Closing Keynote: Measuring and maximizing vuln discovery efforts

Speaker: Mike Shema, VP of SecOps and Research, Cobalt.io

The crowdsourced security model has been embraced by organizations running bug bounty programs. These programs are intended to discover and resolve vulns in production applications. However, without good preparation or supporting processes, they too often deviate from an effective part of the security development lifecycle into a source of noise. This presentation demonstrates how to measure and manage the time and budget invested in vuln discovery in order to make these kinds of programs successful. It covers strategies for keeping a program focused on positive, risk-based contributions to development.

This presentation shows various metrics collected from real-world data to help organizations determine how to make vuln discovery cost-effective, efficient, and reduce risk. These metrics include guidance on how to model bounty programs, how to monitor their effectiveness, and considerations for allocating budgets.

The presentation also explores what the emergence of bounty programs implies about trends in appsec automation and where major gaps remain. Tools must remain part of any crowdsourced security model. From budgeting to communications, there are more challenges to building a useful appsec program than just determining whether a bug exists.

BIOGRAPHY

Mike Shema is VP of SecOps and Research at Cobalt.io, where he organizes crowdsourced pen tests. Mike’s experience with information security includes managing product security teams, building web application scanners, and consulting across a range of infosec topics. He’s put this experience into books like Anti-Hacker Tool Kit and Hacking Web Apps. He has taught hacking classes and presented research at conferences around the world.