Continuous Security - Paris.rb

Adam Surak
October 04, 2016


Talk about how we use public bug bounty program to continuously test our security and our experience with HackerOne for more than a year.


Transcript

  1. Build Unique Search Experiences. Adam Surak, SRE & Security Engineer, adam.surak@algolia.com, @AdamSurak. Continuous Security

  2. @AdamSurak Core Core Core Core Security

  3. @AdamSurak Core Core Core Core Core Core

  4. @AdamSurak Penetration testing: quality varies; very detailed and understandable outcomes; higher price*; one shot -> outdated in a few hours

  5. @AdamSurak Responsible disclosure: security@algolia.com. “Give me money!” “Give me money or I will not tell you what I’ve found!” How do you send money to India, Pakistan, …?

  6. @AdamSurak Public Bug Bounty Program: HackerOne, Bugcrowd, … All the reports in one place; protects both reporter and site owner; clean accounting; possible swag-only

  7. @AdamSurak 1 year with HackerOne

  8. @AdamSurak 1 year with HackerOne (chart; only the percentages survive in the transcript): 12.2%, 42.2%, 23.2%, 22.4%

  9. @AdamSurak All-time vs last 6 months (chart; only the percentages survive in the transcript): 12.2%, 42.2%, 23.2%, 22.4% vs 18.2%, 22.9%, 13.5%, 45.3%

  10. @AdamSurak 1 year with HackerOne

  11. @AdamSurak All-time vs last 6 months: response time 2 days vs 1 day; resolution time 21 days vs 11 days; bounties $10,125 vs $4,000

  12. @AdamSurak Learnings: PenTesters think differently; the beginning is hard; have patience with communication; you can’t do it best effort; there will be noise; no matter what, they will use automatic scanners

  13. We are hiring in Paris and SF. QUESTIONS? Build Unique Search Experiences. adam@algolia.com @AdamSurak