Expert Panel: Bug Bounty Trends and What They Mean

Last year saw dramatic shifts in the cybersecurity landscape. The number of data breaches and cyber-attacks is skyrocketing. CISOs and security leaders are struggling to find and invest in the best approaches to combat cybercrime for their organizations.

Traditional application security testing methods just aren’t cutting it anymore, leaving so many organizations vulnerable. To get a better understanding on what is top of mind for cyber security leaders this year, we surveyed more than 250 CISOs, CIOs, CTOs and CIOs across different industries and regions.

Join our live CISO panel discussion which will outline this year’s top security goals and concerns:

1. Overcoming cybersecurity resource shortages
2. Managing increasingly complex tools and proving their ROI
3. Addressing perceived concerns in running a VDP or Bug Bounty Program

Featuring:
David Baker, CSO, Bugcrowd
Geoff Poer, CISO, Chronos
Martin Rues, CISO, Outreach.io
Maxime Rousseau, CSO, Personal Capital

There is no silver bullet against targeted and enduring attacks, and the reality is that if an external threat has enough resources at its disposal there is nothing that will make companies 100% protected.

Now more than ever, companies need to reexamine how they think about cybersecurity, empower their security teams, and prioritize security programs against competing internal initiatives.

Building and maintaining the appropriate mix of cybersecurity resources, processes, and company-wide emphasis can be a challenge for all companies regardless of their size or security maturity.

Register now to learn 3 core lessons learned from the Equifax data breach, and why many security leaders are adding Vulnerability Disclosure programs to patch vulnerabilities faster, give visibility and priority to known issues, and refine their SDLC.



About Bugcrowd:
The pioneer and innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of more than 65,000 security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity.

Security vendor products are held to a higher standard of security—and for good reason as the very existence of their organization could be at risk due to a vulnerability. Many of these vendors are turning to bug bounty programs to not only find any vulnerabilities in their products and services, but also to provide assurance to their clients.

Join our CISO panel for a live discussion on the following topics:
1. Protecting complex environments and highly sensitive data
2. Overcoming cybersecurity resource shortages
3. Achieving security coverage at scale

Featured speakers:
Alvaro Hoyos, CISO @ OneLogin
Dave Farrow, Sr Dr., Information Security @ Barracuda Networks
David Baker, CSO @ Bugcrowd, formerly CISO @ Okta
Gene Meltser, Enterprise Security Architect @ Sophos

Traditional methods for vulnerability discovery are failing us. With rapidly expanding attack surfaces, motivated adversaries, and the growing shortage of full-time infosec professionals, organizations are fighting a losing battle. One thing is clear: We need a new approach.

Enter the Bug Bounty model. Bug bounties have quickly evolved from a “nice to have” to a “must have” for most application security teams.

What’s behind this trend? Why are bug bounties growing, and why now?

Join our expert panel as we discuss the key findings from The 2017 State of Bug Bounty Report.

Speakers:
- Casey Ellis, Founder & CEO of Bugcrowd
- Jeremiah Grossman, Chief of Security Strategy at SentinelOne
- HD Moore, Founder of The Metasploit Project

In the past several years, bug bounty programs have disrupted the pen test norm, and provide organizations with a robust and all-encompassing security assessment solution. Instructure, the company behind Canvas Learning Management System (LMS), made the switch three years ago and have never looked back.

In this webinar, we will explore...
• Why Instructure replaced their last three penetration tests and the results they’ve found
• The three fundamental differences between the penetration testing model and the bug bounty model
• How organizations running bug bounty programs have seen improved results in both volume and quality in vulnerability submissions

Security vendor products are held to a higher standard of security—and for good reason as the very existence of their organization could be at risk due to a vulnerability. Many of these vendors are turning to bug bounty programs to not only find any vulnerabilities in their products and services, but also to provide assurance to their clients.

Join our security panel for a live discussion on the following topics:
1. What unique appsec challenges come along with complex & high-risk environments
2. How to design security programs to provide robust coverage of those technologies
3. Why bug bounties were so quickly adopted within the security industry
4. Open Q&A with the panelists

Featured speakers:
Alvaro Hoyos, Chief Security Officer @ OneLogin
David Farrow, Sr Director, Information Security @ Barracuda Networks
David Baker, VP Operations @ Bugcrowd, formerly CISO @ Okta
Gene Meltser, Enterprise Security Architect @ Sophos

Bugcrowd surveyed 100 CISOs and security decision makers and found that today’s application security teams are facing 3 distinct issues that lead to vulnerability:

1. Active and efficient adversaries
2. A ballooning attack surface
3. Cybersecurity resource shortage

When combined, these adverse conditions form a ‘vulnerability cycle’ – leaving organizations susceptible to a breach or worse.

View this ondemand webinar to:

- Get plans to combat these 3 issues in 2017
- Learn how to dissect each component of the vulnerability cycle
- Discover security tools and best practices
- Find out top CISO investments for 2017

Bug Bounty programs are critical to the security programs of thousands of organizations, but many still have not embraced them. Join security leader Johnathan Hunt, VP Information Security at InVision, Paul Ross, SVP of Marketing at Bugcrowd to discuss why that situation must change, through topics including:

- How a security expert changed his mind about bug bounties
- Why no bug bounty means missed vulnerabilities
- How Bugcrowd finds a P1 bug every 27 hours

We will explore InVision’s bug bounty experience from conception to being critical to their customers’ confidence in their security.

*Register for the webinar now*

“Whether or not you’re going to have the good guys working for you or not, doesn’t mean the bad guys are going to stop working”

- Johnathan Hunt, Invision

Over the past twelve months we’ve witnessed a shift in how companies are tackling their application security challenges. Join a CISO, an AppSec guru, and IoT security expert to hear industry leading perspectives on the trends that have emerged over the past year, and what to look forward to in the next.

Our all-star panel of industry experts includes Jeremiah Grossman, Founder of WhiteHat Security and Chief of Security Strategy with SentinelOne, Daniel Miessler, Project Leader: OWASP IoT Security Project and Richard Rushing, CISO at Motorola Mobility, for a discussion on what trends every security professional needs to be aware of for 2017.

The critical trends you need to know about will include:
• How crowdsourcing security assessment will improve pen testing in 2017
• Why IOT security is becoming every CISO’s problem
• How will AI and Machine Learning impact protecting your company’s fate?

Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world.

When you attend this webinar you will:

- Learn if a bug bounty program is right for your organization
- Understand if a bug bounty encourages hackers to attack your systems
- Explore the real benefits of bug bounty programs – and find out if they actually work
- Get insight on whether these programs are too hard and costly to manage

Bug bounty programs are moving from the realm of novelty towards becoming best practice. While bug bounty programs have been used for over 20 years, widespread adoption by enterprise organizations has just begun to take off within the last few. Bug bounty programs have increased 210% percent since 2013.

Bug bounties provide an opportunity to level the cybersecurity playing field, strengthen the security of products, and cultivate a mutually rewarding relationship with the security researcher community.

Join Bugcrowd, SANS, and a customer panel as we discuss the momentum behind crowdsourced security.

Topics covered:
1. How bug bounties fit with a robust security strategy
2. Why bug bounties are being adopted by all types of organizations
3. How Okta saved the equivalent cost of two full-time employees with Bugcrowd

Our 2016 State of Bug Bounty Report announced that bug bounty programs adoption has increased 210% since 2013.

As more and more companies leverage the capabilities of the global researcher community to identify critical vulnerabilities, we must ask...has the bug bounty economy reached a tipping point?

Join Bugcrowd as we unpack the top trends in crowdsourced cybersecurity and review the key findings from The State of Bug Bounty Report 2016.

Register to learn:
- Bug bounties, defined: Quick history and evolution
- What motivates a bug hunter
- Maturity of the bug bounty economy

This guest webcast features Jake Kouns of Risk Based Security and Christine Gadsby of Blackberry who will be giving their Black Hat 2016 talk, analyzing the real risk of using OSS and the best way to manage its use within your organization.

Through real world examples and personal experience, the speakers will...
- Examine the current hype around OSS, highlighting what organizations should be the most concerned about, and how to evaluate the true cost of using OSS
- Explore how to utilize learnings from your incident response function to create smarter products and avoid maintenance costs of OSS
- Introduce a customized OSS Maturity Model and walk through the stages of organizational maturity with regards to how they prioritize and internalize the risk presented by OSS

Learn more about Jake Kouns:
https://www.blackhat.com/us-16/speakers/Jake-Kouns.html

Learn more about Christine Gadsby:
https://www.blackhat.com/us-16/speakers/Christine-Gadsby.html

Catch Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.

In our wired, connected world, software flaws are inevitable – so why not utilize the nature of our connected world to work with a distributed immune system made up of thousands of security researchers? This webcast will provide in-depth analysis based on extensive academic research, conversations with CISOs experienced in running such programs, and the security researcher community.

In this webinar, we will highlight the business, technology, and organizational values companies derive from these bug bounty programs. Finally, the talk will identify the common myths, fears and barriers for participation, and suggest recommendations to counter these barriers.

Key Takeaways:
- Bug Bounty program evolution and myth busting
- Lessons from Barracuda’s Bug Bounty program
- How businesses and technology derive value from bug bounty programs
- The art of running a successful & effective bug bounty program