The flaws in hordes, the security in crowds
The crowdsourced security model has been embraced by organizations running bug bounty programs. These programs are designed to discover and resolve vulnerabilities in production apps, but too often they drift from being an effective part of the security development lifecycle into a source of noise. This presentation questions what role such programs have in improving security and the pitfalls they pose for security budgets. It covers strategies for keeping a program focused on positive, risk-based contributions to development and avoiding the traps that make it a distraction.
The presentation explores what the emergence of bounty programs implies about trends in appsec automation, where major gaps remain. Tools must remain part of any crowdsourced security model, just as there can be alternate strategies for selecting crowds to perform security testing. From budgeting to communications, there are more challenges to building a useful appsec program than just determining whether a bug exists.
This presentation shows various metrics collected from real-world data to help organizations determine how to make vulnerability discovery cost-effective and efficient, and how to reduce risk.