Bugcrowd - Cybersecurity

Updated: Apr 19

Since 2012, Bugcrowd has been empowering organizations to take back control and stay ahead of threat actors by uniting the collective ingenuity and expertise of their customers and a trusted alliance of elite hackers with their patented data- and AI-powered Security Knowledge Platform™. Their network of hackers brings diverse expertise to uncover hidden weaknesses, adapting swiftly to evolving threats, even against zero-day exploits. With unmatched scalability and adaptability, the data- and AI-driven CrowdMatch™ technology in their platform finds the right talent for each customer's unique fight. They are creating a new era of modern crowdsourced security that outpaces threat actors.



The cybersecurity event on 16 April 2024 commenced with an introduction from David Gerry, CEO of Bugcrowd, where he outlined Bugcrowd’s vision for the future and plans for growth and expansion throughout the Asia Pacific region in 2024/5 and beyond.


Next in line was a talk by industry thought leader Casey Ellis, Founder & CSO, Bugcrowd, on "Cybersecurity trends in 2024 – AI Safety and the Role of Crowdsourced Security". Casey started his career as a hacker and soon became a cybersecurity entrepreneur, pioneering the Crowdsourced Security as a Service model and launching the first bug bounty programs on the Bugcrowd platform. Casey has advised the US Department of Defense, the Australian and UK intelligence communities, and US House and Senate legislative initiatives, including the pre-emptive protection of cyberspace ahead of the 2020 Presidential Elections.



AI is changing software from a collection of functional systems concerned with trading data and handling transactions according to a predetermined set of rules, to an evolutionary ecosystem that creates new assets and modifies the rules as it goes. This has huge implications not just for cybersecurity in the conventional sense but for the safety of AI’s interactions with the people it serves.


Emerging AI safety legislation in the US and EU is concerned not with whether systems are safe in the conventional sense (i.e. that they work as intended) but with whether they could exacerbate or create moral and social harms, for example by confirming biases that favor one section of the population and disadvantage another. In his introductory session, Casey Ellis explored the scope of AI safety and suggested how the principles and practices of crowdsourced security could hold vital clues.


We also had the opportunity to gain insights and participate in briefing sessions with members of the hacker community led by Sajeeb Lohani, a celebrated white-hat hacker listed in the Hacker Hall of Fame for Amazon, Yahoo, GitHub, AT&T, the US Department of Defense and others. We discussed a plethora of topics, from ethical hacking and strategies for effective threat management to emerging cybersecurity trends and vulnerabilities and the role of AI-powered security. His keynote was on "Leveraging the power of Ethical hackers".


The panel of cybersecurity experts and representatives from the hacker community discussed a range of topics, from unlocking the secrets of effective threat management to cybersecurity and cybercrime analytics, as the line-up of hackers and technologists debated the crucial role ethical hacking plays in fortifying digital defences.


They examined strategies, best practices and insights on harnessing the ethical hacker's prowess to stay one step ahead in the ever-evolving threat landscape, and also reviewed proactive cybersecurity measures that can redefine the way organizations safeguard their digital assets.



This was then followed by a discussion with experienced CISOs led by Nick McKenzie, who has held CISO/senior executive positions at NAB, Standard Chartered Bank, J.P. Morgan, UBS and NatWest and is now with Bugcrowd; he moderated the session on "Getting the Balance right, with security testing for business agility".


The future of cybersecurity testing regimes was mapped out, covering the variety of security testing solutions organizations use to protect their digital assets at different stages of development: penetration testing, SAST/DAST and bug bounty programmes. The panel discussed project delivery, business costs, the scalability and volume of current test solutions, and the effect on security assurance when it compromises business agility. Point-in-time penetration tests, continuous assurance and time-boxed bug bounty solutions, along with the decision making and cost implications of each, were explored. In this session, technologists and CISOs debated how to keep future testing regimes aligned with the needs of the business and how to keep the benefits in sight in a rising tide of cost and complexity.



Announcement 1 - Penetration Testing

Dave Gerry, CEO of Bugcrowd, the co-host for this event, announced an innovative perspective on penetration testing, a decades-old technique. It was pioneered by the RAND Corporation and the US government in the 1960s in response to burgeoning concerns that data carried on emerging computer networks would be intercepted. RAND employed "tiger teams" that used adversarial techniques to identify vulnerabilities in computer systems.


Since then, the practice of employing ethical hackers to find weaknesses in cyber defenses before an attacker has the chance to discover them has remained fundamentally the same. However, the way testing is done and the environment in which it takes place have changed beyond recognition. Penetration testing is now both a regulatory expectation and a regulated industry. For example, penetration testing is widely treated as a de facto requirement for certification under ISO 27001, the internationally recognized standard for information security management systems, as auditors commonly expect it as evidence that technical vulnerabilities are being identified and managed.


Bugcrowd introduced enhancements to its Penetration Testing as a Service (PTaaS) in several major markets last year, and it is now available in Singapore, as Bugcrowd has successfully obtained the necessary government approvals.


Their licence from the Cybersecurity Services Regulation Office saves potential customers the time and expense of a longer due diligence process when selecting a pentesting supplier. Working with licensed suppliers is mandatory for government departments and recommended for other organizations.


Having offered pentesting services for years, Bugcrowd's ability to provide a crowdsourced solution is not the only thing that sets them apart. At the heart of their PTaaS is a commitment to reducing the management overhead of pen tests, and so the amount of work their clients have to put in. Legacy pen test solutions are slow, non-transparent and low impact, and other PTaaS providers often deliver what are only shallow vulnerability assessments.


At Bugcrowd, customers are able to buy, set up and launch a human-driven, high-impact pen test, accessing a team matched to their precise needs with just a few clicks and cutting configuration time from days to hours. With no let-up in the volume and intensity of cybersecurity threats, customers are no longer focused solely on suppliers' ability to discover vulnerabilities; they also value suppliers' ability to reduce the management overheads associated with ensuring and enhancing cybersecurity. Bugcrowd is committed to bringing this simplicity and lightness of touch not only to penetration testing but to the whole range of services they offer.

 


Announcement 2 - AI Bias Assessment Offering

Dave also announced that Bugcrowd will launch the AI Bias Assessment Offering for LLM Applications, the first solution in Bugcrowd's AI Safety and Security portfolio, which unleashes human ingenuity to find data bias beyond the reach of traditional testing.


Hosted on the Bugcrowd Platform, AI Bias Assessment taps the power of the crowd to help enterprises and government agencies adopt Large Language Model (LLM) applications safely, efficiently and confidently. LLM applications run on algorithmic models that are trained on huge sets of data. Even when that training data is curated by humans, which it often is not, the application can easily reflect "data bias" caused by stereotypes, prejudices, exclusionary language and a range of other possible biases in the training data. Such biases can lead the model to behave in unintended and harmful ways, adding considerable risk and unpredictability to LLM adoption.


Some examples of potential flaws include Representation Bias (disproportionate representation or omission of certain groups in the training data), Pre-Existing Bias (biases stemming from historical or societal prejudices present in the training data) and Algorithmic Processing Bias (biases introduced through the processing and interpretation of data by AI algorithms). Bugcrowd AI Bias Assessments are private, reward-for-results engagements on the Bugcrowd Platform that activate trusted third-party security researchers (a "crowd") to identify and prioritize data bias flaws in LLM applications. Participants are paid based on the successful demonstration of impact, with more impactful findings earning higher payments.


The Bugcrowd Platform’s industry-first, AI-driven approach to researcher sourcing and activation, known as CrowdMatch™, allows it to build and optimize crowds with virtually any skill set, to meet virtually any risk reduction goal, including security testing and beyond. “Bugcrowd’s work with customers like the US DoD’s Chief Digital and Artificial Intelligence Office (CDAO), along with their partner ConductorAI, has become a crucial proving ground for AI detection by unleashing the crowd for identifying data bias flaws,” said Dave Gerry, CEO of Bugcrowd.


For over a decade, Bugcrowd's unique "skills-as-a-service" approach to security has consistently uncovered more high-impact vulnerabilities than traditional methods. Their customer base, which numbers nearly 1,000, has benefited from this approach, which also provides a clearer line of sight to ROI. With unmatched flexibility and access to a decade of vulnerability intelligence data, the Bugcrowd Platform has evolved over time to reflect the changing nature of the attack surface, including the adoption of mobile infrastructure, hybrid work, APIs, crypto, cloud workloads and now AI. In 2023 alone, customers found almost 23,000 high-impact vulnerabilities using the Bugcrowd Platform, helping to prevent potential breach-related costs of up to $100 billion.


“As the leading crowdsourced security platform provider, Bugcrowd is uniquely positioned to meet the new and evolving challenges of AI Bias Assessment, just as we’ve met the emergent security challenges of previous technology waves such as mobile, automotive, cloud computing, crypto, and APIs,” said Casey Ellis, Founder and Chief Strategy Officer of Bugcrowd.



Overall, an amazing and powerful event where we gained insight, knowledge and perspectives on the latest developments in cybersecurity, engaged in discussions with leading CISOs and the hacker community from around the world, and were able to work and partner with Bugcrowd, who truly stand out from the crowd! This event delivered a deep-dive exploration into the evolving landscape of cybersecurity!


For more information on Bugcrowd, please visit https://www.bugcrowd.com/

