At this year's Nullcon Berlin, the international IT security conference that brings hundreds of top experts together, we staged a live Bug Bounty Hunt together with YesWeHack, a leading provider of bug bounty services. Around 40 crack security researchers pitched in to subject OTTO's infrastructure security to a hardcore test. This was a welcome chance for us to check our Web applications for security loopholes and learn from a personal exchange with leading-edge researchers at the same time.
Bug Bounty Hunting lets IT security researchers pinpoint and report vulnerabilities in systems in a fully legal way. What's more, the Bounty Hunters can look forward to a financial reward for their efforts. This concept is an officially sanctioned, industry-recognised approach to improving systems' IT security.
Through our collaboration with YesWeHack and our direct interaction with top security researchers we were able to identify and eliminate potential vulnerabilities in real time. For instance, OTTO's own systems were tested for the OWASP Top 10 using the latest tools and methodologies, but also for other vulnerabilities such as a subdomain takeover, in which an attacker gains control over an expired subdomain and misuses it for malicious purposes. Alongside www.otto.de, the security researchers tested numerous other Web applications as well as the OTTO mobile app.
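The usual precondition for the subdomain takeover mentioned above is a CNAME record left pointing at a name that no longer resolves. As an added example (not code from OTTO or YesWeHack), the following defender-side audit follows CNAME chains in a subdomain inventory and flags dangling aliases and loops; the zone data and resolver are constructed so it runs offline, and in production the resolver would be replaced by real DNS lookups.

```python
"""Audit a subdomain inventory for dangling CNAME records (added example)."""
from typing import Callable, Dict, Iterable, Optional

RecordSet = Dict[str, object]
Resolver = Callable[[str], Optional[RecordSet]]

# Constructed sample zone with hypothetical names; not real DNS data.
SAMPLE_ZONE: Dict[str, RecordSet] = {
    "www.example.test": {"A": ["192.0.2.10"]},
    "shop.example.test": {"CNAME": "shop-cdn.example.test"},
    "shop-cdn.example.test": {"A": ["192.0.2.20"]},
    # Alias left behind after the hosting target was decommissioned.
    "old-promo.example.test": {"CNAME": "promo.decommissioned-host.test"},
    "loop-a.example.test": {"CNAME": "loop-b.example.test"},
    "loop-b.example.test": {"CNAME": "loop-a.example.test"},
}


def sample_resolver(name: str) -> Optional[RecordSet]:
    """Offline stand-in for DNS: record set for the name, or None for NXDOMAIN."""
    return SAMPLE_ZONE.get(name)


def classify(name: str, resolve: Resolver, max_hops: int = 8) -> str:
    """Follow CNAMEs from name; return 'ok', 'dangling', 'loop' or 'nxdomain'."""
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            return "loop"
        seen.add(current)
        records = resolve(current)
        if records is None:
            # Reached via a CNAME: the alias points into the void and needs review.
            return "dangling" if current != name else "nxdomain"
        if "CNAME" in records:
            current = str(records["CNAME"])
            continue
        return "ok"  # Chain ends in a live record set (A/AAAA or similar).
    return "loop"  # Too many hops is treated like a loop for review purposes.


def find_problems(names: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Return every name whose chain is not healthy, mapped to its status."""
    problems = {}
    for name in names:
        status = classify(name, resolve)
        if status != "ok":
            problems[name] = status
    return problems


if __name__ == "__main__":
    for host, status in find_problems(SAMPLE_ZONE, sample_resolver).items():
        print(f"{status:9} {host}")
```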
At Nullcon the researchers praised the high security level of the OTTO systems, as it turned out to be tough for them to find chinks in our armour. Nevertheless, they did highlight some interesting vulnerabilities, enabling us to act quickly to maximise our infrastructure security. Some of the attack vectors were extremely specialised, requiring the full creativity and depth of experience of the Bug Bounty Hunters to produce validated findings. Our own OTTO security analysts reviewed and evaluated all vulnerability reports.
The security researchers each chose a very individual set of tools, ranging from 'standards' such as curl and dig, which ship with current operating systems, to fully automated, cloud-based tools that can be scaled as necessary. All participants opted to include the PortSwigger Burp Suite. It was also evident that many of them were using self-developed tools scripted in Python or Bash, for example to validate potential attack vectors rapidly. Expertise in prototyping was a clear advantage, because speed played a decisive role if you wanted to be first to report a vulnerability and collect the reward!
This short YouTube clip summarises the highlights of the event and communicates the lively atmosphere at Nullcon.
At the end of the two days, not only was the "Most Valuable Hacker" crowned, but the thesis was also confirmed that security is not a fixed state that can be reached, but a topic that must be worked on continuously. As a company, we used this event to further improve our internal processes and tools so that we are able to react quickly to potential threats. We are using the insights from this event to support our software developers in continuing to build secure applications and the IT infrastructure they require.
If you have a question for the team, feel free to comment below the article. I will get back to you as soon as possible.
Photo credits: @YesWeHack