
• Pen testing
• Threat intel sharing
• Fuzzing farms

SLIDE 28

Find efficient vuln discovery methods, strive for automation. Small crowds can have high impact.

SLIDE 29

Thank You!

blog.cobalt.io

SLIDE 30

Questions?

SLIDE 31

Tools used for the data analysis:
• R: www.r-project.org
• RStudio: www.rstudio.com
• data.table
• ggplot