Internal Bug Hunts: Squashing Security Bugs on a Budget

Far too often, testing software for security flaws falls into the “nice-to-have” category, taking a backseat to the demands of the marketplace and inflexible feature release schedules. In addition to the expense of hiring an outside security testing team, testing for and fixing obscure security bugs is a brake on an engineer’s ability to put new code in the hands of their customers. Fortunately, there is a workaround to this dilemma that will allow you to promote application security awareness while helping to reduce security bugs in your applications.

An internal bug hunt contest - in which your employees compete for prizes by finding and reporting security bugs - enables you to harness the creativity and problem-solving skills of your workforce while reducing security bugs in your applications. It can also help promote a culture of security awareness - without a large security testing budget.

An internal bug hunt contest can help you:

• Find and remediate vulnerabilities before external entities can exploit them
• Provide a safe platform for your application owners to test for security bugs
• Promote application security awareness
• Engage employees outside of the central security team who want to explore the security domain

In this webcast, you will learn how an internal bug bounty program can help you find security flaws in your applications before criminals or spies, while improving the security culture at your company.
Recorded Sep 19 2017 47 mins
Presented by
Pieter Ockers - Sr Program Manager at Adobe

  • How to Phish Your Employees For Functional Security Oct 18 2018 4:00 pm UTC 60 mins
    Josh Green of Duo Security
    More than 90% of reported data breaches and security incidents in 2016 involved a successful phishing attack*. Attackers rely on phishing as a primary strategy because it continues to be both effective and efficient, as users remain the most vulnerable attack vector.

    The best defense against phishing is proactively educating your users, through a shame-free campaign that prepares them for real-world phishing attempts. Along with teaching your users what to watch for, an internal phishing exercise can result in faster user reports of possible phish attempts and reinforce your security response plan.

    In this webinar, you will learn how to:

    - Quickly and easily assess your security posture
    - Help build the business case for addressing your organization’s security needs
    - Build and deploy effective phishing simulations within minutes
    - Identify vulnerable users and devices
    - Increase the speed of user reporting for possible phishing messages

    * Verizon 2017 Data Breach Investigations Report, page 30
  • Discovering a Competitive Advantage with ISO 27001 Certification Oct 11 2018 5:00 pm UTC 60 mins
    Jason Eubanks, CRISC, ISO 27001 Lead Auditor, Principal Consultant, Lockpath
    Organizations with mature, enterprise-wide information security risk management programs enjoy a competitive advantage, thanks to ISO 27001 certification that signifies an international standard for safeguarding information. In this webinar, Lockpath's Jason Eubanks, a governance, risk management, and compliance (GRC) consultant and former ISO auditor, will share the business case for earning ISO 27001 certification and the critical role of technology in implementing a successful information security management system (ISMS).

    You'll learn:
    • Challenges and pitfalls with ISO 27001 certification
    • Tips on establishing and maturing an ISMS
    • Strategies for preparing for and passing ISO audits
    • Technology's role in earning and maintaining certification

    Learn how ISO 27001 can give you a competitive advantage and strategies for earning certification. Register now to attend this educational webinar.
  • Crypto Conflagration and Securing the Cryptocurrency Ecosystem Oct 4 2018 4:00 pm UTC 60 mins
    Chris Wysopal, Co-Founder and Chief Technology Officer at CA Veracode
    Not only do cryptocurrencies rely on blockchain for their security, but they also rely on an ecosystem of software that runs exchanges, wallets, smart contracts and more. This software ecosystem, as well as the infrastructure on which it runs, must be secure. Whether you are a builder, investor, or consumer, this webinar will help you learn how to identify the vulnerable aspects of the software that powers the cryptocurrency ecosystem - and how to avoid them.
  • Past the Perimeter: Earned Access Through A Zero-Trust Model Sep 27 2018 4:00 pm UTC 60 mins
    Zoe Lindsey of Duo Security
    Users whose digital lives are increasingly mobile don’t want to be tied to their desks, and an effective security strategy must be flexible enough to protect access from boardrooms and bars, cubicles and coffee shops alike. To do this, companies must ensure that users and their devices meet the same security controls, whether they’re outside or inside the network perimeter.

    Duo adopted the “zero-trust network” model to solve this challenge. All networks and devices are treated as untrusted until proven otherwise, and their health is checked each time a user connects to a protected resource. This approach depends on visibility into whether basic device and network security standards are met. It also requires the ability to enforce granular policy controls based on the results of that health check.

    The perimeter is disappearing, and it’s not coming back… find out how you can get a head start on what’s next.
  • Cloud–delivered Security: Why It’s Your Best Bet Recorded: Sep 20 2018 48 mins
    Greg Mayfield of Tenable
    On-prem vs Cloud-based security? It’s an ongoing debate that SecOps teams face daily.

    With cloud adoption continuing to be a top business initiative, SecOps teams must adapt or risk falling behind. As most on-prem security tools don’t work in the cloud and suffer limitations, SecOps teams are faced with a myriad of new technologies and tools to implement to protect their critical assets. This can be overwhelming as numerous options abound.

    As the attack surface evolves and expands in the cloud, understanding the current state of assets and assessing their risk is an essential first step. Achieving continuous visibility and protection is then the following challenge. This webinar will discuss the opportunities and benefits that SecOps teams face by utilizing cloud-delivered security solutions vs. traditional on-prem solutions.
  • Can the Maturity of Your Cloud Security Strategy Make or Break Your Organization Recorded: Sep 13 2018 65 mins
    Scott Hogrefe, VP of Marketing at Netskope, and Doug Cahill, Senior Analyst at ESG
    New research from Enterprise Strategy Group and Netskope shows that there are business ramifications when it comes to your approach to cloud security.

    Join senior ESG cybersecurity analyst Doug Cahill and Netskope VP Marketing Scott Hogrefe for this webinar to get a deep dive into this research and understand how being a cloud "Discoverer," "Controller," or "Enabler" can make a difference for your organization and your career.

    What you'll learn by attending this webinar:
    - Find out if the risks from threats or data loss increase as you change your strategy
    - Understand the steps other organizations are taking to improve the maturity of their cloud security strategy
    - See how you compare to other organizations
  • Improving Cloud Hygiene Recorded: Sep 6 2018 56 mins
    Scott Pack, Lead Cloud Security Engineer, and Dhwaj Agrawal, Computer Scientist at Adobe
    As one of the first companies to commit wholly to the cloud, we have learned a lot about how to keep our security hygiene levels up even as we support rapid development and deployment cycles. Part of this effort is the development of an internal tool called MAVLink. MAVLink enables us to collect and analyze security data from our cloud infrastructure providers, provide context for application and log data sources, and collect evidence of security controls to make the best decisions possible in keeping Adobe and our customers safe from threats.

    This presentation will discuss…
    - Why we developed MAVLink
    - MAVLink's major capabilities
    - How MAVLink integrates with our cloud infrastructure providers including AWS and Microsoft Azure
    - How we are using MAVLink to constantly improve our cloud hygiene

    We hope this information will be useful to you as you consider your own best practices and tooling around cloud applications. It will be a serverless cross-cloudy security adventure!
  • How Identity Fits Into a Security-First Approach Recorded: Aug 29 2018 49 mins
    Mark Bowker, Senior Analyst at Enterprise Strategy Group and Swaroop Sham, Senior Product Marketing Manager at Okta
    Securing your workforce and users, in the cloud, and on the go can be difficult. A recent Enterprise Strategy Group (ESG) survey discovered that for nearly 75% of organizations, a username and password was the only barrier between a determined attacker and access to your critical resources.

    Identity Access Management (IAM) can help you drive a security-first approach with usability that your users love and authentication strategies that match your business needs. But IAM doesn’t always have a clear owner.

    Join this webinar featuring Enterprise Strategy Group, Senior Analyst, Mark Bowker, and Okta to discover how:
    - Adaptive multi-factor authentication (MFA) benefits your users and admins
    - Identity protects cloud and on prem applications
    - To go beyond MFA to manage secure access
    - Identity fits and integrates into your IT and Security stacks
  • Managing Top 6 Risks with Cloud Service Providers Recorded: Aug 21 2018 44 mins
    Cliff Turner, Senior Solutions Architect at CloudPassage
    In this webinar, we'll cover the following:

    • Review the top six risks with today’s cloud service providers.
    • We will analyze these risks, consider the business impact and show you how to proactively manage cloud risk by automating security for your cloud management accounts.
    • We will use the AWS CIS foundation benchmarks and the CIS Controls to guide our selection of examples for our discussion.
    • With a growing attack surface, it’s important to be aware of the risks associated with cloud technology in order to secure and manage it properly.
  • A Path to Achieving Network Security ZEN Recorded: Aug 14 2018 57 mins
    Den Jones, Director – Enterprise Security, Adobe
    Finding a balance between a pleasant user experience and stringent security requirements can be a challenge. The need to use a certain username and password for some services while saving additional credentials for other services can contribute to a headache for both security pros and users. Is it even possible to balance security and enhancement of the overall user experience? Adobe believes this is possible. We want to help you achieve this balance by sharing our framework known as Project “ZEN.”
    Project ZEN at Adobe is an initiative based upon principles found in zero-trust frameworks. Since there is no “off-the-shelf” solution to fully deliver on these principles today, ZEN is an investment in pioneering technology and policies to make the path to a zero-trust network more efficient and attainable.

    In this session you will: (a) learn about the principles behind Adobe ZEN, (b) understand the Adobe experience so you can start your own journey by leveraging existing security technology investments and targeted automation technologies, and (c) explore common issues you might encounter along the journey, with guidance on overcoming those issues.
  • Next Step – Securing IaaS (AWS, Azure, GCP) Recorded: Aug 9 2018 38 mins
    Brandon Cook of McAfee
    According to Gartner, the IaaS market grew at a blistering 42.8% in 2017 - twice as fast as SaaS. But, despite last year’s AWS data exposures at Verizon, the RNC, and Dow Jones, most cloud security projects focus on SaaS.

    We’ve worked with AWS and hundreds of IaaS security professionals to develop a tried and true practice specifically designed to protect IaaS environments and the applications and data within them. Join this session and discover:
    - Common yet preventable scenarios that result in the loss of corporate data from AWS, Azure and GCP
    - IaaS security best practices for: security configuration auditing, S3 data loss prevention operations, user and admin behavior monitoring, and threat prevention
    - Step-by-step guidance on how to gain visibility across all workloads, protect against advanced threats, and discover insights into lateral threat movements
    - Recommendations for creating a successful DevOps workflow that integrates security
  • Extending Network Security Visibility into the Cloud Recorded: Aug 7 2018 54 mins
    Anner Kushnir, VP of Technology at AlgoSec
    Enterprises are taking advantage of the economies of scale of cloud computing and migrating applications to public and private clouds. The new technology offers many advantages, but also requires taking a step back and evaluating whether existing network security tools and processes are relevant and effective in these new environments. To maintain their security posture, network security professionals need unified visibility and control as deployments spread to and across clouds. This is critical both to ensure that cloud payloads are protected against the growing number of attacks and breaches and also to satisfy regulatory compliance requirements such as PCI, HIPAA and NERC.

    In this webinar, Anner Kushnir, VP of Technology at AlgoSec, will share insights on the latest cloud security technologies and best practices for maintaining full-blown corporate security governance as enterprises deploy their applications in the cloud. Attendees will learn:
    • How to quickly bring enterprise network security best practices to cloud and hybrid deployments
    • How to gain full visibility into cloud network topology and filtering
    • How to proactively uncover gaps in the compliance posture
    • How to ensure continuous compliance as part of policy change management
  • Eliminating Security Blind Spots in your AWS Environments Recorded: Jul 31 2018 38 mins
    Edward Smith of CloudPassage
    As consumption of cloud services increases, security teams struggle to maintain visibility of the cloud assets in use across multiple environments throughout the enterprise. In fact, 43% of security pros say lack of visibility into cloud environments is their biggest operational headache. Cloud defenders struggle to answer two simple but important questions: what do I have, and is it secure? The only way to answer these critical questions is with comprehensive security visibility of your AWS public cloud environments.

    Join us for this webinar to learn how to regain security visibility across all of your AWS accounts and how to:
    - Automatically discover all of your AWS assets in use across accounts, services, and regions
    - Reduce your attack surface by identifying and remediating security issues
    - Find and respond to hidden risks by assessing both the control plane and data plane
  • Reducing Risk in Public Cloud Environments Recorded: Jul 24 2018 50 mins
    Greg Mayfield, Director of Product Marketing, Tenable
    As organizations adopt their multi-cloud and hybrid cloud strategies, continuous visibility and protection of these dynamic cloud workloads remains the #1 challenge for security teams. It’s essential to gain live visibility into AWS, Azure and Google Cloud Platform assets in order to continuously assess cloud infrastructure to detect vulnerabilities, malware and misconfigurations.

    This webinar will benefit SecOps teams by highlighting how they can obtain a unified view into cyber risk across their cloud environment to better prioritize response and mitigation. The discussion will highlight processes and tools to eliminate blind spots, secure cloud assets and applications and better integrate with CI/CD processes for fast and efficient remediation.
  • Avoiding the Dreaded DNS Hijack Recorded: Jul 12 2018 40 mins
    Dhivya Chandramouleeswaran of Adobe
    With increasing adoption of cloud services by organizations, there is unfortunately often an absence of decommissioning checks when such services are no longer in use. It is often up to developers and operations teams to properly clean them up. DNS records pointing to deleted cloud artifacts - not yet purged from name servers - create dangling DNS records. When these artifacts have the potential to be reclaimed by nefarious actors, organizations may become vulnerable to domain hijacking and subdomain takeover attacks.

    In this webinar, Dhivya will discuss:
    - How DNS hijacks differ from domain hijacks
    - Alternatives for identification of expired cloud artifacts
    - Attack mechanisms that may be used
    - Possible monitoring schemes and tools organizations can implement
    - Defensive measures to prevent dangling records and subdomain takeovers
  • A GDPR Compliance & Preparation Report Card Recorded: Jun 27 2018 51 mins
    Neil Thacker, CISO, EMEA -- Netskope
    With the General Data Protection Regulation (GDPR) now enforceable, organizations around the world have both interpreted and incorporated new and amended regulatory requirements into their security policies and programs. Join Neil Thacker, CISO, EMEA at Netskope for a discussion of our recent study with the Cloud Security Alliance on how organizations have prepared for meeting the requirements of the GDPR and what has been the initial impact on their businesses.

    Session topics will include:
    · Preparation for the GDPR including budget and personnel
    · Frameworks organizations are using to comply with the GDPR
    · Company demographics, challenging articles and convergence of security, data protection and privacy roles
  • User Behavior Study Screams the Need for Backup Recorded: Jun 26 2018 32 mins
    Aimee Simpson of Code42
    Digital transformation efforts won’t be successful unless IT accounts for the human element: workforce behavior. What’s the relationship between endpoint devices and employee work habits? We dug into the data to find out.

    In a new research study, Code42 examined data storage behavior across more than 1,200 laptops to learn how users get their work done–what files they create, where they store them, and how they share and interact with their data.

    Watch the webinar to learn:
    - The results of the research study on user behavior
    - The user work styles we found consistent across all organizations
    - The types of files users put most at risk of loss, theft or breach
    - Best practices for mitigating the risk of digital transformation efforts
  • A Path to Achieving Network Security ZEN Recorded: Jun 21 2018 47 mins
    Den Jones, Director – Enterprise Security, Adobe
    Finding a balance between a pleasant user experience and stringent security requirements can be a challenge. The need to use a certain username and password for some services while saving additional credentials for other services can contribute to a headache for both security pros and users. Is it even possible to balance security and enhancement of the overall user experience? Adobe believes this is possible. We want to help you achieve this balance by sharing our framework known as Project “ZEN.”
    Project ZEN at Adobe is an initiative based upon principles found in zero-trust frameworks. Since there is no “off-the-shelf” solution to fully deliver on these principles today, ZEN is an investment in pioneering technology and policies to make the path to a zero-trust network more efficient and attainable.

    In this session you will: (a) learn about the principles behind Adobe ZEN, (b) understand the Adobe experience so you can start your own journey by leveraging existing security technology investments and targeted automation technologies, and (c) explore common issues you might encounter along the journey, with guidance on overcoming those issues.
  • Taming the Cloud Together – CCSP & CCSK Cloud Certification Synergy Recorded: Jun 12 2018 58 mins
    David Shearer, CEO, (ISC)2; Jim Reavis, CEO, CSA; Kevin Jackson, GovCloudNetwork; Rich Mogull, Securosis; B. Dunlap (Mod)
    Certain things go together to make the sum of their parts that much better. Peanut Butter and Jelly. Lennon and McCartney. Batman and Robin. In the ever-changing world of the cloud, cyber security professionals need continuous training and certifications to stay up-to-speed, and pairing (ISC)2’s CCSP (Certified Cloud Security Professional) with CSA’s CCSK (Certificate of Cloud Security Knowledge) can put any cyber security practitioner ahead in terms of knowledge, skills and job opportunities. On June 12, 2018 at 1:00PM Eastern, join David Shearer, (ISC)2’s CEO, and Jim Reavis, CSA’s CEO, along with other subject matter experts as we explore the differences between each program, the training options available for each, and how these programs are synergistic in nature and together were designed to build on one another.
  • The Evolution of Zero Trust Security: Next Gen Access Recorded: Jun 7 2018 28 mins
    Nick Fisher, Security Product Marketing at Okta
    As breaches fill the headlines, more organizations are adopting a Zero Trust security model and its key principle of "never trust, always verify." Modern implementations of this model are focusing on "Next Gen Access," where identity and authentication can greatly enhance your security posture with less complexity than network-based solutions. Join Nick Fisher of Okta where we’ll discuss how companies today are having success taking a Zero Trust approach to security.
Educational series on cloud computing, security and privacy.
CSA CloudBytes was launched as a webinar series to help us educate the industry on all matters related to the cloud. Our channel is designed to inform our audience about trending topics, new technologies, and latest research. It also allows audience members the opportunity to earn (ISC)2 CPE Credits.

Learn more at cloudsecurityalliance.org. Join the Cloud Security Alliance on LinkedIn and follow us on twitter: @cloudsa, @CSAResearchGuy
