Category: Security by design Page 2 of 3

Yes We Hack and its Partners, or how to get the best out of Bug Bounty ?

What does a YesWehack partner do ?

Every organization is concerned by cybersecurity and most of them can see that traditional solutions (penetration testing & scanners) are not sufficient anymore. As a result, whatever the size or industry, they are increasingly numerous to opt for Bug Bounty.

By 2022, crowdsourced security testing platform products and services will be employed by over 50% of enterprises, up from less than 5% in 2018.

Gartner 2018 Market Guide on Crowdtesting

Indeed, Bug Bounty is the only solution that can pretend to exhaustiveness, responsiveness and continuity in the tests. More importantly, Bug Bounty meets organizations growing need for agility > https://bountyfactory.io/en/mybugbounty.html

For all that, any organization that wishes to set up/implement Bug Bounty programs is not ready to manage by itself yet; indeed the Bug Bounty process involves:
• The program‘s creation : determination of the scope, rules, researchers’ reward grid, etc.
• The program’s day-to-day management and interaction with the researchers
• Vulnerabilities and researchers’ test reports validation and management

Lacking time, resources, skills and process, some organizations can be intimidated by the implementation of a Bug Bounty Program in spite of unrivaled benefits they could get out of it.

This is where our partners step in.

Why Becoming of YesWeHack Partner?

Read More

“A bug bounty program is a practical way to put your work to the test” states Yves Berquin – CoFounder of MatrixReq

Yves Berquin - Cofounder of MatrixReq

Yves Berquin, Cofounder of MatrixReq – GmbH

Presentation of Matrix Requirements and your position

Before we co-founded our German company, Matrix Requirements (matrixreq.com) in 2014, we were project managers in a medical devices company and it was clear to us that we needed a better tool to manage the traceability of the design. We built MatrixALM for ourselves and later on we created Matrix Requirements to launch our application independently.

Matrix Requirements team is 4 people which is quite honorable compared to our results so far: we have about 100 customers totaling about 700 users.

30% of our customers come from the US, about 30% from Germany and the remaining in rest of Europe, Israel, Australia, India, Canada.

My role in the team is more on the back-office, network, databases, Linux servers. Needless to say I’m very concerned about security.

What are the reasons that led you to embark in the bug bounty exercise ?

Even though we are quite small, we are certified ISO13485:2016 and on the way to be ISO27001, and this type of standards mandate that we study the risks of our processes. Of course one obvious risk in our type of business is the intrusion of our information systems.

We’ve had intrusion attempts in the past an we protected ourselves with quite elaborated active rules on our firewalls. We’ve had an audit from a group in KULeuven, and one of their recommendations was to go through a bug bounty exercise.

Why did you chose YesWeHack ?

We first asked a well known US bug bounty company but the pricing was out of reach for us. Then we discovered YesWeHack, through the OVH DLP accelerator (we are also members). We contacted them and found out quickly that their offer matched what we were looking for: a group of researchers that could investigate our security in BlackBox mode. In particular we wanted to be able to talk to the researchers in English and that is a given on that platform.

What are the results of your private phase ?

The private phase was achieved with a group of 10 researchers, and they came back with 5 vulnerabilities. Frankly, we were relieved that none of the reported vulnerabilities were severe, which confirmed that we already had quite a good security maturity.

Of course we can never rest in this field, but what were returned to us were subtle weaknesses that wouldn’t allow by themselves anyone to actually enter our site.

We rewarded the researchers anyway, understanding that sometime a combination of small weaknesses could lead to an actual attack vector. The exchange with the researchers were very fruitful and they gladly checked that our fixes were efficient as well.

That dialogue is really the positive aspect of the exercise: we forced ourselves to reply quickly to the remarks, and they were very quick to answer back and offer suggestions to solve the issues if needed.

What are you waiting from the public phase ?

Opening the bounty to all the ethical hackers on the platforms in YesWeHack should lead to much more return for us, and should help us solidify even more our application and its API. I hope nothing too bad will come out of it but of course I prefer hearing about it this way: we have to detect potential security issues as soon as possible.

A bug bounty program is a practical way to put your work to the test. We hope to learn a lot from this public phase – through ways that we wouldn’t have thought about ourselves.

Today more than ever (think Facebook, British Airways, …) we must stay humble and remember that ‘Security through obscurity’ doesn’t exist and it’s only by putting your cards on the table and be pro-active that you can ensure a decent level of security.

***

Go to MatrixAlm’s Bug Bounty Public Program !

***

YesWeHack rejoint le Pôle d’Excellence Cyber !

C’est avec une fierté non dissimulée que YesWeHack annonce son intégration au Pôle d’Excellence Cyber.

Nous avons été cooptés et nous allons honorer cette confiance au sein du PEC pour contribuer au rayonnnement de savoir-faire français et Européen en termes de CyberSécurité.

YesWeHack va notamment apporter son expertise sur deux disciplines à savoir : le recrutement des talents spécialisés en cybersécurité et la divulgation coordonnée de vulnérabilités.

Déjà presents au coeur de l’écosystème breton avec une base à Rennes, YesWeHack continue de tisser des liens et de coopérer avec tous les acteurs de la région.

OVH Bug Bounty RetEx by Vincent Malguy

As OVH bug bounty manager from March 2016 to March 2018, Vincent Malguy, through this interview, delivers his return of experience to share some tips with people who wonder how to set up and manage a program.

***

The genesis

In the early 2010’s, many companies in the IT sector like Facebook or Google started to launch bug bounty programs and within OVH this appeared as an obvious need. However, it took time to frame the project and to meet all the operational conditions to take the leap.

In 2015, when I was recruited by OVH, it was time to put in place all the bricks to calmly launch a bug bounty.

Back in the day, we identified two issues: the issue of vulnerability export and the legal complexity when paying rewards.

Of course, we evaluated the possibility of launching it without external help but we quickly gave up the idea because it is not our core business.

In any case since the beginning, it has been clear in our minds that a real bug bounty program is, in the long run, a program open to a wide audience.

In January 2016, we met with Korben and Freeman. They presented YesWeWack’s roadmap to launch the first European bug bounty platform.

The timing was perfect and we decided together to launch OVH’s public program on the occasion of “la Nuit du Hack” in June 2016.

Private phase

In this exercise we have the support of the management and technical teams.

Based on that internal mobilization, we started to carry out an additional audit on the initial scope in order to ensure its maturity. We then worked with the communications, legal and accounting teams. Once these prerequisites were gathered and validated, with YesWeHack, we started with a 1 month private window.

Read More

Bug Bounty: Take the leap – [ITW] Alain Tiemblo @BlaBlaCar

Alain Tiemblo – BlaBlaCar Web Security Lead Engineer

Since September 2017, BlaBlaCar has been managing with a select number of security experts a private Bug Bounty program to enhance the operational security of its platform.

Previously accessible only by invitation via BountyFactory.io, YesWeHack’s bug bounty platform, this program has enabled BlaBlaCar to remain proactive on the cyber security of its services.

Thursday April 19, BlaBlaCar’s program is public

What is your role at BlaBlaCar?

I am a backend developer profile, today overseeing application security. When I joined BlaBlaCar, I was in charge of the platform’s performance and security. In mid-2015 and early 2016, our operational security needed to level up significantly, especially following our major fund-raising campaigns, which put BlaBlaCar under the light and pressure. So at that period of time, i took the lead of a small team to mitigate these attacks, and audit/consolidate the platform.

What is your approach to security, including coordinated vulnerability disclosure?

We have kept application security in-house for a long time. Previously, we used classical audits conducted by various companies, by several basic pentest applications, by using static analysis tools, etc. I think it helped to rough out a lot of little things that would have been detected by bug hunters.

In addition, we received a few troll messages on Twitter reporting vulnerabilities without notice and without any details… We also have some emails via customer support about potential security holes, but nothing was disclosed by these contacts, they first wanted to be paid and this, without proof of the existence of a security flaw, so it was impossible for us to enter the game.

Read More

Bug Bounty : Franchir le pas – ITW d’Alain Tiemblo @ BlaBlaCar

Alain Tiemblo - Bug Bounty - Vulnerability Coordination

Depuis septembre 2017, BlaBlaCar propose à un nombre d’experts en sécurité triés sur le volet, un
programme de Bug Bounty privé afin de renforcer la sécurité opérationnelle de sa plateforme. Accessible
jusqu’alors uniquement sur invitation via BountyFactory.io, la plateforme de bug bounty de YesWeHack, ce programme a permis à BlaBlaCar de rester proactif sur la cybersécurité de ses services.

Entretien avec Alain Tiemblo Web Security Lead Engineer – @BlaBlaCar – manager du programme de Bug Bounty.

Jeudi 19 avril le programme de BlaBlaCar est public

Quel est votre rôle au sein de BlaBlaCar ?

Je suis un profil développeur backend, aujourd’hui chapeautant la sécurité applicative. Lorsque je suis arrivé à BlaBlaCar, je m’occupais de la performance et la sécurité de la plateforme. Mi 2015 début 2016, nos besoins en sécurité opérationnelle ont augmenté de manière significative notamment à la suite de nos grosses levées de fonds qui ont suscité quelques convoitises. J’ai alors pris le lead d’une petite équipe afin de mitiger ces attaques, et auditer / consolider la plateforme.

Quelle est votre démarche en termes de sécurité et notamment de divulgation coordonnée de vulnérabilités?

Nous avons pendant longtemps gardé la sécurité applicative en interne. Auparavant, nous faisions appel à des audits classiques menés par diverses entreprises, par plusieurs applications de pentest, en utilisant des outils d’analyses statiques, etc. Je pense que ça a permis de dégrossir beaucoup de petites choses qui auraient été détectées par des chasseurs de failles.

Par ailleurs, on a reçu quelques messages de trolls sur Twitter signalant des failles sans préavis et sans aucun détails…

Read More

https://douwedeboer.pixieset.com/

Interview of EdOverFlow : Bug Hunter & mastermind of security.txt

Photo Courtesy of Douwe De Boer

What is your background ?

I am a web developer, security researcher, and a computer science student at the ETH Zürich. In my spare time, I like to contribute to open-source projects, hunt for security vulnerabilities, and triage reports. For a long time, one of my biggest goals has been to learn something new as often as possible and get to know people who share a similar passion for what they do.

How long have you been bug hunting and what are you driven by ?

I have been bug bounty hunting for roughly one and a half years, but I have been interested in security for quite a while. Curiosity and learning something new are what drive me the most. I find myself constantly wanting to try something new and learn as much about the topic as possible.

Can you explain the genesis of security.txt ?

Read More

Le Réseau Thématique French Tech #Security #Privacy

Guillaume Vassault Houlière, CEO de YesWeHack, est un des ambassadeurs du Réseau Thématique French Tech #Security #Privacy .

Ce réseau a pour objectifs : d’organiser un Tour de France sur la thématique “security & privacy” afin de fédérer l’écosystème, de développer et valoriser à l’international le savoir-faire des acteurs français en matière de cybersécurité.

Ce tour permettra notamment de continuer la sensibilisation des utilisateurs en entreprise (PME, ETI et Grands Groupes) à la sécurité et à la protection des données personnelles. C’est là une des clefs de la réussite de la transformation numérique.

Une des missions principale du réseau est l’identification des startups axées sur la cyber-Securité et la protection des données personnelles. L’idée c’est de procéder à un inventaire des besoins et de motiver des entrepreneurs « emblématiques » pour qu’ils deviennent des business angels et/ou des mentors.

Enfin, le réseau et tous ses acteurs ont pour activité la promotion du fonds French Tech Accélération aux entrepreneurs pouvant réinvestir dans l’écosystème.

En savoir plus sur la feuille de route

Incentive Policy for Coordinated Vulnerability Disclosure

Assessment

For the past ten years or so, organizations have been trying to implement operational policies to avoid “Full Disclosure” reports or “Open Bug Bounty” whose methods are not that good in terms of honesty and responsibility.

Speaking of responsibility, you may be familiar with the notion of “Responsible Disclosure” and you wonder how it differs from the concept of Coordinated Vulnerability Disclosure?

The concept of responsible disclosure has too often been at the root of endless discussions:

On the one hand the vendors denounce “Disclosing a vulnerability without providing patches is not responsible”.
and the other, “Don’t fix this vulnerability as quickly as possible is not responsible”, say security researchers.

During this precious time when both sides argue, the system concerned is at the opponent’s mercy.

In order to move towards greater efficiency and to get out of sterile debates, it is therefore important to avoid speaking of “responsible disclosure”. This is why many organizations advocate the concept of “Coordinated Vulnerability Disclosure” (CVD) in order to promote and strengthen cooperation between the various actors in cybersecurity, all of whom have a common goal: Make the Internet safer.

Coordinated Vulnerability Disclosure

Coordinated Vulnerability Disclosure

Read More

Cybersecurity & Bug Bounty: Attack is the best form of defence

uillaume Vassault-Houlière President of Yes We HackBy Guillaume Vassault-Houlière | CEO of YesWeHack

Through our European platform BountyFactory.io, Bug Bounty is gaining respectability in France and Europe.

Bug Bounty is an innovative and operational practice from the United States that rewards security experts who find security flaws in IT systems.

Within a complex geopolitical context, Europe and France can compete in defending a European model of digital sovereignty.

In the light of new threats and given reports of organizations that are victims of piracy and irreversible damage, some innovative cyber security policies and approaches need to be adopted.

Cybersecurity is a powerful ally for leading digital transformation.

Read More

Page 2 of 3

Powered by WordPress & Theme by Anders Norén