Name: Why Isn’t Anyone Paying Bounties for Zero Days?
Start: 2023-01-10T17:00:00Z
End: 2023-01-10T17:58:52.000Z
Location: BrightTALK
Rating: 5

HackerOne closes the security gap between what organizations own and what they can protect. HackerOne's Attack Resistance Management blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo. In 2021, HackerOne was named as a ‘brand that matters’ by Fast Company.

Grammarly Shares How It Pinpoints the Most Critical Flaws in Its Attack Surface with Help from Ethical Hackers.
As a company selling writing assistant software to enterprises, Grammarly understands that product security is not a one-and-done initiative. Join this executive fireside chat to hear directly from Grammarly’s CISO about the value they get from adversarial testing via the HackerOne platform and its legion of ethical hackers.

Alex Rice, CTO and Co-founder at HackerOne and Suha Can, CISO at Grammarly will discuss how bug bounty and penetration tests fit into Grammarly’s preemptive security programs and how Suha measures the value of these solutions.

Register for the webinar to discover:

-How to effectively leverage bug bounty and pentesting in your application security strategy.
-The value of working with a crowdsourced security platform.
-How to prove the value of preemptive security initiatives to your non-security stakeholders.

The Impact of Preemptive Security

A well-designed and purposefully run bug bounty program can have a tremendous impact on your organization's attack resistance. A few fundamental steps will help you hit the ground running, so you can successfully launch and maintain a high-performing bounty program.

In this webinar, HackerOne’s field experts will walk you through what you need to know, drawing on their firsthand experience planning bug bounty programs for organizations ranging from federal governments to SMBs and global enterprises. You’ll learn how they set up customers for success and how mature programs operate to derive maximum value.

Key takeaways:
- Pre-launch steps for an effective public or private bug bounty program
- Day-to-day operational practices to ensure consistent results and maximum ROI
- Real-world examples of how bug bounty programs drive hacker engagement and track results 
- How HackerOne Bounty can help reduce recurring vulnerabilities by up to 98% and enable organizations to release secure products faster

Frontline Tips for Managing a High-Performing Bug Bounty Program

Only 10% of IoT vendors disclose timelines for acknowledging and resolving reported threats—and a staggering 73% of consumer IoT companies are in breach of the Product Security and Telecommunications Infrastructure (PSTI) Act, with no vulnerability disclosure policy (VDP) at all.

David Rogers, MBE, chair of the Fraud and Security Group at the GSMA, and Laurie Mercer, Director of Solutions Engineering at HackerOne, discuss the state of vulnerability disclosure in global consumer IoT, and strategies you can adopt to implement a transparent, productive, and compliant VDP at your organization.

Key Takeaways:
-Understanding VDP policy trends and projections and how they affect you
-Learn which companies pass the disclosure threshold test (and which ones fail)
-Get policy recommendations for incentivizing security researchers
-Discover how IoT leaders like Samsung, Apple, and Panasonic structure their VDPs

The Critical Need for Vulnerability Disclosure in the IoT Security Landscape

Achieving actual attack resistance is hard. Security teams are stretched thin, attack surfaces are expanding, and digital threats are increasingly difficult to detect. Automated security can find vulnerabilities in unknown assets. However, visibility alone doesn’t drive meaningful remediation. Findings from automation often lack context and force security teams to spend time combing through false positives to find the few critical vulnerabilities that require fixing. In this session, Chris Evans, CISO and Chief Hacking Officer, and Alex Rice, CTO, will discuss his security strategy for combining the power of automated scanning with the security expertise of ethical hackers to drive down risk and achieve Attack Resistance Management for HackerOne.

How Human Experts Give you a Security Advantage

For the past six years, HackerOne has been surveying ethical hackers to get their perspective on the cybersecurity landscape, the evolution of risk, and what motivates them to help. The 2022 Hacker-Powered Security Report shines a light on the risks organizations face from an ever-expanding attack surface—and the trends uncovered by the most diverse community of security experts in the world.

Watch our webinar on-demand, featuring ethical hacker Jonathan Bouman and HackerOne’s Chris Evans (CISO), and Alex Rice (CTO) as they break down the report's findings—plus go beyond the report with specifics (and answers to your questions!) about how hackers can help you understand and protect your full attack surface.

Key takeaways:
—What motivates hackers and how do they approach finding vulnerabilities and reporting them to organizations.
—How HackerOne Top Ten Vulnerability data is evolving—and what that means for your security priorities.
—Benchmarking data on median and average bounty prices in your industry to inform your own program.
—Insights into the risks hackers find in key industries—from software to financial services, retail, automotive, and pharmaceuticals.

Live Analysis: 2022 Hacker Powered Security Report: Insights and Takeaways

Join this fireside chat with Howard Holton, CTO of GigaOm, to learn how Pentest as a Service (PTaaS) aligns to modern digital business cycles and fits into a broader strategy for building resistance to attacks by cybercriminals. 

GigaOm’s Radar Report states that “PTaaS represents the revolution in the pentesting space that was long overdue.” PTaaS builds on the efficacy of penetration testing methods and adds modern SaaS-like features, such as an interface that clients access to review centralized findings—vulnerabilities that have been exploited, potentially in real-time, direct communications with pen testers, standardized testing methods, and integrations with other technologies.
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. 
Key takeaways:
-Today’s business practices require modern approaches to application security that can keep pace with changing digital landscapes and evolving threats, which is especially important for penetration testing.
-PTaaS is an emerging solution that benefits security operations teams with a SaaS platform for more efficient program and engagement management.
-Certain PTaaS providers leverage crowdsourced communities of ethical hackers, including vetted and certified pentesters, for greater diversity and scale in the pentester pool.

How Pentest as a Service Fits Into a Modern Application Security Strategy

On July 4th, 2022, Chief Digital and Artificial Intelligence Office (CDAO), Directorate for Digital Services (DDS), DoD Cyber Crime Center (DC3), and HackerOne publicly launched the Hack U.S. bug bounty challenge, allowing ethical hackers from around the globe to earn monetary rewards for reporting of critical and high vulnerabilities from within the DoD Vulnerability Disclosure Program (VDP) published scope.
 
Watch this webinar to hear Corben Leo, a security researcher from the Hack U.S. program, discuss:
-How the Hack U.S. Bug Bounty Challenge was performed
-Results of the Hack U.S. Bug Bounty Challenge
-Key differences between VDP's and bug bounty programs
-How both VDP's and bug bounty programs can benefit your agency

How Security Researchers Strengthen the DOD's Security

In this session, some of world’s top ethical hackers share everything you've ever wanted to know. Hear about their most exciting find, learn about their strategies for identifying the most critical bugs to your organizations, and find out about what makes a successful ethical hacking program from their point of view.

Key takeaways
- Understand what motivates ethical hackers
- Learn their strategies for identifying the most business-critical bugs
- Get the tips for running a program that top ethical hackers will want to work on

Ask a Hacker in 2023

52% of security-conscious enterprises in a recent HackerOne survey don’t know how much of their attack surface is secured, and not one respondent was confident their organization was fully in control of its attack surface.

Any veteran security leader can confirm that organizations rarely know the full extent of their IT infrastructure, but the use of hybrid and multi-cloud environments, adoption of microservice architectures, and inherited assets from mergers and acquisitions make the shortfall more extensive than IT teams could have imagined in the past.

In this webinar, cybersecurity veterans Michiel Prins, co-founder and head of professional services at HackerOne, and Naz Bozdemir, senior product marketing manager at HackerOne, demystify how organizations can gain control over their full attack surface and minimize exploitable risks.

This discussion will cover:
-The consequences of an expanding attack surface and incomplete visibility into it
-The role of Attack Surface Management (ASM) in modern security programs
-Important considerations when selecting an ASM partner
-The impact of combining automation with human security expertise

Outsmart Cybercriminals with Proactive Attack Surface Management

HackerOne has enhanced data visualization and analysis capabilities. For many bug bounty programs, the functionality available through the dashboards is sufficient. Some programs however want to utilize their bug bounty program data as input to external tools such as custom workflows, report delivery, and Machine Learning. This talk demonstrates step-by-step how the robust HackerOne API can be utilized to securely access your program's data to power these and many other external applications.

All Your Data Belongs to You

Traditionally pentesting has been slow and shallow, making it difficult for modern security organizations to keep pace with innovation and compliance demands. This, coupled with the frequency of security incidents, is making enterprise security teams realize the increasing need for on-demand access to high-quality pentesting resources—and traditional consulting firms are unable to deliver due to limited FTE teams, slow launch times, delayed results, and manual reporting efforts. In this session we will cover the advantages the HackerOne platform provides to customers conducting pentests, including an easy and fast way to scope and launch a pentest, real-time results so that your teams can remediate issues faster, and transparency and direct communication with pentesters during testing. We’ll also provide insights into the future of the HackerOne platform.

Running Scaleable and Efficient Pentesting Programs with HackerOne

As the vulnerability landscape changes through application deployment, cloud migrations, product launches, mergers and acquisitions, and more, detecting security risks before they become threats is critical to effectively defending your attack surface. Even when armed with security risk insights, what are the best ways to maximize efficacy and strengthen your security posture? 

Join Hyatt Hotels and DoD Cyber Crimes Center (DC3) to learn how they use vulnerability trends to inform security actions and apply those actions throughout the SDLC for a stronger security posture.

Strengthen Your Security Posture with a Continuous Cycle of Vuln Intelligence

Security vulnerabilities discovered in applications are almost always rooted in security flaws in source code. Here, weaknesses may be logical errors, missing validation, insufficient logging, poor secrets management, missing user permissions checks, unsafe string concatenation, misconfigurations, and much more. 

In this session, you'll learn the importance of incorporating secure code review in the software development lifecycle. While automated scans are helpful and powerful tools, they're no replacement for code review by human experts.

Secure Code Review: Catching Vulnerabilities at the Source

On February 9, The New York Times cybersecurity reporter Nicole Perlroth released the highly anticipated book, This is How They Tell Me The World Ends. Within, she reveals the untold story of the cyberweapons market — the most secretive, invisible, government-backed market on earth — and a first look at a new kind of global warfare.

In this session, HackerOne CTO Alex Rice will moderate a panel featuring Zoom Head of Assurance Sandra McLeod and Nicole Perlroth herself to explore these untold stories, discuss what the future holds for cybersecurity, delve into what enterprises can learn from government cybersecurity, and explore the role hackers play in the past and future of cyber defense, security compliance, and risk reduction.

This is How They Tell Me the World Ends

Security leaders often struggle to keep pace with the evolving nature of their attack surfaces. Many fall behind in their ability to identify and remediate critical vulnerabilities. Do you know where you stand?

Join this webinar to:
Gain insights from HackerOne’s application security testing benchmark analysis.
Learn how your security testing (both human-led and automated scans) stacks up against your peers’.
Use this knowledge to set realistic and achievable targets for application security testing at your organization.

App Security Testing Benchmarks - How Does Your Methodology Stack Up?

HackerOne CTO and Co-founder Alex Rice and Sales Engineering Manager Laurie Mercer dive into how organizations can reduce risk to their software supply chains through hacker-powered security and propose solutions for how to address vulnerabilities in open source software.

Securing the Software Supply Chain with Hacker-Powered Security

Is it possible to replace the cost of traditional penetration tests with a Hacker-Powered security program? Join our discussion with Forrester to discuss new application security trends, Forrester's Total Economic Impact Methodology, and their findings when it comes to traditional vs new approaches to cybersecurity.

Forrester Study on the Total Economic Impact of Crowdsourced Pen Tests

What’s your definition of a zero day? Exactly what a zero day is, and how one should be tackled when it comes to bug bounty, has been a contentious issue for years. Drawing on his experience at Project Zero and as a longstanding member of the hacking community, Chris will explore the evolution of zero days, from Stuxnet to Log4j. He will explain why zero days are not usually rewarded in bug bounty programs and why Log4j was unique in this regard, drawing on hacker and customer data and stories from the incident. Chris will share his philosophy on a ‘pay for value’ approach to zero days and how progressive CISOs can work alongside the hacking community to reduce the risk from zero-days, in whichever definition applies.

Why Isn’t Anyone Paying Bounties for Zero Days?

Cyber Attacks

Hackers

attack surface

Cloud Security

Ransomware

security vulnerabilities

Log4j

Hackerone

Stuxnet

Risk

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Why Isn’t Anyone Paying Bounties for Zero Days?

Presented by

About this talk

More from this channel