Customer Blog Archives | Bugcrowd
https://live-bug-crowd.pantheonsite.io/blog/category/customer-blog/
#1 Crowdsourced Cybersecurity Platform. Feed last built Thu, 14 Dec 2023 21:11:33 +0000.

Customer Spotlight: Martin Choluj, VP of Security at ClickHouse
https://www.bugcrowd.com/blog/customer-spotlight-martin-choluj-vp-of-security-at-clickhouse/
Thu, 14 Dec 2023 21:00:15 +0000

The post Customer Spotlight: Martin Choluj, VP of Security at ClickHouse appeared first on Bugcrowd.

In a recent conversation, we had the privilege of speaking with Martin Choluj, the Vice President of Security at ClickHouse. Our discussion provided valuable insights into his experience collaborating with Bugcrowd and shed light on the critical role that crowdsourced security plays in safeguarding a brand’s intellectual property.

Choluj is a seasoned security professional with an impressive 15-year track record in the field. He is currently VP of Security at ClickHouse, a company renowned for its efficient open-source database solutions. 

Before stepping into this role, Choluj spent nearly six years as CISO at Campaign Monitor and has held various security leadership roles in international financial institutions. Alongside his practical experience, he holds a Master’s Degree in Security and Forensic Computing and a Bachelor’s Degree in Information Technology.

At its core, ClickHouse champions the principles of trust and risk reduction, and it’s this ethos that led them to explore a bug bounty program. Choluj highlights that the company’s aim is not simply compliance but to foster innovation in security and build constructive relationships with the hacker community.

Choluj’s partnership with Bugcrowd started in 2016 at a previous role, which led ClickHouse to choose our platform over others. With Bugcrowd, ClickHouse was able to tap into a global community of hackers to identify and address hidden, high-impact vulnerabilities. 

According to Choluj, a proactive approach is essential for any large-scale assurance program. He underscores the importance of crowdsourced security by saying, “Interacting with the hacker community is vital for our assurance program to operate on a large scale effectively.” 

He praises Bugcrowd’s triage response time and commitment to long-term customer success, both underpinned by a solid track record of experience. The primary challenge for ClickHouse was anticipating attack vectors and attacker ingenuity—an area where Bugcrowd’s expertise has proven invaluable.

Choluj also acknowledges a skills gap in cybersecurity, particularly when bridging the divide between security and engineering. He sees the Bugcrowd platform as a viable solution to this challenge, enabling organizations to augment their internal teams by tapping into the collective creativity of hackers. This approach effectively bridges the workforce gap, fostering a stronger synergy between different domains of expertise.

A wave of digital revolution has prompted organizations to rethink their security strategies. Old-school methods, centered on safeguarding known environments and networks, no longer suffice. Choluj asserts that the shift to remote work, amplified by the pandemic, requires a new focus on securing systems and users, regardless of location.

Choluj’s experience highlights the importance of treating cybersecurity as an ongoing strategic endeavor rather than a one-off project. His partnership with Bugcrowd shows how a platform-driven approach to crowdsourced security can strengthen an organization’s defenses by surfacing vulnerabilities that internal testing alone would miss, so they can be fixed before an attacker finds them.

Embracing crowdsourced security is more than a wise business decision in today’s intricate digital landscape; it’s a necessary step towards a secure digital tomorrow.

ExpressVPN Uses Crowdsourced Security to Continuously Improve its Security Posture
https://www.bugcrowd.com/blog/expressvpn-uses-crowdsourced-security-to-continuously-improve-its-security-posture/
Tue, 10 Oct 2023 16:00:08 +0000

The post ExpressVPN Uses Crowdsourced Security to Continuously Improve its Security Posture appeared first on Bugcrowd.

In an era where we conduct even the most crucial, sensitive parts of our lives online, VPNs are critical tools for protecting our digital privacy and security. ExpressVPN is an industry-leading privacy and security company, providing an award-winning consumer VPN service, a password manager service, and more to empower millions to take control of their internet experience. 

ExpressVPN takes the privacy and security of its users seriously. Because it operates in the privacy and security space, a breach would be especially damaging: beyond the direct impact, it could cost the company the trust of its users. ExpressVPN was concerned about attackers gaining access to its VPN infrastructure and about compromising users through its client apps. As part of its defense-in-depth strategy, ExpressVPN decided to select a managed bug bounty provider as a way to continuously review its products and services and provide the most secure user experience possible.

ExpressVPN has been using the Bugcrowd Platform for managed bug bounty since 2020. Brian Schirmacher, Offensive Security Manager at ExpressVPN, has worked in lockstep with Bugcrowd to ensure the products ExpressVPN delivers to users are as safe as possible. “Bugcrowd allows us to become aware of vulnerabilities in areas we don’t have oversight on, such as vendors making changes to third party integrations without notifying us,” Schirmacher said. The ExpressVPN public program has uncovered nearly 100 valid vulnerabilities to date, and continues to see results as skilled hackers join the program. 

Before Bugcrowd, ExpressVPN was running a self-managed bug bounty program. One key benefit of using the Bugcrowd Platform has been its focus on engineered triage for rapid validation and prioritization of vulnerabilities, which lets ExpressVPN’s engineers focus on remediation instead of filtering noise. Bugcrowd has also streamlined reporting and the reward and disclosure processes. 

ExpressVPN has also found value in Bugcrowd’s CrowdMatch technology, matching the right hackers with the right skill sets to its needs—resulting in both a higher number of hackers reviewing its products and a more specialized group of hackers relevant to its scope. 

ExpressVPN values the straightforward nature of the Bugcrowd Platform. “Bugcrowd offers reasonable terms without some of the admin/overhead/transaction fees that other players in this space have begun to add on. They’ve focused on their core service offering and ensured their primary product continues to meet customer needs,” Schirmacher said. 

Another key differentiating factor for ExpressVPN is the heavy focus that Bugcrowd takes on acting as an independent mediator between companies and hackers. This helps maintain trust, and is a huge priority for Bugcrowd. 

Learn more about ExpressVPN’s Bug Bounty program here

How T-Mobile Is Using a New Bug Bounty Program to Keep Customers Safe from Harm
https://www.bugcrowd.com/blog/how-t-mobile-is-using-a-new-bug-bounty-program-to-keep-customers-safe-from-harm/
Wed, 30 Aug 2023 15:00:00 +0000

The post How T-Mobile Is Using a New Bug Bounty Program to Keep Customers Safe from Harm appeared first on Bugcrowd.

This Q&A was originally posted on T-Mobile’s site and can be found here.  

A “threat actor” might sound like a character from some doomed Greek tragedy, but in today’s world they actually inhabit the digital stage, as individuals or groups that attack digital devices, networks or computer systems. 

“Fighting threat actors at T-Mobile is an all-day, everyday team sport,” says Mark Clancy, SVP of cybersecurity at T-Mobile. “Like all major companies, we face actors from around the globe with the intent to steal information, abuse our systems, or disrupt our operations. Services we provide to customers and partners on the internet are a frequent target of interest by these actors, and ensuring these are free from security flaws with our bug bounty program is essential.”

Which is why the company turned to Bugcrowd, the leading provider of crowdsourced security. Bugcrowd’s platform runs “bug bounty” programs, which pay ethical hackers to find vulnerabilities in a company’s systems so they can be fixed before the bad guys find them. And even just two months into the partnership, Clancy says T-Mobile is benefiting.

“The key to a good bug bounty program is to find things you did not know about before and mitigate them quickly,” he says. “We have been very happy with the rigor and velocity of execution as we ramped up the partnership.”

So how exactly does a bug bounty program work? Here, on the heels of both companies attending the preeminent cybersecurity conference Black Hat in Las Vegas recently, we talk to Casey Ellis, founder and CTO of Bugcrowd to find out more about bug bounty programs and how his company is working with T-Mobile to help keep its customers safe.

What is a bug bounty program and what kinds of companies have them?

A bug bounty program is a sponsored, organized effort that compensates ethical hackers for surfacing and reporting otherwise unknown network and software security vulnerabilities, enabling the digital connected business to manage and reduce their cybersecurity risks. The combination of the diversity of participants and the “pay on success” model is orders of magnitude more effective than traditional consulting approaches to risk discovery. 

Bug bounty programs have continued to grow in scope and popularity, partly due to current security resource models and cost. They can help close the gap between security and development.

Because of the nature of crowdsourced security, there is a misconception that only tech companies use bug bounty programs. This simply isn’t true. Most industries leverage bug bounty programs, even highly regulated industries such as financial services and government. 

Can you walk us through the concept behind crowdsourced security, and how that drives your particular bug bounty program?

The idea behind crowdsourced security is really a simple one — I wanted to build a platform that connects the latent potential of those who hack in good faith around the world with as much of the global cybersecurity community as possible. Crowdsourced security provides internet builders and defenders with an army of allies to take back control and outpace threat actors.

So many of the pain points that inspired crowdsourced security a decade ago still exist today — multiplying attack surfaces, under resourced and overburdened teams, and cutting-edge threat actors.

Crowdsourced security helps organizations stay ahead of attackers before they even think about striking, empowering organizations to proactively safeguard their brand and intellectual property while taking back control.

How does this all work with partnership between T-Mobile and Bugcrowd?

Here at Bugcrowd, we love working with customers like T-Mobile who are so committed to protecting their customers, employees, partners and brand. T-Mobile’s bug bounty program launched in July as an opportunity for hackers to hunt on T-Mobile’s applications and systems in order to find potential security vulnerabilities and report them. From there, T-Mobile evaluates the reported vulnerabilities and promptly takes appropriate action.

To encourage research and responsible disclosure of security vulnerabilities, T-Mobile is inviting ethical hackers to work on this program and have a chance to earn a range of payments, dependent on the criticality of the vulnerability submitted. 

It has been really amazing to watch the success of this program over such a short time since launch — we’re seeing incredibly fast remediation times. We’re proud to partner with T-Mobile to help keep their systems secure.

How do you see cybersecurity evolving over the next few years?

Traditionally in security, we fall back on the fundamentals, which is the right place to start. The simple things are vital for a reason. Do them well and ensure that your organization is capable of “outrunning the other guy” before it attempts to “outrun the bear.”

That being said, we’re really entering a new era of cybersecurity, and I believe security is going to become a lot less predictable. One reason for this is the impact of generative AI becoming mainstream. Aspects of hacking are being automated, creating a swath of new techniques, threats, vulnerabilities and opportunities for impact. A broader variety of threat actors now have access to more powerful tools to create a bigger impact faster. If you want to learn more about this, I recommend checking out Bugcrowd’s newest report, Inside the Mind of a Hacker, which dives into the ways hackers are leveraging generative AI.

What makes you confident that Bugcrowd will be ready for this future, and able to continue to help companies like T-Mobile keep threat actors at bay?

At Bugcrowd, we talk a lot about the “burglars and locksmiths” of cybersecurity. Think of threat actors as burglars and the hackers helping organizations through crowdsourced security programs as locksmiths. Both parties use creative ways to try to open a locked door, but only locksmiths have good intentions.

Even though there are a lot of concerns out there about the ways threat actors are going to leverage generative AI, we can’t forget that the locksmiths have access to the same cutting-edge AI technology. According to the “Inside the Mind of a Hacker Report,” 94% of hackers plan to start using AI in the future to help them ethically hack. I’m really encouraged by the ways I’m seeing the hacker community leverage generative AI as a way to streamline their security research workflows.

It’s exciting to partner with industry leaders like T-Mobile, because together we can really make a difference in cybersecurity. By continuing to empower hackers on crowdsourced security platforms, we start to level the playing field, ultimately helping organizations keep their systems and data secure. 

T-Mobile and Bugcrowd launched a revamped public bug bounty program on August 30, 2023. Security researchers can earn up to $10,000 per vulnerability found. To learn more or sign up, check out Bugcrowd.com/T-Mobile.

Axis Communications Reduces Risk with Bugcrowd’s Cybersecurity Platform
https://www.bugcrowd.com/blog/axis-communications-reduces-risk-with-bugcrowds-cybersecurity-platform/
Tue, 27 Jun 2023 15:45:32 +0000

The post Axis Communications Reduces Risk with Bugcrowd’s Cybersecurity Platform appeared first on Bugcrowd.

How Axis Communications uses crowdsourced security to uncover in-depth intelligence and strengthen their multi-layered security strategy.

Although cybersecurity has increasingly become a global IT priority, it has not fully made the leap into the world of device interoperability and data sharing over a network. With the risk of cyberattacks on the rise, strong IoT cybersecurity programs have become vital to protecting critical infrastructure and to developing prevention strategies that build and maintain client trust.

As an industry and market leader in video surveillance and IoT security solutions, Axis Communications is making its mark and spearheading the way for device cybersecurity by developing a multi-layered approach that focuses on enabling a smarter and safer world.

To find out more, we spoke with Andre Bastert, Product Manager at Axis Communications about how they’re prioritizing their security solutions and why they’re using Bugcrowd’s platform and solutions to create a comprehensive cybersecurity protection strategy for their customers.

Q: Tell me a bit about Axis Communications

A: Having been in business nearly 40 years, Axis Communications is an industry leader in video surveillance and IoT solutions. We enable a smarter and safer world by creating solutions that improve security and business performance. As a network technology company, we offer solutions in video surveillance, access control, intercom, and audio systems. Axis has around 4,000 employees that operate in over 50 countries and we collaborate with technology and system integration partners worldwide to deliver exceptional customer solutions.

Q: Why is cybersecurity important for your customers in the IoT and surveillance industry?

A: Axis has integrated cybersecurity considerations into our entire development lifecycle, where we have worked with external security researchers and ethical hackers to help make our products even more secure. Because of this, we saw more opportunity to scale our operations out to a crowd of ethical hackers. Engaging closely with skilled external security researchers who have IoT device knowledge provides an invaluable opportunity to improve the continuous assessment of our physical security solutions. We decided to partner with Bugcrowd to deliver the bug bounty services that helped expand on our multi-layered cybersecurity strategy. With this approach, we can ensure that we are delivering secure products and solutions while continuing to build trust with our customers.

Q: Why did you choose Bugcrowd?

A: This was an important project for us, and we welcomed Bugcrowd’s ‘crawl, walk, run’ philosophy, as well as their CrowdMatch capabilities. From day one we have been matched with researchers who properly understand our devices and our challenges. This is why we chose the Bugcrowd Platform over competitors: Bugcrowd helps us engage superior hacker talent that aligns with our security goals. Overall, we have benefited from real flexibility, scalability, and from feeling looked after and fully supported. Our partnership with Bugcrowd is helping to create a smarter, safer, and more cybersecure world.

Q: What are the biggest outcomes you have seen?

A: Using the Bugcrowd platform to search for vulnerabilities and bugs, we have been able to identify, confirm, patch, and disclose multiple vulnerabilities in AXIS OS, our Linux-based operating system that drives Axis’ products, all while maintaining comprehensive protection for our customers through an integrated program of activity, including advanced penetration tests, vulnerability disclosure programs, and attack surface management.

About the customer

Andre Bastert is a Global Product Manager at Axis Communications. He is responsible for cybersecurity in the AXIS OS platform, the Linux-based operating system that powers Axis network products. Vulnerability and lifecycle management, as well as driving the security-related functionality roadmap of the AXIS OS platform, are his main tasks. Andre started his career at Axis in 2014 as a technical support engineer. Before taking on his current position he worked as a product specialist for the AXIS OS platform.

Bugcrowd Uncovers Up to 20x More Vulnerabilities for TX Group
https://www.bugcrowd.com/blog/bugcrowd-uncovers-up-to-20x-more-vulnerabilities-for-tx-group/
Wed, 02 Nov 2022 20:53:19 +0000

The post Bugcrowd Uncovers Up to 20x More Vulnerabilities for TX Group appeared first on Bugcrowd.

TX Group AG (formerly Tamedia AG) is the largest private media group in Switzerland. It publishes a portfolio of daily and weekly newspapers, magazines and digital platforms that, collectively, reach over 80 percent of the Swiss population every day. One of its titles — 20 Minuten, a free newspaper available at every Swiss train station and every stop, as well as via a digital portal — reaches 60% of the population every week. 

Media companies like TX Group remain firmly in the bullseye for cyberattackers, so they must be extra-vigilant. That is a considerable challenge for TX Group, which has 3,700 staff across its individual companies, including over 500 developers at 50+ locations worldwide, and is constantly launching new digital products and services.

In November 2020, the company was subjected to a daily barrage of DDoS attacks. TX Group went public and confirmed that other media companies had been attacked as well. This open collaboration resulted in shared information about how to better deal with such an attack and ramp up DDoS protection.

TX Group brought the same open-minded approach to vulnerability discovery through the adoption of bug bounty programs on the Bugcrowd Security Knowledge Platform™ as a core strategy. The company now runs two public programs that have superseded annual audits at the group’s digital companies, vulnerability scanning of on-premises legacy solutions, and a managed SOC.

Why Bugcrowd?

TX Group chose Bugcrowd after considering proposals from several major bug bounty solution providers, including Bugcrowd, HackerOne, YesWeHack, and Synack. Proposals were evaluated based on a cost-benefit analysis (price), availability of a managed platform, availability of pre-built integrations (e.g. Slack, Jira etc.) and — most important — the ability to provide the SecDevOps team with a customized solution.

Outstanding Results

TX Group’s managed bug bounty program has delivered outstanding results. Even with the company conducting initial audits before commencing programs, up to 20 times more vulnerabilities were discovered in some cases, and a significant number of vulnerabilities were designated as critical. 

Not only are TX Group assets now more secure, but its investments in security can now be more directly tied to results because bounties are paid only for validated vulnerabilities. In contrast, a classic audit always incurs costs, whether valid vulnerabilities are found or not.

Learn More

To learn more, read the TX Group Case Study here.
Atlassian’s CISO tells the story of his journey from hacker to security executive
https://www.bugcrowd.com/blog/security-flash-atlassian/
Wed, 26 Aug 2020 00:00:00 +0000

The post Atlassian’s CISO tells the story of his journey from hacker to security executive appeared first on Bugcrowd.

Cybersecurity researchers and ethical hackers work against bad actors for the good of society. But who are these security researchers? Ashish Gupta, CEO at Bugcrowd, spoke to Adrian Ludwig, CISO at Atlassian, to get the lowdown on his journey from hacker to security executive, how he manages security for such a diverse IT environment, and how he’s bringing crowdsourced security to the wider community.

How did you end up working in cybersecurity?

Adrian: I started out at the NSA – mainly because they offered to pay for me to go to college, which was an opportunity I might have missed out on otherwise. I was originally interested in cryptography, but then I discovered something even more exciting – ethical hacking. Following my time at the NSA, I had security roles at Adobe Systems and Android. I also spent several years consulting, which involved helping to find vulnerabilities in various web apps and operating systems. In 2018, I joined Atlassian as CISO, so now I’m responsible for protecting assets from the inside.

How has cybersecurity changed over the years in your experience?

Adrian: For me, cybersecurity has always been about trying to solve interesting problems, but the landscape has evolved, which has demanded a different approach. Early on, security was primarily seen as a technical issue, whereas now, a lot of the problems in the security space are organizational, so that’s where I try to focus – on people, process, and organization.

Having been on both sides, can you share any insights into the relationship between hackers and security personnel?

Adrian: Twenty years ago, the two communities didn’t interact much – the hackers and the people building defenses were pretty separate. Most people didn’t have a very good grasp of bug hunters at all, to be honest – there was just their glorified image in movies like Hackers or The Matrix. Now, I think there’s a much better understanding of what attackers do and how they work, and greater interaction between those communities.

You’re responsible for security for a large and diverse IT environment – how do you ensure everything gets fixed?

Adrian: I don’t think it’s always necessary, or even possible, to fix absolutely everything. My job is more about identifying the right things to fix. A lot of it is pretty basic – making sure you’re updating and patching systems on a regular basis and frequently checking your infrastructure. With continuous updates, you create an environment that’s much harder for an attacker to get to grips with, and if you’re interacting with the environment regularly you’re more likely to identify anomalies that could indicate a problem. One of the key lessons I’ve learnt over the years is that it’s impossible to know about everything in a modern enterprise, so I don’t expect to. I trust in my team and each member’s ability to handle their specific area of responsibility. It’s a strategy that’s working so far – we’re well-equipped to defend against any potential attack.

Why do you use crowdsourced security?

Adrian: We’re bound to have some blind spots, and they’re what concern me the most. But that’s where diversity comes into play. With people from various different backgrounds and with a multitude of experiences, we’re more likely to pick up issues faster. That’s why working with a broad set of people outside the Atlassian environment to look at our systems is incredibly important. No matter how much pen testing we do, no matter how many internal evaluations or analysis tools we run, it’s always going to be beneficial to have other people checking our environment. It’s a win-win situation – either the Crowd finds something we didn’t see, in which case we can fix it. Or they don’t find anything, which validates our efforts.

How are you bringing crowdsourced security to the wider community?

Adrian: At Atlassian, we have a whole ecosystem of partners creating applications that plug directly into the Atlassian infrastructure to extend its functionality, and we make their applications available via our ecosystem marketplace. Many of these partners are fairly small development companies that don’t necessarily have enough employees to warrant a CISO or even a full-time security person – certainly nobody that’s dedicated their life to security. We’ve put a lot of effort into working out how to give those smaller developers access to security talent and robustness. Some of this involves proactive reviews on our part, but we’re also starting to expand our bug bounty program to include coverage for the marketplace as well, so they can leverage the benefits that we’re getting. It’s good for them, good for us, and of course better for our customers as they know they can trust the security of marketplace products as much as our own.


To find out more about Adrian and his work at Atlassian, go to https://www.atlassian.com/blog/technology/a-conversation-with-adrian-ludwig-our-ciso
Program Spotlight: Bitdefender
https://www.bugcrowd.com/blog/customer-spotlight-bitdefender/
Tue, 11 Aug 2020 00:00:00 +0000

The post Program Spotlight: Bitdefender appeared first on Bugcrowd.

About Bitdefender:

Bitdefender is a global leader in cybersecurity, protecting over 500 million systems for more than 18 years in more than 150 countries. Powered by its depth of security expertise and rapid pace of research and development, Bitdefender’s long-standing mission is to deliver transformative security technologies to the world’s users and organizations.  

About the Program: 

Bitdefender’s public bug bounty program is focused on identifying vulnerabilities in any assets (infrastructure or products) bearing the Bitdefender brand. Currently the program is putting a particular spotlight on a new billing and subscription platform and, as such, is running a promotion offering substantially increased rewards for any P1 and P2 vulnerabilities found there.

What’s In It For You: 

They are currently running a reward event where they have increased their P1 and P2 rewards by 50% for any findings in the new billing and subscription service. The specific targets that are a part of this reward event include: 

The reward ranges for bugs found on these targets are: 

Technical Severity    Low Reward    High Reward
P1                    $4,650        $7,500
P2                    $2,000        $4,500
P3                    $200          $500
P4                    $100          $200

Scope: 

Assets in scope of the main Bitdefender program include: 

  • *.bitdefender.com
  • *.bitdefender.net
  • Bitdefender Total Security 2020
  • Bitdefender GravityZone Business Security
  • Bitdefender Antimalware Engines

Skills: 

This is an attractive program for anyone with skills as a web-focused pentester.

What Can You Expect From This Program:

When working with the Bitdefender team, you can expect them to: 

  • Extend Safe Harbor for your vulnerability research 
  • Work with you to understand and validate your report, including a timely initial response to the submission
  • Work to remediate discovered vulnerabilities in a timely manner
  • Recognize your contribution to improving their security 

Interested in learning more? 

Portswigger’s Web Security Academy: https://portswigger.net/web-security

Cyber Mentor’s video course on Web Application Hacking: https://www.youtube.com/watch?v=24fHLWXGS-M

OWASP’s Mobile Security Guide:  https://owasp.org/www-project-mobile-security-testing-guide/


The post Program Spotlight: Bitdefender appeared first on Bugcrowd.

Program Spotlight: ExpressVPN Public Bug Bounty https://www.bugcrowd.com/blog/expressvpn-public-bug-bounty/ Wed, 15 Jul 2020

About ExpressVPN:

ExpressVPN operates thousands of VPN servers and makes cross-platform VPN applications for all major desktop and mobile operating systems as well as routers and browser extensions.

About the Program:

ExpressVPN’s public program will be focused on:

  • Vulnerabilities in its client applications, especially vulnerabilities that lead to privilege escalation
  • Any kind of unauthorized access on its VPN servers
  • Vulnerabilities that expose customer data to unauthorized persons or otherwise put it at risk
  • Vulnerabilities that weaken, break or otherwise subvert VPN communications in a way that exposes the traffic to other VPN product users 

What’s In It For You:

ExpressVPN has run a self-hosted public bug bounty program since 2016 and is now leveraging the growing talent of the Crowd. This program has a P1 reward range of $2,100 – $2,500 and an average payout of $750. With a variety of target assets and skill types, this program has opportunities for all researchers, from recon to deep dives into security vulnerabilities.

Scope:

Assets in scope include:

  • VPN servers
  • ExpressVPN iOS application
  • ExpressVPN android application
  • ExpressVPN Linux application
  • ExpressVPN macOS application
  • ExpressVPN Windows application
  • ExpressVPN Router
  • ExpressVPN Firefox extension
  • ExpressVPN Chrome extension
  • MediaStreamer DNS servers
  • ExpressVPN APIs
  • expressvpn.com
  • *.expressvpn.com
  • *.xvservice.net
  • *.expressobutiolem.onion
  • Apple App Store (886492891)
  • Google Play (com.expressvpn.vpn)
  • Internal systems:
    1. Employee email
    2. Internal chat messages
    3. Source code hosting
    4. Any vulnerability that compromises the privacy of our employees
  • Additionally, any publicly accessible host that is owned or operated by ExpressVPN that is not in the above list may be considered in-scope on a case-by-case basis.
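Scope lists like the one above (and the Bitdefender list earlier on this page) mix exact hostnames with wildcard entries, and the difference matters: a wildcard such as *.expressvpn.com covers subdomains only, which is why the apex expressvpn.com is listed separately, while *.xvservice.net has no apex entry. The following is an added example, not ExpressVPN's or Bugcrowd's own tooling, that filters recon output against the domain-style entries of this scope. It assumes the usual Bugcrowd wildcard convention (subdomains match, the apex does not); the app store identifiers, "VPN servers" and the case-by-case clause are not hostname patterns and are deliberately not encoded. The candidate hostnames are constructed for illustration.

```python
"""Filter recon output against a bug bounty program's domain scope.

Added example, not ExpressVPN's or Bugcrowd's own code. SCOPE is copied from
the program listing above; RECON_OUTPUT is a constructed sample, not real
recon data.
"""
from urllib.parse import urlsplit

# Domain-style scope entries only. App store IDs, package names and
# "VPN servers" are not hostname patterns and are handled out of band.
SCOPE = [
    "expressvpn.com",
    "*.expressvpn.com",
    "*.xvservice.net",
    "*.expressobutiolem.onion",
]

# Constructed sample of what a subdomain enumeration run might emit:
# mixed case, URLs, ports, trailing dots and a few look-alikes.
RECON_OUTPUT = [
    "https://www.expressvpn.com/",
    "api.EXPRESSVPN.com.",
    "xvservice.net",                 # apex: the wildcard does not cover it
    "cdn.xvservice.net:443",
    "expressvpn.com.evil.example",   # suffix look-alike, must stay out
    "notexpressvpn.com",             # prefix look-alike, must stay out
    "abc123.expressobutiolem.onion",
]


def normalize_host(candidate: str) -> str:
    """Reduce a URL or host[:port] to a lowercase hostname, no trailing dot."""
    target = candidate if "://" in candidate else "//" + candidate
    host = urlsplit(target).hostname or ""   # .hostname is already lowercased
    return host.rstrip(".")


def matches(pattern: str, host: str) -> bool:
    """Bugcrowd-style wildcard (assumed convention): '*.example.com' matches
    any subdomain but not the apex 'example.com'; an exact entry matches
    only itself. Suffix comparison includes the leading dot so that
    'evil-example.com' and 'example.com.evil.net' are rejected."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(candidates, scope=SCOPE):
    """Split candidates into (in_scope, out_of_scope) hostnames.

    Out-of-scope hosts are returned rather than dropped: the program says
    other ExpressVPN-operated hosts may be accepted case by case, and that
    decision belongs to a human, not to this matcher."""
    in_scope, out_of_scope = [], []
    for candidate in candidates:
        host = normalize_host(candidate)
        if not host:
            continue
        bucket = in_scope if any(matches(p, host) for p in scope) else out_of_scope
        bucket.append(host)
    return in_scope, out_of_scope


if __name__ == "__main__":
    ok, review = classify(RECON_OUTPUT)
    print("in scope:      ", ok)
    print("needs review:  ", review)
```

Run it before pointing any scanner at a host list: everything in the second bucket either stays untouched or goes to the program owner as a scope question first.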

Valid bug reports include any bugs related to the privacy and security capabilities of:

  • ExpressVPN’s VPN and DNS servers
  • ExpressVPN apps
  • ExpressVPN browser extensions
  • ExpressVPN websites
  • ExpressVPN profiles on the App Store and Google Play Store

Skills:

This is an attractive program for anyone with skills in:

  • Web app security
  • API security
  • Thick client security in Windows, Mac and Linux apps
  • Mobile app security for iOS and Android
  • Browser extension security for Edge, Firefox, and Chrome
  • Router firmware and related security
  • VPN and encryption protocol security

What Can You Expect From This Program:

When working with the ExpressVPN team, you can expect them to:

  • Extend Safe Harbor for your vulnerability research
  • Work with you to understand and validate your report, including a timely initial response to the submission
  • Work to remediate discovered vulnerabilities in a timely manner
  • Recognize your contribution to improving their security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change

Interested in learning more?

The post Program Spotlight: ExpressVPN Public Bug Bounty appeared first on Bugcrowd.

Program Spotlight: Upwork https://www.bugcrowd.com/blog/customer-spotlight-upwork/ Thu, 25 Jun 2020

Upwork’s senior information security engineer reveals how a public bug bounty program helps reassure clients and keeps the company’s critical platform secure

In today’s fast-paced world, organizations need a fast-paced solution to finding skills and resources. The Upwork platform was launched in 2015 to connect corporate clients with freelancers across the globe. But to safeguard its services and reputation, Upwork must ensure this ground-breaking platform is safe from security breaches and malicious attacks.

We spoke to Alex Bod, Senior Information Security Engineer at Upwork, about how he’s helping to keep the company’s business-critical solutions safe with a public bug bounty program.

Tell us a bit about Upwork

Upwork is a flexible talent solution, operating across over 180 countries. We connect organizations to experts in a wide range of fields, from software development and design, to marketing and accounting. Our proposals process, online workspace, and payment protection means teams across the globe can work together easily and with greater confidence. I’ve been there since 2017 in my role as an information security engineer, and it’s a very innovative and rewarding place to work.

Why does Upwork rely on crowdsourced security to protect its platform?

In my opinion, crowdsourced security is the best way for us to find vulnerabilities – it’s on a completely different level to standard pen testing. We have a public bug bounty program with Bugcrowd, which means that we have access to an entire crowd of ethical hackers, all working to locate bugs within our platform. Without that breadth, we’d never be able to find such a wide range of vulnerabilities so quickly.

How does working with Bugcrowd help reassure your clients?

Our larger clients, in particular, are really hot on security. We hold a lot of confidential and sensitive data, so we need to be able to demonstrate to clients big and small that their information is safe with us. By working with Bugcrowd, we can show that we’re committed to the highest levels of security, and provide our clients with reports that prove it. It’s a no-brainer for us, so we’ve always had full support from the board in choosing crowdsourced security.

What successes have you seen from the program so far?

We’ve been running the program for nearly two years now, over which time we’ve fixed and closed more than 429 bugs and vulnerabilities. It’s a seamless process – researchers file their submissions, Bugcrowd’s triage team validates them and passes them to us for resolution. Once we’ve fixed a bug, we ask the hacker who found it to re-test and mark it as fixed if appropriate. Sometimes, if a researcher has put a lot of work in, we reward them even if the submission isn’t valid.

What’s it like working with Bugcrowd?

Our program managers are great! They’re really supportive and helpful. And the program health dashboard means we can always see the value we’re getting at a glance. I don’t think there’s a better way to find vulnerabilities.

“By working with Bugcrowd, we can show that we’re committed to the highest levels of security, and provide our clients with reports that prove it.” Alex Bod, Senior Information Security Engineer, Upwork

Based in Kiev, Ukraine, Alex is an expert in information security with 11 years’ professional experience. To find out more about Alex and his love of Unix, artificial intelligence, and music, you can read his blog here https://www.alexbod.com/.


The post Program Spotlight: Upwork appeared first on Bugcrowd.

Leading Through Disruption: Six Best Practices from Security Leaders on Coping with COVID-19 https://www.bugcrowd.com/blog/leading-through-disruption-six-best-practices-from-security-leaders-on-coping-with-covid-19/ Thu, 25 Jun 2020

COVID-19 has been an unprecedented event, causing organizations across the globe to rethink how they work overnight. We recently spoke to four security leaders about how they’re navigating the business impacts of COVID-19 and asked them to share their best practices. 

Meet the panel:

Chris Merkel, Senior Director for Cybersecurity Operations, Northwestern Mutual

With more than a decade of experience as a senior security leader, Chris is responsible for DevSecOps and counter-threat teams at Milwaukee-based financial services organization Northwestern Mutual.

Dave Farrow, Senior Director Information Security, Barracuda Networks

Responsible for leading and influencing security strategy across the company, Dave helps protect digital assets at security, networking, and storage specialist Barracuda Networks. He also leads the company’s initiatives in evaluating, identifying, and reporting on information protection and security risks while driving resolution, response, and mitigation.

Eric Johnson, Chief Information Officer, SurveyMonkey

Eric oversees the IT vision and roadmap at cloud-based survey company SurveyMonkey. He drives priorities such as security, data infrastructure, business intelligence, and enterprise tools that maximize efficiency.

Harshil Parikh, Head of Security, Medallia

With more than 15 years’ experience as a security practitioner, Harshil is currently focused on the democratization of security at customer experience management company Medallia. He helps ensure the scalability and effectiveness of the secure product development lifecycle, DevSecOps, monitoring, and incident response.

Tip 1: Protect your employees

With remote work no longer just an option but a necessity, our panel unanimously agreed that the most important responsibility of security leaders right now is to look after their people so teams can continue to work productively and securely from home.

From an IT security perspective this means protecting employees from the increase in phishing and spamming attacks. “Organizations around the world have just engaged in a broad scale zero trust experiment, with the entire workforce operating in unknown environments all day long,” explains Dave. “To ensure employees don’t become unwitting victims, organizations must have in place email security, endpoint security, and a comprehensive access control program that includes multi-factor authentication.”

Tip 2: Put people first

Security shouldn’t be the only concern for leaders – team health and well-being must also be prioritized in the current environment. “For SurveyMonkey, productivity isn’t tapering off and people are actually working longer hours, but they’re also under additional stress,” comments Eric. “People are our most valuable asset and keeping them healthy is now more important than ever before, but also much harder. We might be used to leading from a technology perspective, but it’s time to switch to a people-first mode.” 

This can mean taking different approaches for employee well-being that are usually taken for granted. For example, our panel agreed that ergonomics are an important factor to take into consideration, and have made stipends or discounted deals available. “We don’t want staff working from the sofa with their laptop on an ironing board!” says Chris. “We’ve partnered with an office equipment specialist to offer discounted products to make sure our staff are safe and comfortable in their working environment.”

It’s also important to bear in mind that there’s no one-size-fits-all for employee health and well-being, as Harshil reminds us. “In the US, we’re generally lucky with large houses and plenty of space, but this isn’t always the case in other parts of the world. Some people will struggle to work productively from home, and it’s important to take this into account when putting solutions in place.”

Tip 3: Ramp up communications

Another vital factor in employee satisfaction is maintaining consistent communications. “We’ve established new patterns for the current work environment, which has meant increasing team meetings from once a week to every other day, to help keep everyone aligned and on track,” says Harshil. “But you need to be cautious not to overwhelm people. We’re trying to retain a balance, so they can continue to focus on their work as well.”

Eric recommends conducting regular surveys to check in on people, as he explains, “We’re sending out a pulse survey every two weeks to get feedback from the company as a whole. It helps us understand how people are feeling and the support that they need.” 

It’s not just about formal contact, however, but also replacing those casual water cooler conversations in the right way. “Although colleagues need to continue to chat, we’ve found that it’s not something that works from a top-down mandate, as people are already working around challenges such as childcare,” advises Chris. “It’s better to have organic happy hours and trivia sessions.”

Tip 4: Regularly revisit your processes

While people are priority number one, and technology is of course essential, process is the third pillar that is vital for resilience and retaining productivity in the new working environment. “We’re putting lots of time and energy into ensuring our processes are rock solid,” affirms Eric. “Whether it’s incident response or user support, we’re constantly revisiting our processes as things change to ensure nothing falls through the cracks.” 

Tip 5: Document changes and decisions as they’re made

With massive organization-wide changes being made rapidly, the only way to keep on top of things is to ensure every decision is documented. “When the dust settles it will be important to go back and review what happened so you can evaluate changes in a calmer light and adjust them as necessary,” explains Dave. “The systems being put in place are likely to last for the foreseeable future and you probably won’t get them all completely right the first time; so leaving a trail of breadcrumbs will help you shore up the changes as you have time.”

Tip 6: Continue to leverage the changes that work

Although many of the transformations made to cope with COVID-19 weren’t meticulously planned in advance, some of them have undoubtedly delivered benefits, and there’s no reason why they shouldn’t remain. In fact, in some cases, you might find employees are reluctant to go back to the old ways. “Now that it’s clear that virtually all of our business functions can operate remotely, it’s likely that the capability for remote work will remain available,” comments Dave.

Embracing remote working doesn’t just impact existing employees, however, but also the way in which organizations recruit and onboard new talent, particularly in areas where security skills are in short supply. “Remote working has proven itself, so there’s less pressure for the security team to be local,” adds Dave. “As a result, we can take advantage of a much wider pool of talent, which will help us optimize security throughout COVID-19 and into the future.” 

While addressing COVID-19 has no doubt been challenging, it’s also enabled organizations to learn important lessons that will benefit them in the future. We hope the advice from our security leaders will help your organization stay secure and productive in these difficult times.

To find out more about how Bugcrowd can help your organization stay secure through COVID-19, go to https://www.bugcrowd.com/try-bugcrowd/.

The post Leading Through Disruption: Six Best Practices from Security Leaders on Coping with COVID-19 appeared first on Bugcrowd.
