Far too often, testing software for security flaws falls into the “nice to have” category, taking a backseat to the demands of the marketplace and inflexible feature release schedules. In addition to the expense of hiring an outside security testing team, testing for and fixing obscure security bugs hinders an engineer’s ability to put new code in the hands of customers. Fortunately, there is a workaround to this dilemma that promotes application security awareness while helping to reduce security bugs in your applications.
Internal bug hunts, in which employees compete for prizes by finding and reporting security bugs, enable security teams to harness the creativity and problem-solving skills of the workforce while reducing security bugs in their applications. Pieter Ockers explains how bug hunts promote a culture of security awareness by involving participants outside of the security team in a fun and challenging activity.
An internal bug hunt contest can help you:
Pieter details how to structure a bug hunt program, how to fund it, how to sell it to senior leadership and decision makers, and how to measure the impact.
Pieter Ockers is a senior security program manager and a member of Adobe’s product security incident response team (PSIRT). In an effort to bend the growth curve of application vulnerabilities reported to Adobe’s PSIRT by third-party security researchers, Pieter launched an internal bug hunt contest at Adobe as a cost-effective method to reduce security vulnerabilities while increasing security awareness and building a community of internal pen testers. Based in San Francisco, Pieter is passionate about engaging with the security research community to build a stronger, more secure and resilient ecosystem.
©2017, O'Reilly Media, Inc. • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners.