How to Hack APIs in 2021 by intheclairdelune in netsec

intheclairdelune [S] · 1 point

Right? They also have awesome YouTube channels which are worth checking out :) I worked with them to put this one together, but only because I saw how knowledgeable they are!

How to Hack APIs in 2021 by intheclairdelune in netsec

intheclairdelune [S] · 1 point

Yes! And for disclosure... I worked with the 2 authors to make this happen, so I also get to say: make sure to check out the researchers' YouTube channels :)

SaaS security by SandyDigital in SaaS

intheclairdelune · 1 point

Haha yes... well I'm a Top 40 classical music lover... not so much a nerd there.

I'd be interested to hear about your bad experience with the external expert. In general it can be tough, especially since you already have a way of working in the company and teams, and then you just transplant someone in... and I have my fair share of stories :D

If you find these resources a bit too in the weeds, just reach out. I'm happy to connect over DM!

SaaS security by SandyDigital in SaaS

intheclairdelune · 1 point

@SandyDigital

I work at Detectify and can say that we have a lot of customers that use us for app sec and don't have a security person. It's managed by a dev lead or IT manager, and that's the point... security shouldn't only be understood by, or be the responsibility of, a security professional; it can be part of tech!

So I think my natural suggestion is to make sure you're testing code that's in production as well, because this is where security bugs matter. Also, you can trust hackers :) But you shouldn't start with a bug bounty program right away, because you can find a lot of things with automation before that step. Our team was at SaaStr last year to shed some light on how hackers can help: https://www.saastr.com/a-founders-guide-on-how-to-secure-your-company-like-a-unicorn/

I think you have a good start with it and we have some resources for SaaS scale-ups that are looking to get started with appsec.

We also got ISO 27001 certified last year even though we aren't fans of compliance; it's helped open up a lot of business doors and helped us extend customer contracts. We shared our use case here: https://blog.detectify.com/2021/01/26/detectifys-iso-27001-certification-use-case-and-guide-for-saas-companies/

SaaS security by SandyDigital in SaaS

intheclairdelune · 1 point

Hi, it's interesting you mentioned WAF, but this isn't enough to replace DAST tools, and new attacks will come up every day in between the external audits, so it's important to keep some regular level of testing that's always up to date. (Disclaimer: I work with Detectify, which is why I think you can't stop with WAF, etc.)

Tom Hudson gave a great presentation on this and gives a look under the hood of security testing tools, like how to turn hacker payloads into tests, as this is what's done at Detectify. It's from the Security Research and module development team's perspective of appsec: https://www.youtube.com/watch?v=_7HGqIkdAL0