October 10th Chapter Meeting

Venue is Oracle 5815 Owens Drive Pleasanton, CA 94588

Please arrive at 6:45 – Registration is required – email programs@isc2-eastbay-chapter.org AND conferencedirector@isc2-eastbay-chapter.org to ensure we include you in the pizza count and have your name at the door to let you in.

Running a Successful Crowdsourced Security Program: Tips on How Not to Fail

Scaling application and infrastructure security has been, and continues to be, a problem most organizations tend to face, but often don’t have the resources or bandwidth to tackle effectively. This is a fundamentally human problem. There are plenty of scanners, but we still need people to validate those results and to find the issues that scanners aren’t capable of catching – as well as identifying any exposed attack surface that the automated tools aren’t even covering. Enter the idea of the “crowd.” While crowdsourced security through bug bounties is not a new concept, adoption has only recently begun to pick up, which is surprising considering there’s tremendous ROI and value to be gained from the crowd-at-large with relatively little effort.

So in what ways can an organization leverage the power of the crowd (which is just a fancy word for a large contingent of humans with highly diverse and creative security skill sets)? And more importantly, how can one do so successfully? That’s what I aim to cover with this presentation. As someone who has been directly involved in the creation, management, and growth of hundreds of crowdsourced security programs, I bring both a ground-floor and a 30,000-foot view of the current landscape of crowdsourced security. This talk aims to help organizations and security teams: a) realize the value and varying ways they can leverage the crowd (crowdsourcing security has the potential to go well beyond just bug bounties); and b) gain practical tips for running a successful program, as well as for growing your program over time. I see a lot of badly managed or under-utilized programs in the wild, and want to help educate the world in terms of what can be accomplished through the power of crowdsourced security (hint: it’s a lot), and how to run a more effective program.

Bugcrowd, Inc.

Bugcrowd is the #1 crowdsourced security company. More Fortune 500 organizations trust Bugcrowd to manage their Bug Bounty, Vulnerability Disclosure, and Next Gen Pen Test programs. Bugcrowd’s award-winning platform combines actionable, contextual intelligence with the skill and experience of the world’s most elite hackers to help leading organizations identify and fix vulnerabilities, protect customers, and make the digitally connected world a safer place. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Grant McCracken
Currently the Director of Solutions at Bugcrowd, Grant has extensive experience in the crowdsourced security space – having been directly involved with the creation and maintenance of hundreds of crowdsourced security programs over the last few years. An OSCP, with a background in application security, Grant understands the hacker side of security, as well as the necessary logistical components and considerations to take into account when running and managing successful crowdsourced security programs.