The only way for a security team to effectively manage risk is vulnerability prioritization and management. There are many different prioritization models used across the industry that are based on vulnerability risk and impact. Without a clear prioritization model, how do you know what to fix first? Highest CVSS Score? FIFO? LIFO? Externally known issues? Whatever your prioritization plan is, it needs to be documented and updated as threats to your business change.
Editor's Note: Today I’d like to introduce you to Bugcrowd member Anshuman Bhartiya (anshuman_bh). As an information security professional as well as bug bounty researcher, Anshuman has helped improve the security of many organizations. He has submitted several P1 & P2 bugs leading to his high standing within the programs he is involved in. As an active member on our Bugcrowd forum he also contributes to the bug bounty researcher community. This blog is from one of his responses on the forum that he has allowed us to post here. We are thrilled to share his thoughts and experience on how to successfully approach a target. Thanks!
Mobile devices are relatively new to the connected world, yet the issues surrounding mobile app security have proven much more complex than those around web applications when it comes to threat modeling. With mobile, it's not just about the code running on devices; security also depends heavily on the device itself, taking into account different versions, interfaces, platforms, and device integrity (e.g. whether the device is jailbroken).
Editor's Note: Bugcrowd community researcher Duarte Silva shares the story behind how he started working in information security. Duarte is one of Bugcrowd's top researchers; you can follow him on Twitter at @serializingme.
About the Author: Ben Sadeghipour has been participating in bug bounty programs since February of 2014. After his first few bugs, he came to realize that bug bounties are a great way to learn more about web application security as well as make some extra money while going to school as a computer science major. Currently Ben is an intern at Bugcrowd and continues to do bug bounty research. You can see more of his work on nahamsec.com.
As promised in our previous blog, Jason Haddix, Director of Technical Operations, is doing an unedited series on using Burp Suite, a very useful tool when searching for bug bounties. This video is the first in a month-long series.
Bugcrowd loves its researcher and technical community. One responsibility we feel we have here is to empower that community. As a part of this effort we plan to roll out some free training and professional development material. These videos will be free of charge and are aimed at exploring useful practices in application security. This is part of a larger initiative we are planning at Bugcrowd (more on that later).
Today I'd like to introduce you to Bugcrowd member Ciaran McNally (maK0). As a freelance security consultant as well as an entrepreneur, Ciaran has helped improve the security of many organizations. We are honored to share his thoughts and experience on how organizations can increase their overall security. Thanks!
Today I thought it would be interesting to our Crowd members to take a look at private bounty program invitations. With both public and private bounty programs and tens of thousands of security researchers, how does Bugcrowd choose who to invite to a private program? Is there a secret handshake? A password to a private clubhouse? Do I roll the dice?
One thing we like to highlight at Bugcrowd is creating lasting positive relationships between clients and talented researchers. Today one of our crowd, Duarte Silva, released some of his work on reverse engineering the Aruba Networks ArubaOS firmware package.