Bounty Programs with Michael Vance

https://is1-ssl.mzstatic.com/image/thumb/Podcasts221/v4/19/7c/1c/197c1c4b-2334-6c9f-4d9c-6c94e0aa6dab/mza_2401321671785836310.jpg/600x600bb.jpg

Secrets of AppSec Champions

Chris Lindsey

15 episodes

3 months ago

Join host Chris Lindsey as he digs into the world of Application Security with experts from leading enterprises. Each episode is theme based, so it's more conversational and topic based instead of the general interview style. Our focus is growing your knowledge, providing useful tips and advice. With Chris' development background of 35 years, 15+ years of secure coding and 3+ years running an application security program for large enterprise, the conversations will be deep and provide a lot of good takeaway's that you can use almost immediately.

Technology

Science

RSS

All content for Secrets of AppSec Champions is the property of Chris Lindsey and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Technology

Science

Bounty Programs with Michael Vance

Secrets of AppSec Champions

24 minutes

11 months ago

Bounty Programs with Michael Vance

In this episode of "Secrets of AppSec Champions," host Chris Lindsey engages with Michael Vance, the CISO at Navient, to explore the nuances of bounty programs and their integration with traditional penetration testing. Michael discusses the journey of transitioning from a managed vulnerability disclosure program (VDP) to a full-scale bug bounty program. He highlights the importance of establishing clear policies and scopes for these programs to ensure effective and safe collaboration with external hackers. Through these structured programs, Navient was able to address resource constraints, boosting their testing capabilities threefold while reducing costs.

The conversation also delves into the historical challenges faced by companies in managing security reports, often due to mistrust and insufficient communication channels. Michael and Chris stress the value of legal, structured avenues for ethical hacking, enabling companies to receive and act on security findings without friction. They discuss the potential risks, such as the involvement of 'black hat' hackers, and how employing established platforms like Bugcrowd or HackerOne helps mitigate these concerns by vetting participants and managing the process. This approach not only enhances security but also publicly demonstrates the company's commitment to safeguarding data.

Towards the end, Michael shares invaluable advice for security practitioners: the critical need to fully understand the problems they are tasked with solving, which often involves grasping both technical and business aspects. This holistic understanding is crucial for devising effective security measures. The episode concludes with Chris thanking Michael for his insights, reaffirming the episode's focus on creating efficient, secure systems for managing and mitigating vulnerabilities through both internal efforts and external collaborations.

Key Topics by time stamps:
04:40 Transitioning App Security Services: From Ethical Hacking to Testing Stream

06:43 Boosting Application Workload Capacity through Efficient Testing Measures

10:02 Establishing Policies and Rules for Ethical Hacking

14:47 Evaluating the Effectiveness of Repeated Testing

19:51 Reviving a Project and Uncovering Unexpected Flaws

21:59 Effective Security: Understanding the Problem

For more amazing application security information, please visit the following LinkedIn communities:
https://www.linkedin.com/company/appsec-hive

Provided by Mend.io (https://mend.io)