Name: Hacker-Powered Data - Security Weaknesses and Embracing Risk With HackerOne
Start: 2021-12-29T17:00:00Z
End: 2021-12-29T17:26:02.000Z
Location: BrightTALK
Rating: 0

HackerOne closes the security gap between what organizations own and what they can protect. HackerOne's Attack Resistance Management blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo. In 2021, HackerOne was named as a ‘brand that matters’ by Fast Company.

Achieving actual attack resistance is hard. Security teams are stretched thin, attack surfaces are expanding, and digital threats are increasingly difficult to detect. Automated security can find vulnerabilities in unknown assets. However, visibility alone doesn’t drive meaningful remediation. Findings from automation often lack context and force security teams to spend time combing through false positives to find the few critical vulnerabilities that require fixing. In this session, Chris Evans, CISO and Chief Hacking Officer, and Alex Rice, CTO, will discuss his security strategy for combining the power of automated scanning with the security expertise of ethical hackers to drive down risk and achieve Attack Resistance Management for HackerOne.

How Human Experts Give you a Security Advantage

Join this fireside chat with Howard Holton, CTO of GigaOm, to learn how Pentest as a Service (PTaaS) aligns to modern digital business cycles and fits into a broader strategy for building resistance to attacks by cybercriminals. 

GigaOm’s Radar Report states that “PTaaS represents the revolution in the pentesting space that was long overdue.” PTaaS builds on the efficacy of penetration testing methods and adds modern SaaS-like features, such as an interface that clients access to review centralized findings—vulnerabilities that have been exploited, potentially in real-time, direct communications with pen testers, standardized testing methods, and integrations with other technologies.
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. 
Key takeaways:
-Today’s business practices require modern approaches to application security that can keep pace with changing digital landscapes and evolving threats, which is especially important for penetration testing.
-PTaaS is an emerging solution that benefits security operations teams with a SaaS platform for more efficient program and engagement management.
-Certain PTaaS providers leverage crowdsourced communities of ethical hackers, including vetted and certified pentesters, for greater diversity and scale in the pentester pool.

How Pentest as a Service Fits Into a Modern Application Security Strategy

On July 4th, 2022, Chief Digital and Artificial Intelligence Office (CDAO), Directorate for Digital Services (DDS), DoD Cyber Crime Center (DC3), and HackerOne publicly launched the Hack U.S. bug bounty challenge, allowing ethical hackers from around the globe to earn monetary rewards for reporting of critical and high vulnerabilities from within the DoD Vulnerability Disclosure Program (VDP) published scope.
 
Watch this webinar to hear Corben Leo, a security researcher from the Hack U.S. program, discuss:
-How the Hack U.S. Bug Bounty Challenge was performed
-Results of the Hack U.S. Bug Bounty Challenge
-Key differences between VDP's and bug bounty programs
-How both VDP's and bug bounty programs can benefit your agency

How Security Researchers Strengthen the DOD's Security

In this session, some of world’s top ethical hackers share everything you've ever wanted to know. Hear about their most exciting find, learn about their strategies for identifying the most critical bugs to your organizations, and find out about what makes a successful ethical hacking program from their point of view.

Key takeaways
- Understand what motivates ethical hackers
- Learn their strategies for identifying the most business-critical bugs
- Get the tips for running a program that top ethical hackers will want to work on

Ask a Hacker in 2023

52% of security-conscious enterprises in a recent HackerOne survey don’t know how much of their attack surface is secured, and not one respondent was confident their organization was fully in control of its attack surface.

Any veteran security leader can confirm that organizations rarely know the full extent of their IT infrastructure, but the use of hybrid and multi-cloud environments, adoption of microservice architectures, and inherited assets from mergers and acquisitions make the shortfall more extensive than IT teams could have imagined in the past.

In this webinar, cybersecurity veterans Michiel Prins, co-founder and head of professional services at HackerOne, and Naz Bozdemir, senior product marketing manager at HackerOne, demystify how organizations can gain control over their full attack surface and minimize exploitable risks.

This discussion will cover:
-The consequences of an expanding attack surface and incomplete visibility into it
-The role of Attack Surface Management (ASM) in modern security programs
-Important considerations when selecting an ASM partner
-The impact of combining automation with human security expertise

Outsmart Cybercriminals with Proactive Attack Surface Management

What’s your definition of a zero day? Exactly what a zero day is, and how one should be tackled when it comes to bug bounty, has been a contentious issue for years. Drawing on his experience at Project Zero and as a longstanding member of the hacking community, Chris will explore the evolution of zero days, from Stuxnet to Log4j. He will explain why zero days are not usually rewarded in bug bounty programs and why Log4j was unique in this regard, drawing on hacker and customer data and stories from the incident. Chris will share his philosophy on a ‘pay for value’ approach to zero days and how progressive CISOs can work alongside the hacking community to reduce the risk from zero-days, in whichever definition applies.

Why Isn’t Anyone Paying Bounties for Zero Days?

HackerOne has enhanced data visualization and analysis capabilities. For many bug bounty programs, the functionality available through the dashboards is sufficient. Some programs however want to utilize their bug bounty program data as input to external tools such as custom workflows, report delivery, and Machine Learning. This talk demonstrates step-by-step how the robust HackerOne API can be utilized to securely access your program's data to power these and many other external applications.

All Your Data Belongs to You

Traditionally pentesting has been slow and shallow, making it difficult for modern security organizations to keep pace with innovation and compliance demands. This, coupled with the frequency of security incidents, is making enterprise security teams realize the increasing need for on-demand access to high-quality pentesting resources—and traditional consulting firms are unable to deliver due to limited FTE teams, slow launch times, delayed results, and manual reporting efforts. In this session we will cover the advantages the HackerOne platform provides to customers conducting pentests, including an easy and fast way to scope and launch a pentest, real-time results so that your teams can remediate issues faster, and transparency and direct communication with pentesters during testing. We’ll also provide insights into the future of the HackerOne platform.

Running Scaleable and Efficient Pentesting Programs with HackerOne

As the vulnerability landscape changes through application deployment, cloud migrations, product launches, mergers and acquisitions, and more, detecting security risks before they become threats is critical to effectively defending your attack surface. Even when armed with security risk insights, what are the best ways to maximize efficacy and strengthen your security posture? 

Join Hyatt Hotels and DoD Cyber Crimes Center (DC3) to learn how they use vulnerability trends to inform security actions and apply those actions throughout the SDLC for a stronger security posture.

Strengthen Your Security Posture with a Continuous Cycle of Vuln Intelligence

Security vulnerabilities discovered in applications are almost always rooted in security flaws in source code. Here, weaknesses may be logical errors, missing validation, insufficient logging, poor secrets management, missing user permissions checks, unsafe string concatenation, misconfigurations, and much more. 

In this session, you'll learn the importance of incorporating secure code review in the software development lifecycle. While automated scans are helpful and powerful tools, they're no replacement for code review by human experts.

Secure Code Review: Catching Vulnerabilities at the Source

On February 9, The New York Times cybersecurity reporter Nicole Perlroth released the highly anticipated book, This is How They Tell Me The World Ends. Within, she reveals the untold story of the cyberweapons market — the most secretive, invisible, government-backed market on earth — and a first look at a new kind of global warfare.

In this session, HackerOne CTO Alex Rice will moderate a panel featuring Zoom Head of Assurance Sandra McLeod and Nicole Perlroth herself to explore these untold stories, discuss what the future holds for cybersecurity, delve into what enterprises can learn from government cybersecurity, and explore the role hackers play in the past and future of cyber defense, security compliance, and risk reduction.

This is How They Tell Me the World Ends

Security leaders often struggle to keep pace with the evolving nature of their attack surfaces. Many fall behind in their ability to identify and remediate critical vulnerabilities. Do you know where you stand?

Join this webinar to:
Gain insights from HackerOne’s application security testing benchmark analysis.
Learn how your security testing (both human-led and automated scans) stacks up against your peers’.
Use this knowledge to set realistic and achievable targets for application security testing at your organization.

App Security Testing Benchmarks - How Does Your Methodology Stack Up?

HackerOne CTO and Co-founder Alex Rice and Sales Engineering Manager Laurie Mercer dive into how organizations can reduce risk to their software supply chains through hacker-powered security and propose solutions for how to address vulnerabilities in open source software.

Securing the Software Supply Chain with Hacker-Powered Security

Is it possible to replace the cost of traditional penetration tests with a Hacker-Powered security program? Join our discussion with Forrester to discuss new application security trends, Forrester's Total Economic Impact Methodology, and their findings when it comes to traditional vs new approaches to cybersecurity.

Forrester Study on the Total Economic Impact of Crowdsourced Pen Tests

Security reviews and assessments can take a lot of effort and still not provide the results you are looking for, especially in the face of ever-expanding web portfolios and supply chain risk. Application security teams are already stretched thin. But doing automation right and knowing where and what to look for can save you time and money - and make your organization more secure. HackerOne - curator of the world’s largest ethical hacker community - and PortSwigger - creators of Burp Suite, the world’s leading toolkit for web security testing - bring you key learnings that will help you develop best practices and ensure you’re getting the most from your investments in web security.

This workshop will provide tips from two perspectives: Leanne Shapton - application security engineer at Shopify and Joel Noguera, white hat ethical hacker. Topics include:

- Shopify’s approach to incorporate security into product review processes to support the development of their app-store and marketplace
- How automated vulnerability scanning complements penetration testing, bug bounty programmes and other security processes
- Advice for how security teams can partner with software developers
- How to balance automation with human intuition
- How to identify weaknesses faster to spend more time on what matters

How to Perform Effective Web Application Security Assessments

Attack surfaces are expanding, spurred on by the continuous release of new digital services and business transformation. In this session, you will learn why it’s time to implement an attack resistance management strategy to find unknown risks missed by automated tools, then unlock the security expertise of ethical hackers to identify critical gaps and prioritize fixes for your exploitable assets.

About the Speaker:
Sean Ryan is a Sr. Principal, Product Marketing Manager at HackerOne, where he helps organizations to identify the gaps in their security posture and improve their attack resistance. Prior to joining HackerOne, Sean worked for a prominent industry analyst firm covering identity security, and before that he led the market & competitive intelligence practice for a Fortune 500 IT infrastructure and security software provider.

Build Resistance to Attacks by Unlocking the Value of Ethical Hackers

In this session, GitHub CSO Michael Hanley and HackerOne will explore how leveraging data can help security teams accelerate delivery.

DevSecOps: Bridging Security with Development

Vulnerabilities are a fact of life; risk comes with it. Today, companies, enterprises, & governments are embracing collaboration with hackers to find vulnerabilities before criminals have a chance to exploit them. Using 6 years of data from 1,300+ bug bounty programs & 100,000+ valid vulnerabilities, this talk offers new analysis of the most common vulnerabilities not found on the OWASP top 10.

Hacker-Powered Data - Security Weaknesses and Embracing Risk With HackerOne

Cyber Security

Hackerone

Vulnerability Intelligence

Vulnerability Management

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Hacker-Powered Data - Security Weaknesses and Embracing Risk With HackerOne

Presented by

About this talk

More from this channel