Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continuous Security - Paris.rb

Adam Surak
October 04, 2016
Technology
2
110

Continuous Security - Paris.rb

Talk about how we use public bug bounty program to continuously test our security and our experience with HackerOne for more than a year.

Adam Surak

October 04, 2016
Tweet

More Decks by Adam Surak

See All by Adam Surak
Own your reliability - Velocity Amsterdam 2016
adamsurak
2
480
Own your reliability - Amsterdam
adamsurak
1
98
Own your reliability - Tech Summit 2016
adamsurak
1
140

Other Decks in Technology

See All in Technology
OpenTelemetry を使ったトレースエグザンプラーの活用 / otel-trace-exemplar
k6s4i53rx
2
630
0→1開発における技術選定において一番大切なこと
bicstone
1
320
CSSDAY 2024
kevinshallvari
0
180
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
180
PHP"オレ"カンファレンスの告知
ysknsid25
0
310
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
170
"好き"との生活/Regularly update profile with GitHub Actions
judeeeee
0
140
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
1
2.9k
SREとその組織類型
tatsuo48
8
1.5k
Discord とビルダー&チャットボットの使い方 / How to use Discord and Builder & Chatbots
ks91
PRO
0
130
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
720
「ふりかえりのふりかえり」をふりかえり、実のあるふりかえりにする
naitosatoshi
0
210

Featured

See All Featured
Pencils Down: Stop Designing & Start Developing
hursman
116
11k
Automating Front-end Workflow
addyosmani
1354
200k
Fireside Chat
paigeccino
19
2.6k
Building Effective Engineering Teams - LeadDev
addyosmani
26
1.8k
Documentation Writing (for coders)
carmenintech
59
3.9k
The Invisible Customer
myddelton
114
12k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
51k
Creatively Recalculating Your Daily Design Routine
revolveconf
209
11k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
355
22k
Designing with Data
zakiwarfel
95
4.8k
How to name files
jennybc
64
92k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k

Transcript

  1. Build Unique Search Experiences Adam Surak SRE & Security Engineer

    [email protected] @AdamSurak Continuous Security

  2. @AdamSurak Core Core Core Core Security

  3. @AdamSurak Core Core Core Core Core Core

  4. @AdamSurak Penetration testing Quality varies Very detailed and understandable outcomes

    Higher price* One shot -> outdated in few hours

  5. @AdamSurak Responsive disclosure [email protected] “Give me money!” “Give me money

    or I will not tell you what I’ve found!” How do you send money to India, Pakistan, … ?

  6. @AdamSurak Public Bug Bounty Program HackerOne, Bugcrowd, … All the

    reports in one place Protects both reporter and site owner Clean accounting Possible swag-only

  7. @AdamSurak 1 year with HackerOne

  8. @AdamSurak 1 year with HackerOne 12.2% 42.2% 23.2% 22.4%

  9. @AdamSurak All-time vs last 6 months 12.2% 42.2% 23.2% 22.4%

    18.2% 22.9% 13.5% 45.3%

  10. @AdamSurak 1 year with HackerOne

  11. @AdamSurak All-time vs last 6 months All-time Last 6 months

    Response time 2 days 1 day Resolution time 21 days 11 days Bounties $10,125 $4,000

  12. @AdamSurak Learnings PenTesters think differently Beginning is hard Have patience

    with communication You can’t do it best effort There will be noise No matter what, they will use automatic scanners

  13. W e are hiring in Paris and SF QUESTIONS? Build

    Unique Search Experiences [email protected] @AdamSurak