AppSec Europe 2016 has ended


Defender
Thursday, June 30
 

10:20

Framework Security: Have You Hugged A Developer Today?
For years security nerds like us have been saying the same thing: It’s *your* problem. Integrate security awareness throughout your SDLC, educate your developers, hire us at some expense to come in and tell you the same annually. Ultimately, relying on developers to be infallible is an expensive losing proposition.

We’d like to present a different idea: It's our problem. Writing secure software shouldn't require developers to become security specialists. At Immunio we've been working on ways of modifying application frameworks to defend against common vulnerabilities automatically. We're trying to remove some of the burden on developers and make security a fundamental part of the stack. 

In this presentation we'll share with you our experiences extending these frameworks and discuss some of the strategies we've taken that have worked, the challenges we've had to face, and how a simple change of approach could change application security. 

Outline: 

- Introduction 
- The Problem: Frameworks make coding easy and security hard 
- Example: Rails helpers and safe_buffers 
- Example: Rails directory traversal 
- Application Defense In Depth 
- The trouble with WAFs 
- Security is a framework responsibility
- Perfect Code is a Pipe Dream 
- State Makes Hard Problems Easy(ish) 
- Today Security is an Afterthought 
- Building Self-Defending Frameworks 
- Problem: Command and Control 
- Everything You Know About XSS Defense Is Wrong 
- ESAPI is Crappy
- HTML Is Machine Readable By Design! 
- Use The Source Luke! 
- Using Lexical Analysis To Escape On-the-fly 
- Lexing to Determine Context 
- Escaping 
- Problem: Application Interpolations 
- Dynamic Whitelisting 
- Problem: HTML Is a Horrible Mishmash
- Protecting Javascript 
- CSS 
- Problem: HTML Is Just Horrible 
- Browser Insanity 
- 'Developer' Insanity 
- DEMO 
- Generalizing The Approach 
- SQLi 
- Problem: String building 
- Bash 
- Everything Is Just Structured Data! 
- The Power of a Security Aware Framework 
- Attacker Identification 
- Active Response 
- Forensics 
- Conclusion 

Speakers

Oliver Lavery

Oliver Lavery is VP of Research and Development at Immunio. He's a software developer, penetration tester, and consultant with over 15 years of experience in the industry. When not coming up with defensive algorithms, he enjoys making kernels involuntarily do his bidding, breaking...


Thursday June 30, 2016 10:20 - 11:05
Room A (Michelangelo Ballroom Sect. 3)

11:35

Surviving the Java serialization apocalypse
The hidden danger of Java deserialization vulnerabilities – which often lead to remote code execution – has gained extended visibility in the past year. The issue has been known for years; however, it seems that the majority of developers were unaware of it until recent media coverage around commonly used libraries and major products. This talk aims to shed some light about how this vulnerability can be abused, how to detect it from a static and dynamic point of view, and -- most importantly -- how to effectively protect against it. The scope of this talk is not limited to the Java serialization protocol but also other popular Java libraries used for object serialization.

The ever-increasing number of new vulnerable endpoints and attacker-usable gadgets has resulted in a lot of different recommendations on how to protect your applications, including look-ahead deserialization and runtime agents to monitor and protect the deserialization process. Coming at the problem from a developer’s perspective and triaging the recommendations for you, this talk will review existing protection techniques and demonstrate their effectiveness on real applications. It will also review existing techniques and present new gadgets that demonstrate how attackers can actually abuse your application code and classpath to craft a chain of gadgets that will allow them to compromise your servers.

This talk will also present the typical architectural decisions and code patterns that lead to an increased risk of exposing deserialization vulnerabilities. After mapping the typical anti-patterns that must be avoided, we use real code examples to present an overview of hardening techniques and their effectiveness. The talk will also show attendees what to search the code for in order to find potential code gadgets the attackers can leverage to compromise their applications. We’ll conclude with action items and recommendations developers should consider to mitigate this threat.

Speakers

Alvaro Muñoz

Principal Security Researcher, Micro Focus Fortify
Alvaro Muñoz (@pwntester) works as a Principal Software Security Researcher with Micro Focus Fortify, Software Security Research (SSR) team. Before joining the research organization, he worked as an Application Security Consultant helping top enterprises to deploy their application...

Christian Schneider

Whitehat Hacker, Christian Schneider
Christian Schneider (@cschneider4711) has written software since the nineties, has worked as a freelance software developer since 1997, and has focused on Java since 1999. Aside from the traditional software engineering tasks, he supports clients in the field of IT security. This includes penetration...


Thursday June 30, 2016 11:35 - 12:20
Room A (Michelangelo Ballroom Sect. 3)

11:35

The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZAP: Attack Surface, Backdoors, and Configuration
There are a number of reasons to use source code to assist in web application penetration testing. Access to source code can help to make better use of penetration testers’ time by giving them access to answers about what underlying software is doing. In addition, access to source code provides penetration testers with deeper insight into the overall behavior of target systems. Finally, with the benefit of source code, penetration testing reports can help to highlight specific sections of code that are associated with identified vulnerabilities – allowing development teams to remediate vulnerabilities more efficiently. 

The United States Department of Homeland Security (DHS) Science and Technology (S&T) Directorate has funded some research that can be used by penetration testers looking to benefit from source code access during their testing engagements. This technology is currently available in the open source ThreadFix plugin for the OWASP ZAP dynamic application security testing tool, and will be used throughout the presentation to provide practical examples attendees can use for their own penetration tests.

This presentation walks through the “ABCs” of source code assisted web application penetration testing, covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. A web application’s attack surface refers to dynamically exposed endpoints where an attacker can control inputs to an application. These include the URLs an application will respond to as well as the entry points – parameters, cookies, HTTP headers – that the application uses that may change application behavior. Having access to the source lets an attacker enumerate all of these URLs as well as parameters and other entry points. Knowing these allows pen testers greater application coverage during testing. For example, some applications have page configurations such as landing pages that link back into the application, but where the application does not have outbound links. These would not be detected during a typical application crawl. Also, applications with multi-step workflows may make it difficult for penetration testers to understand all steps in a workflow process. The presentation will walk through these scenarios and then demonstrate how using the OWASP ZAP plugin to pre-seed the spidering process makes application scans more thorough.

In addition to identifying legitimate attack surface that can be hard for penetration testers to find on their own, access to source code can help to identify potential backdoors that have been intentionally added to the system. These backdoors can represent hidden or secret inputs that an application will accept, but that have been obfuscated so that they can be hard or impossible for pen testers to find on their own. Having access to the source can help identify potentially suspicious attack surface endpoints such as hidden admin consoles or secret backdoor parameters. The presentation will then demonstrate how the results of attack surface seeding, when combined with the results from standard application crawls, can help identify suspicious inputs that can represent application back doors. 

Finally, the presentation will look at how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application. Specifically, it will show how misconfiguration in platforms allowing auto-binding can give attackers extensive control over inputs to an application – beyond what even security-knowledgeable developers might expect. Having access to source code can identify and enumerate these potential issues in ways that would be either difficult or time-consuming for penetration testers to find on their own. Demonstrations of these scenarios will also be provided.

Speakers

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies...


Thursday June 30, 2016 11:35 - 12:20
Room B (Tiziano Ballroom Sec. 1)

12:25

Attack Patterns for Black-Box Detection of Logical Vulnerabilities in Multi-Party Web Applications
An increasing number of business critical, online applications leverage trusted third parties in conjunction with web-based security protocols to meet their security needs. For instance, many online applications rely on authentication assertions issued by identity providers to authenticate users using a variety of web-based single sign-on (SSO) protocols (e.g., SAML SSO v2.0, OpenID Connect). Similarly, online shopping applications use online payment services and Cashier-as-a-Service (CaaS) protocols to obtain proof-of-payment before delivering the purchased items (e.g., Express Checkout and PayPal Payment Standard). We refer to this broad class of protocols as security-critical Multi-Party Web Applications (MPWAs). Three entities take part in the protocols: the User (through a web browser B), the web application (playing the role of Service Provider, SP), and a trusted third party (TTP). The design and implementation of the protocols used by security-critical MPWAs are prone to logical errors. Several logical vulnerabilities have been reported in the last few years. For example, over 20% of the Alexa top 20,000 US websites have vulnerable Facebook SSO implementations (Zhou et al. 2014). The problem is exacerbated by the fact that most of the commercial automatic web vulnerability scanners have almost no support for logical vulnerabilities, and the solutions proposed in security research papers for detecting logical vulnerabilities do not provide experimental evidence of applicability in more than one MPWA scenario (e.g., CaaS or SSO).
In this presentation, we show a new approach towards automatic black-box detection of logical vulnerabilities in MPWAs. Our approach is based on an observation and a conjecture. The observation is that, regardless of their purpose, the security protocols at the core of MPWAs share a number of features: 
1) by interacting with SP (and/or TTP), User authenticates and/or authorizes some actions, 
2) TTP (SP, resp.) generates a security token, 
3) the security token is dispatched to SP (TTP, resp.) through the web browser, and 
4) SP (TTP, resp.) checks the security token and completes the protocol by taking some security-critical decisions. 
The conjecture is that the attacks found in the literature (and possibly many more still to be discovered) are instances of a limited number of attack patterns. For instance, the incorrect handling of the OAuth 2.0 access token by a vulnerable SP can be exploited by an attacker hosting another SP (Wang et al. 2013). If the victim User logs into the attacker’s SP, the attacker obtains an access token (issued by TTP) from the victim and can replay it in the vulnerable SP to log in as the victim. A similar attack was previously discovered (Armando et al. 2008) in the SAML-based implementation deployed by Google (here the SAML authentication assertion is replayed instead of the OAuth 2.0 access token). Similar attacks have also been detected in CaaS-enabled scenarios (e.g., Pellegrino et al. 2014, Sun et al. 2014).
We selected 13 prominent attacks reported in real-world MPWAs and analyzed their similarities. This led us to identify 7 application-independent attack patterns (targeting 6 different replay attacks and a login CSRF attack) that concisely describe the actions performed by attackers while performing these attacks. These attack patterns are leveraged by a black-box security testing module that automatically collects and analyzes different HTTP traffic samples of the MPWA under test for selecting the appropriate attack patterns which in turn automatically generates attack test cases targeting logical vulnerabilities in the MPWA. 
We implemented our ideas on top of OWASP ZAP (the most popular, open-source penetration testing tool) and discovered 21 previously unknown vulnerabilities in prominent MPWAs (e.g., developer.linkedin.com, pinterest.com, open.sap.com, stripe checkout), including MPWAs that do not belong to SSO and CaaS families. 

Speakers

Alessandro Armando

Associate Professor & Head of Research Unit, University of Genova & FBK

Roberto Carbone

Researcher, Fondazione Bruno Kessler
Dr. Roberto Carbone is a researcher of the Security & Trust Research Unit of Bruno Kessler Foundation (FBK-ICT) in Trento, since November 2010. He obtained the MSc degree in Computer Engineering at the University of Genova in 2005 and received his Ph.D. from the same University in...

Luca Compagna

Researcher, SAP
Dr. Luca Compagna is part of the Security Research team at SAP, where he is contributing to the research strategy and to the software security analysis area in particular. He received his Ph.D. in Computer Science jointly from the U. of Genova and U. of Edinburgh. His area of interests...

Avinash Sudhodanan

Early Stage Researcher, Fondazione Bruno Kessler
Avinash Sudhodanan is an Early Stage Researcher at the Security & Trust Unit of Fondazione Bruno Kessler and a 3rd year PhD student at University of Trento. He is focusing his research on Automatic Analysis of Browser-Based Security Protocols (in the context of the EU project SECENTIS...


Thursday June 30, 2016 12:25 - 13:30
Room A (Michelangelo Ballroom Sect. 3)

14:10

Bug Hunting on the Dark Side
A defender has to secure all entries to a system. If only one entry is not secured the system will eventually be owned. One single mistake is enough. This is often frustrating because everybody makes mistakes and defenders usually have to operate on the passive end. 

Fortunately, _everybody_ makes mistakes. Even the attackers. In this presentation, we are going to show a collection of bugs and mistakes that help to turn the tables on the adversary: 
* Simple typos that ruin the otherwise stealthy APT campaign. 
* Thoroughly planned command & control architectures that fall apart because of overlooked crypto dependencies. 
* Bugs in malware that render the functionality useless. 

There will be plenty of examples from the OWASP Top 10 vulnerabilities that attackers and malware authors have run into: SQL injections, remote file inclusion vulnerabilities, broken session management, server misconfigurations, broken random number generators, ...

Hilarious, scary, and a lot of face palms.

Speakers

Felix Leder

Director Detection Technology, Blue Coat
Felix Leder leads the detection technology research at Blue Coat. Taking things apart has been a life time passion for him. His hobbies, like collecting bugs in malware and botnet takeovers, have resulted in successful take-downs of large malicious networks. As a member of The Honeynet...


Thursday June 30, 2016 14:10 - 14:55
Room A (Michelangelo Ballroom Sect. 3)

16:15

Automated Mobile Application Security Assessment with MobSF
The mobile application market is growing rapidly, and so is the mobile security industry. With frequent application releases and updates, conducting a complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for security analysis of mobile applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrate some of the issues identified by the tool in real world Android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec.

Attendee benefits:

* An open source framework for automated mobile security assessment.
* One-click report generation and security assessment.
* The framework can be deployed in your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud.
* Supports both Android and iOS applications.
* Semi-automatic Dynamic Analyzer for intelligent, application-logic-based (whitebox) security assessment.

Speakers

Ajin Abraham

Security Engineer, IMMUNIO
Ajin Abraham is a Security Engineer for IMMUNIO with 6+ years of experience in Application Security including 3 years of Security Research. He is passionate about developing new and unique security tools. Some of his contributions to Hacker's arsenal include OWASP Xenotix XSS Exploit...


Thursday June 30, 2016 16:15 - 17:00
Room B (Tiziano Ballroom Sec. 1)

16:15

OWASP Security Knowledge Framework: Making the web secure by design
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

The 4 core usages of SKF:

- Security requirements from OWASP ASVS, for development and for third party vendor applications
- Security knowledge reference (code examples / Knowledge Base items)
- Security as part of design, with the pre-development functionality in SKF
- Security post-development functionality in SKF for verification against the OWASP ASVS

Check the online demo: https://securityknowledgeframework.org/demo.php

Speakers

Glenn Ten Cate

DefDev
As a coder, hacker, speaker, trainer and security chapter leader employed at ING Belgium, Glenn has over 15 years of experience in the field of security. He is one of the founders of defensive development [defdev], a security training series dedicated to helping you build and maintain secure...


Thursday June 30, 2016 16:15 - 17:00
Room A (Michelangelo Ballroom Sect. 3)

17:05

Calm down, HTTPS is not a VPN
It is 2016. As far as transport layer security is concerned, many bugs were found and squashed during the past two years, which probably makes most tech people feel better.
Also, especially for the most secured protocol on the internet, HTTP, security features like HSTS, HPKP, preloading and certificate transparency came up, so one could be tempted to think "mission accomplished": confidentiality and integrity issues on the transport layer for HTTP are solved now, albeit the mentioned security features could be used more widely.

But with respect to privacy there are often misconceptions. One is about the information security values: when HTTPS is a must, for which information security values, and when it is not mandatory. Sometimes there even seems to be a current technical misbelief that switching on HTTPS is like a VPN or Tor, not least sponsored by some big players on the internet.

This talk will clean up those fundamental misunderstandings and show how much privacy you really have against prying eyes while using HTTPS.

It will start with basics at the network layer, then look at the TLS encryption, at several browser fingerprints in the TLS handshakes and at current certificate validation strategies. Taking this alone identifies your browser and the site you're connecting to, and often more.

But what can an adversary tell about the content? 

Real world examples add a couple of bits to this, as nowadays your browser often doesn't connect to a single server. Depending on the site (size, content), the number of clients from an IP address, browser settings and the browsing behavior of the user(s), more resources are needed to determine what content is being requested by the client. Here the talk will shed some light on how well it is possible, even while using HTTPS, to tell something about the content transferred.

Speakers

Dirk Wetter

Dirk is an independent security consultant who has more than 18 years of experience in information security, even more in the world of Unix/Linux. He also has profound networking knowledge from his past. He is engaged in OWASP Germany / Europe and chaired a couple of conferences...


Thursday June 30, 2016 17:05 - 17:50
Room A (Michelangelo Ballroom Sect. 3)
 
Friday, July 1
 

11:35

Game of Hacks: Play, Hack and Track
We created “Game of Hacks” – a viral web app marketed as a tool to train developers on secure coding – with the intention of building a honeypot. Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. Within 24 hours we had 35K players test their hacking skills... we weren't surprised when users started breaking the rules.

Join us to:

• Play GoH against the audience in real time and get your claim to fame.
• Understand how vulnerabilities were planted within Game of Hacks.
• See real attack techniques (some caught us off guard) and how we handled them.
• Learn how to avoid vulnerabilities in your code and how to go about designing a secure application.
• Hear what to watch out for on the ultra-popular node.js framework.

Speakers

Amit Ashbel

Cyber Security Evangelist
Amit has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and...


Friday July 1, 2016 11:35 - 12:20
Room B (Tiziano Ballroom Sec. 1)

11:35

Analyzing and Detecting Flash-based Malware

Adobe Flash is a popular platform for providing dynamic and multimedia content on web pages. Despite being declared dead for years, Flash still is deployed on millions of devices. Unfortunately, the Adobe Flash Player increasingly suffers from vulnerabilities, and attacks using Flash-based malware regularly put users at risk of being remotely attacked. We present Gordon, a method for the comprehensive analysis and detection of Flash-based malware. By analyzing Flash animations at different levels during the interpreter’s loading and execution process, our method is able to spot attacks against the Flash Player as well as malicious functionality embedded in ActionScript code. To achieve this goal, Gordon combines a structural analysis of the container format with guided execution of the contained code—a novel analysis strategy that manipulates the control flow to maximize the coverage of indicative code regions. In doing so, Gordon significantly outperforms related approaches when applied to samples shortly after their first occurrence in the wild, demonstrating its ability to provide timely protection for end users.


Speakers

Christian Wressnegger

TU Braunschweig
Christian Wressnegger is a full-time researcher at the Institute of System Security of the TU Braunschweig, Germany. Before joining academia to pursue a PhD, he has been working in Anti-Virus industry and in data analytics for computer security applications using machine learning...


Friday July 1, 2016 11:35 - 12:20
Room A (Michelangelo Ballroom Sect. 3)

12:25

2016 State of Vulnerability Exploits
A yearlong study of new trends in vulnerability exploits to identify, prioritize and mitigate the most relevant issues. Exploit data from 20+ top exploit kits including Angler, Nuclear, SweetOrange, Magnitude, Rig, Neutrino and others is included. Also included is data from numerous exploit frameworks like Exploit-db, Core Security, Immunity, Qualys, DSquare, Agora, White Phosphorus and others.

Speakers

Amol Sarwate

Director of Vulnerability and Compliance Labs, Qualys Inc.
As Director of Vulnerability Labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze the threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability...


Friday July 1, 2016 12:25 - 13:10
Room C (Tiziano Ballroom Sec. 2)

14:10

Securing AngularJS Applications
Since its birth, the Web evolved from a system to share and view scientific documents to a full-blown platform for sophisticated applications. While in the beginning most Web applications were implemented purely on the server-side, modern ones heavily rely on client-side components.

AngularJS is the latest addition in this process. Within an Angular application the server is merely a data storage facility with a few additional access checks. The core of the application is running on the client-side.

As Angular is specifically designed to work on the client-side, it attempts to remove the main points of friction for developers. By providing a templating system, two-way bindings and custom directives, DOM interactions can be reduced to a bare minimum.

From a security point of view this is very interesting as Angular removes the need for using some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security.

This talk provides an in-depth introduction to the security of Angular applications. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, it shows common security pitfalls that are specific to Angular applications. In general, the talk covers Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs. All the presented issues are based on real-world bugs. The talk will demonstrate how to find and prevent these issues in practice.

Speakers

Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business...


Friday July 1, 2016 14:10 - 14:55
Room A (Michelangelo Ballroom Sect. 3)

15:00

The Cool Factor: Security's Secret Weapon
What sets the security team apart from any other engineering team at a company? Why do Chris Hemsworth fans know about backdoors and payloads? How do you design a swag t-shirt that people would actually want to wear? These questions and more will be answered in this talk. 

The security team stands in a unique position in their company because of the rich topic area they deal with. Their caliber of talent will make or break the company in a day. The stakes are high. Security incidents are as interesting as they are scary. We can use this to our advantage to roll out effective and popular security awareness campaigns that will move the needle towards a more secure environment.

This talk will dive into examples of security awareness in pop culture, guidance for creating a security culture program, and the secret to the perfect t-shirt.

Speakers

Marisa Fagan

Sr Trust Engagement Manager, Salesforce
Marisa Fagan brings 9 years of experience building communities in the Information Security industry to her role as Senior Technology Program Manager at Salesforce. On the Trust Engagement team, she contributes to securing the human element of the threat landscape. Previously...


Friday July 1, 2016 15:00 - 15:45
Room D (Tiziano Ballroom Sec. 3)

16:15

Running a bug bounty: what you need to know.
Having a bug bounty program is one of the most cost-effective and productive methods of finding security vulnerabilities today. Bug bounty programs provide substantial value in terms of findings, only require payment for valid results, and bring a level of depth via manual testing that goes beyond the capabilities of scanners and other traditional pen-testing tools – often serving as a valuable complement to automated testing. But, as anyone who has tried to run a bug bounty program knows, it's no simple or small undertaking...

Coming from the unique position of being professionals who have helped to create and manage hundreds of bug bounty programs, we're uniquely positioned to cover key bounty concepts, and provide advice on how to run a successful bug bounty program. Whether you're already running a bug bounty program, looking to run a bug bounty program, or are a researcher who participates in programs, this talk aims to deepen your knowledge on the subject. 

The talk will be broken up into two parts: 

1) The first segment will cover setting up a bug bounty program, including specific tips/guidance for creating a successful program. Having set up and run a range of bounty programs – some requiring more work than others – we have some invaluable insights into what it takes to make a program successful. Some of the key concepts and questions that will be covered include (but are not limited to):

Scoping - how to focus researchers on the targets that matter to you. What considerations should you make when setting your scope? 
Compensation - how much should you pay, and what does that get you? 
Public vs. private bounties - is this open to the world, or only a select group? 
Managed vs. self-managed - are you planning on processing all the vulnerabilities yourself, or do you plan to outsource the initial processing of submissions? 
Getting the most out of your program - thoughts on what should be in/out of scope, standard exclusions, and other information to provide researchers with everything they need to be successful. 
Your promise to the researchers - response times, communication, and public disclosure. What do you bring to the table? 
Researcher engagement and participation - how do you keep researchers engaged and participating in your program? 
Access, etc - how will researchers be testing your app? Credentials/access/etc? 

2) The second segment will cover the validation and processing of researchers' submissions. Using the experience we've gained from having processed tens of thousands of researcher submissions, we will provide insight into the back end of security operations for a bug bounty program. Key topics include: 

Tips for evaluating researcher submissions - anyone who has done a bounty knows the submission volume can be overwhelming at times. How do you deal with and process these submissions?
What makes up a good report? - some thoughts for researchers, on how to write quality submissions. 
Communicating with researchers - how do you communicate with researchers, deal with unhappy researchers, etc? 
Thoughts on recommended vulnerability priority ratings - what priority level and payout should you give for any given vulnerability? 
Working with a team - some real-world learning experiences and tips for working as a team and applying those lessons to issues as they arise. 
And of course, some classic submission horror stories… 

By the end of the talk, attendees who managed to stay awake will have a behind-the-scenes understanding of how to successfully set up, run, and participate in a bug bounty program.

Speakers

Shpend Kurtishaj

Shpend Kurtishaj is an occasional bounty hunter himself, and works for Bugcrowd (a crowdsourcing bug bounty platform), helping run and manage clients’ bounty programs. He’s worked on hundreds of bounty programs, processed thousands of submissions, and has a litany of valuable insights...

Grant McCracken

Solutions Architect, Bugcrowd
Grant has been with Bugcrowd, a crowdsourced cybersecurity solution, for roughly two years - initially helping process bounty submissions as an Application Security Engineer/Analyst, and later transitioning to his current role of Solutions Architect. With a background in appsec, and...


Friday July 1, 2016 16:15 - 17:00
Room D (Tiziano Ballroom Sec. 3)