Embed Size (px)
Citation preview
What made you decide to launch the Bug Bounty program?
Daniel Diez, Head of the Digital Factory Division, Groupe ADP :
The Group Security team took the lead on this project. I had no prior experience of Bug Bounty, but we very quickly saw the model’s advantages and power. And although I never had any particular doubts or worries, now all I see is the benefits. The bugs reported by hunters are vulnerabilities that we and our auditors may not have seen otherwise, and which could therefore be exploited by bad guys.
Eric Vautier, Groupe CISO, Group ADP :
In cyber security, anticipation is everything. You need to stay a step ahead of the hackers. This means keeping a close eye on market innovations. In the digital world, doing “old-style” protection means you are clearly behind the game. And a good way to catch up is to work directly with se-curity researchers who use hackers’ methods and think like them.
Daniel Diez, Head of the Digital Factory Division, Groupe ADP :
We started Bug Bounty wondering if we could suc-cessfully adapt the model to our way. Today, it is one of the pillars of our web security strategy. Of course, it’s vital to set the program’s rules carefully: you have to structure the tests in the right way so that the hunters don’t “disperse” their efforts. You need to identify the right “boundaries”, and this is where the program setup is essential. We started with a tightly drawn scope and expanded it as we went along.
What value can Bug Bounty add compared to tra-ditional cyber security solutions (e.g. pen test)?
Daniel Diez, Head of the Digital Factory Division, Groupe ADP :
Continuous testing. This is Bug Bounty’s big stren-gth. Pen tests are run at a given point in time – not following every minor delivery. While with Bug Bounty, we have hunters working continuously, remaining alert to anything new, which means they can detect whether any change creates potential vulnerabilities.
Eric Vautier, Groupe CISO, Group ADP :
In a perfect world we should systematically test each update on our website. This would mean run-ning a pentest every week, or even more often... And everyone knows that’s not feasible. Bug Bounty makes such continuous verification possible.
Daniel Diez, Head of the Digital Factory Division, Groupe ADP :
I’ve been getting reports we never got from our pen tests – way more in-depth reports, particular-ly on the website navigation experience. Auditors don’t necesserily have this approach. What’s more, a pentest has a limited timeframe, whereas hunters take the time they need to go as far as possible. As time goes by, they also get increasingly familiar with our scope, which means they can go even more in depth.
Eric Vautier, Groupe CISO, Group ADP :
A Bug Bounty program can also be used to re-port more functional, not just technical, applica-tion vulnerabilities. For me, this is what genuinely differentiates it from the pentest. It is a completely different angle. A pen test often relies on automated tools, while Bug Bounty builds on these tools with a more human approach.
Eric Vautier, Groupe CISO, Group ADP
Daniel Diez, Head of the Digital Factory Division, Groupe ADP :
What is also interesting is the interactions with hun-ters. They help us understand the vulnerabilities they’ve found and how to fix them effectively. In this way we can leverage their expertise. For sure, Bug Bounty demands some investment. You have to be available to understand what the hunters have tried to do, to talk to them...
But they force us to ask ourselves fresh questions: How a bad guy would get round our protection measures?
Is Bug Bounty the end of pen testing? Or will it always remain complementary?
Daniel Diez, Head of the Digital Factory Division, Groupe ADP :
For me, neither works without the other. For one thing, we are not necessarily testing the same things with both. And we cannot set off into the unknown without having some minimum level of certainty in advance. Bug Bounty comes in at a more mature stage in the logical flow of events. You need to leverage a minimum base level of security before launching Bug Bounty.
That said, today, within the current scope, we no longer need to run pentests. Bug Bounty is enough on its own. You need to set the bar at the right level at the outset, and it then becomes a recurring process.
How does Bug Bounty fit with your agile approach?
Daniel Diez, Head of the Digital Factory Division, Groupe ADP :
Like everyone, we have tools to manage sources, builds, projects and performance analytics. We also use tools to log and track each new vulnerability re-port from the Bug Bounty program. For each sprint we verify which relevant data we can include, so we can deal with issues as they come.
Why have you gone public? How has that changed your approach with Bug Bounty?
Eric Vautier, Groupe CISO, Group ADP :
The main advantage is to maximise our risk coverage by multiplying the number of potential tests. Also, it gives us a single channel for reporting vulnerabili-ties in our website.
What comes next?
Eric Vautier, Groupe CISO, Group ADP :
We are going to open up new scopes, on other ap-plications and with other business entities using the same model: private program first, then going public.
Daniel Diez, Head of the Digital Factory Division, Groupe ADP
About YesWeHack : YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 15 000 cyber-security experts (ethical hackers) across 120 countries with organizations, to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices. Founded in 2013, YesWeHack is today the #1 Bug Bounty European platform. www.yeswehack.com
![[Webinar] The Art & Value of Bug Bounty Programs](https://img.dokumen.tips/doc/110x75/55c3b26cbb61eb723f8b465d/webinar-the-art-value-of-bug-bounty-programs.jpg)
