managing crowdsourced security
play

Managing Crowdsourced Security RVAsec Mike Shema June 8, 2017 - PowerPoint PPT Presentation

Sep 29, 2022 •466 likes •792 views

Managing Crowdsourced Security RVAsec Mike Shema June 8, 2017 mike@cobalt.io You see, in this world theres two kinds of people, my friend: Those with loaded guns and those who dig. You dig. Clint Eastwood, The Good, the Bad,

  1. Managing Crowdsourced Security RVAsec Mike Shema June 8, 2017 mike@cobalt.io

  2. “You see, in this world there’s two kinds of people, my friend: Those with loaded guns and those who dig. You dig.” – Clint Eastwood, The Good, the Bad, and the Ugly .

  3. “There are two kinds of spurs, my friend. Those that come in by the door; those that come in by the window.” – Eli Wallach, The Good, the Bad, and the Ugly .

  4. A cacophony of hordes. A scrutiny of crowds.

  5. How do we… find vulns efficiently ? spend wisely ? reduce risk ?

  6. Bounties are an imperfect proxy for risk, where price implies impact. $0 — $15K ~$800 avg. $10,000 $50 XSS vs. any auth’d user, 
 Reflected XSS, self, access sensitive info no auth

  7. Bounties are an imperfect proxy for work, where earnings may diverge from effort. 100% 80% 50%

  8. ~33% ~87%

  9. Noise increases cost of discovery and reduces efficiency.

  10. Clear, concise documentation Scope Rules of engagement Filters Practical SLAs for responses Expectations of reasonable threat models

  13. Cost-ineffective, Inefficient Cost-ineffective, Efficient Cost-effective, Inefficient Cost-effective, Efficient

  14. Days Since Valid (Any) Report 2016 7 (4) 16 (8) 33 (14) 2015 4 (1) 10 (5) 23 (11) 2014 3 (2) 8 (4) 16 (7) 50% 80% 95% Days since any report: 2, 5, 11

  15. Baseline — 
 Initial cost + 
 Ongoing maintenance Volume — 
 Reports/day, 
 Percent valid Triage — 
 Reports/hour, 
 Hourly rate ~15% savings

  16. Where are the scanners? Overlaps, gaps, and ceilings in capabilities. Fixed-cost, typically efficient, but still requires triage and maintenance.

  17. Public, Private Bounties

  18. Pen Testing

  19. “We always have bugs. Eyes are shallow.” – Mike Shema’s Axiom of AppSec

  20. BugOps vs. DevOps Chasing bugs isn’t a strategy.

  21. Risk reduction.

  22. “You’re not using HTTPS.” “Use HTTPS.” “Seriously. Please use HTTPS.” “Let’s Encrypt.”

  24. Risk Strategies Decrease rate of reports for ___ vulns. Increase speed of deploying fixes for ___ vulns. Deploy ___ to counter ___ vuln class.

  26. Realistic threat models. Incentives oriented towards Bounties quality and effort. Machine-readable reports.

  27. Public bounty Private bounty Crowds Pen testing Threat intel sharing Fuzzing farms

  28. Find efficient vuln discovery methods, strive for automation. Small crowds can have high impact.

  29. Thank You! blog.cobalt.io

  30. Questions?

  31. R — 
 www.r-project.org RStudio — 
 www.rstudio.com data.table ggplot

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and

Managing Dependencies and Runtime Security ActiveState Deminar Managing Dependencies and Runtime Security About ActiveState Track-record: 97% of Fortune 1000, 20+ years open source Polyglot: 5 languages - Python, Perl, Tcl, Go, Ruby

727 views • 47 slides
SPECIFIC SEARCH OF CROWDSOURCED OPENSTREETMAP DATASET AND WIKI Prof. Stefan Keller and Michel

SPECIFIC SEARCH OF CROWDSOURCED OPENSTREETMAP DATASET AND WIKI Prof. Stefan Keller and Michel

OGRS 2012 ONTOLOGY BASED DOMAIN SPECIFIC SEARCH OF CROWDSOURCED OPENSTREETMAP DATASET AND WIKI Prof. Stefan Keller and Michel Ott Yverdon-les-Bains, 26. October 2012 The Problem: Finding Tags in OSM OpenStreetMap (OSM) crowdsourced

148 views • 12 slides
Truth discovery in crowdsourced detection of spatial events Robin Wentao Ouyang Mani Srivastava

Truth discovery in crowdsourced detection of spatial events Robin Wentao Ouyang Mani Srivastava

Truth discovery in crowdsourced detection of spatial events Robin Wentao Ouyang Mani Srivastava Alice Toniolo Timothy J. Norman 2 Mobile crowdsourced event detection Potholes, graffiti, bike racks, flora, 3 Truth discovery Given

478 views • 24 slides
MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR ADVANCING FOOD

MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR ADVANCING FOOD

MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR MANAGING SOIL FOR ADVANCING FOOD ADVANCING FOOD SECURITY AND ADAPTING SECURITY AND ADAPTING TO CLIMATE CHANGE TO CLIMATE CHANGE R. Lal Carbon Management and Sequestration Center g q

582 views • 55 slides
Crowdsourced translation using MediaWiki Siebrand Mazeland i18n/L10n contractor, Wikimedia

Crowdsourced translation using MediaWiki Siebrand Mazeland i18n/L10n contractor, Wikimedia

Crowdsourced translation using MediaWiki Siebrand Mazeland i18n/L10n contractor, Wikimedia Foundation Community Manager, translatewiki.net FOSDEM 2014 | Crowdsourced translation using MediaWiki | February 1, 2014 | Siebrand Mazeland | CC-BY-SA

456 views • 19 slides
Crowdsourced Classification with XOR Queries: An Algorithm with Optimal Sample Complexity

Crowdsourced Classification with XOR Queries: An Algorithm with Optimal Sample Complexity

Crowdsourced Classification with XOR Queries: An Algorithm with Optimal Sample Complexity Daesung Kim and Hye Won Chung School of Electrical Engineering, KAIST ISIT, 2020 Introduction Crowdsourcing A method to label data with very small

502 views • 21 slides
Security Structures Beyond GOs Municipal Analysts Group of NY luncheon Amy Laskey, Managing

Security Structures Beyond GOs Municipal Analysts Group of NY luncheon Amy Laskey, Managing

Security Structures Beyond GOs Municipal Analysts Group of NY luncheon Amy Laskey, Managing Director September 8, 2017 Agenda Explain the relationship between the Issuer Default Rating (IDR) and security ratings Discuss the limited

235 views • 21 slides
CrowdQ: Crowdsourced Query Understanding Gianluca Demar8ni, Beth

CrowdQ: Crowdsourced Query Understanding Gianluca Demar8ni, Beth

CrowdQ: Crowdsourced Query Understanding Gianluca Demar8ni, Beth Trushkowsky, Tim Kraska, Michael J. Franklin Scenario Find the birthdate of the mayor of

316 views • 15 slides
C+I Metrics Initiative Introducing a Crowdsourced Bottom-Up Approach to Developing

C+I Metrics Initiative Introducing a Crowdsourced Bottom-Up Approach to Developing

C+I Metrics Initiative Introducing a Crowdsourced Bottom-Up Approach to Developing Transdisciplinary Scholarship Metrics Ivica Ico Bukvic, Director Creativity+Innovation ico@vt.edu Overview 1. Background 3. Demo+Experience Motivation

530 views • 26 slides
Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity

Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity

Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity Framework (NIST CSF) A Business Case Agenda and Objectives The Digital Innovation Economy The Cyber Security Problem The Cyber Security Solution

260 views • 22 slides
DEVELOPMENT The Ports, Our Economy and National Security: Managing the Contours and Linkages A

DEVELOPMENT The Ports, Our Economy and National Security: Managing the Contours and Linkages A

PORT OPERATIONS AND SUSTAINABLE DEVELOPMENT The Ports, Our Economy and National Security: Managing the Contours and Linkages A Paper Presented By M.J. Khalil Nigerian Ports Authority To The Technical Committee for Maritime Security,

537 views • 25 slides
Using Openstreetmap crowdsourced data and La Landsat im imagery for la land cover mapping in

Using Openstreetmap crowdsourced data and La Landsat im imagery for la land cover mapping in

Using Openstreetmap crowdsourced data and La Landsat im imagery for la land cover mapping in in th the La Laguna de Bay area of f th the Philippines Brian A. Johnson*, Kotaro lizuka, lsao Endo, Damasa B. Magcale-Macandog, Milben Bragais

389 views • 13 slides
CORPUS CREATION FOR NEW GENRES: A Crowdsourced Approach to PP Attachment Mukund Jha, Jacob

CORPUS CREATION FOR NEW GENRES: A Crowdsourced Approach to PP Attachment Mukund Jha, Jacob

CORPUS CREATION FOR NEW GENRES: A Crowdsourced Approach to PP Attachment Mukund Jha, Jacob Andreas, Kapil Thadani, Sara Rosenthal, Kathleen McKeown Background Supervised techniques for text analysis require annotated data LDC

543 views • 37 slides
Managing Security Investment Part IV Tyler Moore Computer Science & Engineering Department,

Managing Security Investment Part IV Tyler Moore Computer Science & Engineering Department,

Notes Managing Security Investment Part IV Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX September 27, 2012 Baseline investment models Information security risk management Measuring the security level Notes

439 views • 6 slides
RaceMob: Crowdsourced Data Race Detec,on Baris Kasikci, Cris,an

RaceMob: Crowdsourced Data Race Detec,on Baris Kasikci, Cris,an

RaceMob: Crowdsourced Data Race Detec,on Baris Kasikci, Cris,an Zamfir, and George Candea School of Computer & Communica3on Sciences Tuesday 12 November 13 Data Races

767 views • 25 slides
Testing to Improve User Response of Crowdsourced S&T Forecasting System Sponsors: Charles

Testing to Improve User Response of Crowdsourced S&T Forecasting System Sponsors: Charles

Testing to Improve User Response of Crowdsourced S&T Forecasting System Sponsors: Charles Twardy, GMU C4i Center, Adam Siegel, Inkling Markets Team members: Kevin Connor Andrew Kreeger Neil Wood Project Background SciCast central

218 views • 21 slides
CROWDSOURCED ANNUAL MEETING IDEAS Natalie Zundel, CFRE 1 Our Agenda Scroll through real world

CROWDSOURCED ANNUAL MEETING IDEAS Natalie Zundel, CFRE 1 Our Agenda Scroll through real world

5/1/2019 CROWDSOURCED ANNUAL MEETING IDEAS Natalie Zundel, CFRE 1 Our Agenda Scroll through real world ideas Discuss & share the knowledge in the room Complete your three item action plan 2 3 Item Action Plan 1 2 3 Pin a

384 views • 5 slides
Collective Annotation: From Crowdsourcing to Social Choice Ulle Endriss Institute for Logic,

Collective Annotation: From Crowdsourcing to Social Choice Ulle Endriss Institute for Logic,

Collective Annotation Tulane, 14 March 2014 Collective Annotation: From Crowdsourcing to Social Choice Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam joint work with Raquel Fern andez, Justin

418 views • 16 slides
C OMPLAINT M ANAGEMENT S YSTEM : C ROWDSOURCING A N E XAMPLE Indian Institute of Technology Kanpur

C OMPLAINT M ANAGEMENT S YSTEM : C ROWDSOURCING A N E XAMPLE Indian Institute of Technology Kanpur

C OMPLAINT M ANAGEMENT S YSTEM : C ROWDSOURCING A N E XAMPLE Indian Institute of Technology Kanpur Commonwealth of Learning Vancouver MOOC on M4D 2013 Abhinav Tripathi Arnium Technologies Pvt. IIT Kanpur www.arnium.com MOOC on M4D 2013 A

491 views • 7 slides
Our approach to open source in the cloud Enable Integrate Release Contribute Engineering

Our approach to open source in the cloud Enable Integrate Release Contribute Engineering

Our approach to open source in the cloud Enable Integrate Release Contribute Engineering Field leadership: Youve leadership: added a couple Theres so more hours to my much to weekend reading learn assignment Media

290 views • 18 slides
Top-k Queries over Uncertain Scores Qing Liu, Debabrota Basu, Talel Abdessalem, St ephane

Top-k Queries over Uncertain Scores Qing Liu, Debabrota Basu, Talel Abdessalem, St ephane

Top-k Queries over Uncertain Scores Top-k Queries over Uncertain Scores Qing Liu, Debabrota Basu, Talel Abdessalem, St ephane Bressan CoopIS 2016 Qing Liu et.al. Top-k Queries over Uncertain Scores 1 / 19 Top-k Queries over Uncertain Scores

779 views • 57 slides
CTA Design Study CTA Design Study - Swiss Hardware Contributions - Swiss Hardware Contributions

CTA Design Study CTA Design Study - Swiss Hardware Contributions - Swiss Hardware Contributions

CTA Design Study CTA Design Study - Swiss Hardware Contributions - Swiss Hardware Contributions Isabel Braun Insttut for Partcle Physics, ETH Zrich CHIPP Plenary Meeting 2009, Appenberg Participating Institutes Participating Institutes

442 views • 16 slides
Indirect Searches for Dark Matter with CTA Brian Humensky, for the CTA Consortium Columbia

Indirect Searches for Dark Matter with CTA Brian Humensky, for the CTA Consortium Columbia

Aquarius, Springel et al. arXiv:0809.0898 Indirect Searches for Dark Matter with CTA Brian Humensky, for the CTA Consortium Columbia University Cosmic Visions, University of Maryland March 24, 2017 Dark Matter Cherenkov Telescope Array

812 views • 32 slides
MOBILITY TRENDS AND COVID-19 IN Northwestern University THE CITY OF CHICAGO Transportation

MOBILITY TRENDS AND COVID-19 IN Northwestern University THE CITY OF CHICAGO Transportation

MOBILITY TRENDS AND COVID-19 IN Northwestern University THE CITY OF CHICAGO Transportation Center PREPARED BY DIVYAKANT THALYAN AND HANI S. MAHMASSANI CONTACT: DR. HANI S. MAHMASSANI-- MASMAH@NORTHWESTERN.EDU AVAILABLE DATA FROM THE CITY OF

602 views • 9 slides

More recommend