HR use case shows value of Oracle Analytics Cloud

By detailing the business challenges of a waste management company, Myles Gilsenan demonstrated the value Oracle Analytics Cloud can give organizations.

Gilsenan, director of Oracle business analytics at Perficient, a consulting firm based in St. Louis that works on digital projects with enterprises, spoke about Oracle Analytics Cloud (OAC) at a breakout session of Oracle Analytics’ annual user conference May 19. The conference, which began on May 12 and has sessions scheduled through August 18, was held online due to the COVID-19 pandemic.

Unifying platforms

Oracle’s analytics platform had been a patchwork of nearly 20 business intelligence products until June 2019, when the software giant streamlined its BI platform into three products — Oracle Analytics Cloud, Oracle Analytics Server and Oracle Analytics for Applications. Oracle Analytics Cloud is its SaaS offering aimed at business users and featuring natural language generation and other augmented intelligence capabilities to foster ease of use.

It’s a transformation that’s been well received.

“The Oracle Analytics Cloud has enabled Oracle to rapidly play catch-up to some of the incumbents in the analytics space,” said Mike Leone, an analyst at Enterprise Strategy Group. “It provides data-centric organizations with a cloud service anchored in simplicity. While OAC focuses on data visualization and augmented analytics, there’s a lot more under the covers — intelligent automation, recommendations, natural language querying and numerous third-party integrations.”

[Figure: An Oracle Analytics Cloud dashboard shows the traffic volume per day for the Washington, D.C., area.]

Similarly, Doug Henschen, an analyst at Constellation Research, said the Oracle analytics reorganization was significant.

“Oracle has done a nice job of unifying its strategy and technology across cloud, on-premises and application-integrated deployments with Oracle Analytics Cloud, Oracle Analytics Server and Oracle Analytics for Applications, respectively,” he said. “It’s all one code base.”

In addition, he added, the way the platform is packaged gives users flexibility.

“The packaging gives them a data model, data integration capabilities, dashboards and reports that are prebuilt for Oracle’s cloud ERP and [healthcare management] apps, yet all of these prebuilt features can be extended to customer-specific data and analysis requirements,” Henschen said. “It’s a way to get started quickly but without being limited to prebuilt content.”

While Oracle Analytics Cloud is designed to be accessible to technical and non-technical users alike, it was, ironically, through one organization’s difficulty getting started that Gilsenan demonstrated what he said are its actual ease of use and its capability to deliver value quickly.

Perficient’s client, which he did not name, was a provider of waste management services including waste removal, recycling and renewable energy. One of the company’s main goals when it began using Oracle Analytics Cloud was to join human resources data from Taleo and PeopleSoft, human resources software platforms owned by Oracle.

Specifically, according to Gilsenan, the client wanted greater visibility into such HR metrics as the cost of vacant positions, the time it took to fill vacant positions, quality of hires, employee career progression and talent optimization.

“What they really wanted was to track employees from the recruiting channel all the way through career progression at the company,” he said. “And over time, they wanted to build up a data set to be able to say that people who come through a certain channel turn out to be successful employees, and they would then of course emphasize those channels.”

The company’s data, however, came from disparate systems, including one that was on premises. And when the company started trying to unify its data in Oracle Analytics Cloud, it ran into trouble.

“They had a sense that OAC is an agile, cloud-based environment, and you should be able to get value very quickly,” Gilsenan said. “There were a lot of expectations, and people were expecting to see a dashboard very, very quickly. But there were organizational things that caused issues.”

One of the biggest was that the company’s expert in the subject matter was also working on many other things and didn’t have enough time to devote to the project. Other members of the team working on the project also had competing responsibilities.

As a result, according to Gilsenan, when it started taking longer to complete the project than originally planned, company management concluded that Oracle Analytics Cloud was too complicated.

“When it came to integrating data sources, there was some technical expertise that was needed, but by and large it was the idea that they couldn’t focus,” Gilsenan said. “It was a classic organizational issue.”

Rather than a different analytics platform, what the company really needed was some outside help, according to Gilsenan. It brought in Perficient, and within four weeks delivered an HR analytics system in Oracle Analytics Cloud.

Perficient’s first step was to restore the waste management company’s confidence in Oracle Analytics Cloud by showing executives success stories. It then helped the company define success criteria, develop a plan and move into the execution phase.

Perficient helped the waste management company develop a dashboard and six reports that covered critical HR metrics such as the quality of hires and the cost of open positions.

“They became very competent in the platform, and right then and there made plans to roll out Oracle Analytics Cloud to the rest of the company [beyond HR],” Gilsenan said.

Focus on HR

While the waste management company is now using Oracle Analytics Cloud throughout its organization, HR has been a particular focus of the platform. Oracle even unveiled a specialized HR version of Oracle Analytics for Cloud HCM at the start of its virtual user conference, though that’s not the tool Perficient’s client is now using.

“Oracle is looking to deliver a more holistic approach to HR analytics,” Leone said. “They’ve spent a ton of time researching various aspects of HR to deliver a comprehensive launching pad for organizations looking to modernize HR with advanced analytics. It’s about using more data from several entities together to help accurately measure success, failure and the likelihood of each. This is where Oracle is making significant strides in helping to modernize analytical approaches.”

For Sale – MSI Z97 Gaming 5 Motherboard with Intel i7-4790K, 16GB Crucial Ballistix RAM and Cooler

Hey @Roan thanks for the offer. To be honest the cooler has little value any more, and even less so when sold alone, it was only £17 when I bought it new, so there’s not much point in me taking it out of the bundle really, even if I gave it no value as part of the bundle price.

Looking at another sale on here a couple of months ago, a set with the same motherboard and CPU, with some slightly faster RAM and an aftermarket cooler, sold for £230 including delivery, so I’ll drop to £215 inc. and leave the cooler in there?

Let me know what you think.

EDIT – Postage would be via Hermes at this price, as insured Royal Mail delivery comes to £26.

HCI storage adoption rises as array sales slip

The value and volume of data keep growing, yet in 2019 most primary storage vendors reported a drop in sales.

Part of that has to do with companies moving data to the cloud. It is also being redistributed on premises, moving from traditional storage arrays to hyper-converged infrastructure (HCI) and data protection products that have expanded into data management.

That helps explain why Dell Technologies bucked the trend of storage revenue declines last quarter. A close look at Dell’s results shows its gains came from areas outside of traditional primary storage arrays that have been flat or down from its rivals.

Dell’s storage revenue of $4.15 billion for the quarter grew 7% over last year, but much of Dell’s storage growth came from HCI and data protection. According to Dell COO Jeff Clarke, orders of VxRail HCI storage appliances increased 82% over the same quarter in 2018. Clarke said new Data Domain products also grew significantly, although Dell provided no revenue figures for backup.

Hyper-converged products combine storage, servers and virtualization in one box. VxRail, which relies on vSAN software from Dell-owned VMware running on Dell PowerEdge, appears to be cutting in on sales of both independent servers and storage. Dell server revenue declined around 10% year-over-year, around the same as rival Hewlett Packard Enterprise’s (HPE) server decline.

“We’re in this data era,” Clarke said on Dell’s earnings call last week. “The amount of data created is not slowing. It’s got to be stored, which is probably why we are seeing a slightly different trend from the compute side to the storage side. But I would point to VxRail hyper-convergence, where we’ll bring computing and storage together, helping customers build on-prem private clouds.”

Dell is counting on a new midrange storage array platform to push storage revenue in 2020. Clarke said he expected those systems to start shipping by the end of January.

Dell’s largest storage rivals have reported a pause in spending, partially because of global conditions such as trade wars and tariffs. NetApp revenues have fallen year-over-year each of the last three quarters, including a 9.6% dip to $1.38 billion last quarter. HPE said its storage revenue of $848 million dropped 12% from last year. HPE’s Nimble Storage midrange array platform grew 2% and Simplivity HCI increased 14% year-over-year, a sign that 3PAR enterprise arrays fell and the vendor’s new Primera flagship arrays have not yet generated meaningful sales.

[Photo: Dell Technologies COO Jeff Clarke]

IBM storage has also declined throughout the year, dropping 4% year-over-year to $434 million last quarter. Pure Storage’s revenue of $428 million last quarter increased 16% from last year, but Pure had consistently grown revenue at significantly higher rates throughout its history.

Meanwhile, HCI storage revenue is picking up. Nutanix last week reported a leveling of revenue following a rocky start to 2019. Related to VxRail’s increase, VMware said its vSAN license bookings had increased 35%. HPE’s HCI sales grew, while overall storage dropped. Cisco did not disclose revenue for its HyperFlex HCI platform, but CEO Chuck Robbins called it out for significant growth last quarter.

Dell/VMware and Nutanix still combine for most of the HCI storage market. Nutanix’s revenue ($314.8 million) and subscription ($380.0 million) results were better than expected last quarter, although both numbers were around the same as a year ago. It’s hard to accurately measure Nutanix’s growth from 2018 because the vendor switched to subscription billing. But Nutanix added 780 customers and its 66 deals of more than $1 million were its most ever. And the total value of its customer contracts came to $305 million, up 9% from a year ago.

Nutanix’s revenue shift came after the company switched to a software-centric model. It no longer records revenue from the servers it ships its software on. Nutanix and VMware are the dominant HCI software vendors.

“It’s just the two of us, us and VMware,” Nutanix CEO Dheeraj Pandey said in an interview after his company’s earnings call. “Hyper-convergence now is really driven by software as opposed to hardware. I think it was a battle that we had to win over the last three or four years, and the dust has finally settled and people see it’s really an operating system play. We’re making it all darn simple to operate.”

Salesforce Trailhead app makes learning more convenient

SAN FRANCISCO — Salesforce customers see the value in the Trailhead learning platform and its new mobile app.

Trailhead Go for iOS is one of two new mobile apps that Salesforce announced here at Dreamforce 2019. Trailhead Go is a mobile extension of Trailhead, Salesforce’s free customer success learning platform, which lets Salesforce users and nonusers alike follow different paths to learn Salesforce skills. It now also offers Amazon Partner Connect, for learning how to build Amazon Alexa skills and work with AWS. By the end of the year, Trailhead plans to roll out live and on-demand training videos.

Salesforce provides customer success tools to users before they even become customers. For most businesses, this model is flipped, providing these tools to users after they sign contracts, said Gerry Murray, a research director at IDC.

“It’s not only about how the product works, it’s about teaching the line-of-business people to elevate their skills or further their careers in and out of their companies,” Murray said. “Trailhead Go makes it all that more convenient.”

Making education accessible

A skills gap costs companies $1.3 trillion each year, said Sarah Franklin, general manager of Trailhead, in a keynote. While many workers think they can fill that gap with education, it has become more and more inaccessible. Over the last 20 years, student tuition has increased by 200%, and student debt has increased by 163%.

Anyone who has access to the Trailhead Go app can learn, said Ray Wang, principal analyst and founder at Constellation Research.

“You don’t have to go to school; you don’t need a computer; you just need a phone,” he said.

Customers see benefits

[Screenshot: The personalized homepage of the Trailhead Go app shows which trails a user is working on, with a quick navigation bar at the bottom.]

Supermums, based in London, equips moms with Salesforce skills through a combination of training, mentoring, work experience and job search support to get them into the Salesforce ecosystem. Trainees go through a customized six-month program where they earn 50 to 100 Trailhead badges. Trainees can benefit from the Trailhead app because they’ll be able to learn on the go, making it easier to fit into their schedules, said Heather Black, a certified Salesforce administrator and CEO of Supermums.

“[Trailhead Go] will help me complete more trails and fit it into my life while I’m busy supporting a team and juggling kids,” she said. “Trailhead Go makes this accessible to more people.”

Trailhead has also branched out beyond technical skills and into functional skills, Black said.

“It helps you develop as a person, as well as help you be successful in a Salesforce career,” she said.

Trailhead is great for helping learn the basics when people are entering the CRM world, said Sayantani Mitra, a data scientist at Goby Inc., a company that specializes in accounts payable automation.

“Read them, learn them, ask the community, ask people questions, do them multiple times,” Mitra said.

But just getting a Salesforce certification won’t get someone a job, Mitra said. They have to know what they’re doing.

“The best way to learn anything is practice, practice and practice more,” Mitra said.

Mitra plans to use the Trailhead Go app particularly on long-haul flights.

“When I go home to India … you cannot watch movies for 20 hours or sleep for 20 hours; you need something more,” she said.

Trailhead Go is generally available now for free on the Apple App Store.

Assessing the value of personal data for class action lawsuits

When it comes to personal data exposed in a breach, assessing the value of that data for class action lawsuits is more of an art than a science.

As interest in protecting and controlling personal data has surged among consumers lately, there have been several research reports that discuss how much a person’s data is worth on the dark web. Threat intelligence provider Flashpoint, for example, published research last month that said access to a U.S. bank account, or “bank log,” with a $10,000 balance was worth about $25. However, the price of a package of personally identifiable information (PII) or what’s known as a “fullz” is much less, according to Flashpoint; fullz for U.S. citizens that contain data such as victims’ names, Social Security numbers and birth dates range between $4 and $10.

But that’s the value of personal data to the black market. What’s the value of personal data when it comes to class action lawsuits that seek to compensate individuals who have had their data exposed or stolen? How is the value determined? If an organization has suffered a data breach, how would it figure out how much money they might be liable for?

SearchSecurity spoke with experts in legal, infosec and privacy communities to find out more about the obstacles and approaches for assessing personal data value.

The legal perspective

John Yanchunis leads the class action department of Morgan & Morgan, a law firm based in Orlando, Fla., that has handled the plaintiff end for a number of major class action data breach lawsuits, including Equifax, Yahoo and Capital One.

The 2017 Equifax breach exposed the personal information of over 147 million people, and resulted in the credit reporting company creating a $300 million settlement fund for victims (which doesn’t even account for the hundreds of millions of dollars paid to other affected parties). Yahoo, meanwhile, was hit with numerous data breaches between 2013 and 2016. In the 2013 breach, every single customer account was affected, totaling 3 billion users. Yahoo ultimately settled a class action lawsuit from customers for $117.5 million.

When it comes to determining the value of a password, W-2 form or credit card number, Yanchunis called it “an easy question but a very complex answer.”

“Is all real estate in this country priced the same?” Yanchunis asked. “The answer’s no. It’s based on location and market conditions.”

Yanchunis said dark web markets can provide some insight into the value of personal data, but there are challenges to that approach. “In large part, law enforcement now monitors all the traffic on the dark web,” he said. “Criminals know that, so what are they doing? They’re using different methods of marketing their product. Some sell it to other criminals who are going to use it, some put it on a shelf and wait until the dust settles so to speak, while others monetize it themselves.”

As a result, several methods are used to determine the value of breached personal data for plaintiffs. “You’ll see in litigation we’ve filed, there are experts who’ve monetized it through various ways in which they can evaluate the cost of passwords and other types of data,” Yanchunis said. “But again, to say what it’s worth today or a year ago, it really depends upon a number of those conditions that need to be evaluated in the moment.”

David Berger, partner at Gibbs Law Group LLP, was also involved in the Equifax class action lawsuit and has represented plaintiffs in other data breach cases. Berger said that it was possible to assess the value of personal data, and discussed a number of damage models that have been successfully asserted in litigation to establish value.

One way is to look at the value of a piece of information to the company that was breached, he said.

“In other words, how much a company can monetize basically every kind of PII or PHI, or what they are getting in different industries and what the different revenue streams are,” Berger said. “There’s been relatively more attention paid to that in data breach lawsuits. That can be one measure of damages.”

Another approach looks at the value of an individual’s personal information to that individual. Berger explained that this can be measured in multiple different ways. In litigation, economic modeling and “fairly sophisticated economic techniques” would be employed to figure out the market value of a piece of data.

Another approach to assessing personal data value is determining the cost of what individuals need to do to protect themselves from misuse of their data, such as credit monitoring services. Berger also said the “benefit-of-the-bargain” rule can help; under that legal principle, a party that breaches a contract must pay the other party an amount in damages that puts them in the same financial position they would have been in had the contract been fulfilled.

For example, Berger said, say a consumer purchases health insurance and is promised reasonable data security; if the insurance carrier is then breached, “[they] got health insurance that did not include reasonable data security. We can use those same economic modeling techniques to figure out what’s the delta between what they paid for and what they actually received.”

Berger also said the California Consumer Privacy Act (CCPA), which he called “the strongest privacy law in the country,” will also help because it requires companies to be transparent about how they value user data.

“The regulation puts a piece on that and says, ‘OK, here are eight different ways that the company can measure the value of that information.’ And so we will probably soon have a bunch of situations where we can see how companies are measuring the value of data,” Berger said.

The CCPA will go into effect in the state on Jan. 1 and will apply to organizations that do business in the state and either have annual gross revenues of more than $25 million; possess personal information of 50,000 or more consumers, households or devices; or generate more than half of their annual revenue from selling personal information of consumers.

Security and privacy perspectives

Some security and privacy professionals are reluctant to place a dollar value on specific types of exposed or breached personal data. While some advocates have pushed the idea of valuing consumers’ personal data as commodities or goods to be purchased by enterprises, others, such as the Electronic Frontier Foundation (EFF), an international digital rights group founded 29 years ago to promote and protect internet civil liberties, are against it.

An EFF spokesperson shared the following comment, part of which was previously published in a July blog post titled “Knowing the ‘Value’ of Our Data Won’t Fix Our Privacy Problems.”

“We have not discussed valuing data in the context of lawsuits, but our position on the concept of pay-for-privacy schemes is that our information should not be thought of as our property this way, to be bought and sold like a widget. Privacy is a fundamental human right. It has no price tag.”

Harlan Carvey, senior threat hunter at Digital Guardian, an endpoint security and threat intelligence vendor, agreed with Yanchunis that assessing the value of personal data depends on the circumstances of each incident.

“I don’t know that there’s any way to reach a consensus as to the value of someone’s personally identifiable data,” Carvey said via email. “There’s what the individual believes, what a security professional might believe (based on their experience), and what someone attempting to use it might believe.”

However, he said the value of traditionally low-value or high-value data might be different depending on the situation.

“Part of me says that on the one hand, certain classes of personal data should be treated like a misdemeanor, and others like a felony. Passwords can be changed, as can credit card numbers; SSNs cannot. Not easily,” Carvey said. “However, having been a boots-on-the-ground, crawling-through-the-trenches member of the incident response industry for a bit more than 20 years, I cringe when I hear or read about data that was thought to have been accessed during a breach. Even if the accounting is accurate, we never know what data someone already has in their possession. As such, what a breached company may believe is low-value data is, in reality, the last piece of the puzzle someone needed to completely steal my identity.”

Jeff Pollard, vice president and principal analyst at Forrester Research, said concerns about personal data privacy have expanded beyond consumers and security and privacy professionals to the very enterprises that use and monetize such data. There may be certain kinds of personal data that can be extremely valuable to an organization, but the fear of regulatory penalties and class action lawsuits is causing some enterprises to limit the data they collect in the first place.

“Companies may look at the data and say, ‘Sure, it’ll make our service better, but it’s not worth it’ and not collect it all,” Pollard said. “A lot of CISOs feel like they’ll be better off in the long run.”

Editor’s note: This is part one of a two-part series on class action data breach lawsuits. Stay tuned for part two.

Security news director, Rob Wright, contributed to this report.

Get the Best Deal of the Season for Xbox Game Pass and Forza Games – Xbox Wire

With Xbox Game Pass, you can experience the ultimate value and freedom to play over 100 great games, including new Xbox One games from Microsoft Studios the day they release.

Microsoft is excited to announce a special offer that unites Forza and Xbox Game Pass fans. Starting today, get the best deal of the season for Xbox Game Pass and Forza games, just in time to hone your skills for the Forza Horizon 4 launch on October 2. For a limited time, get a year of Xbox Game Pass ($120 value), Forza Horizon 3, and Forza Motorsport 7 to keep – all for just $99. This offer is open to new as well as existing Xbox Game Pass members, starting September 13 through September 30, so get it today!

You can take advantage of this offer on Xbox.com or from your Xbox One console. You can begin playing games with Xbox Game Pass immediately and will receive codes to download Forza Horizon 3 and Forza Motorsport 7 via Xbox Message Center, likely within 7-10 days, but no later than October 21, 2018.

If you have a knack for racing or have just always been interested in giving the Forza series a try, this is the offer for you. Not only will you receive access to Forza Horizon 4 the day it launches on October 2, but you can also check out the most recent titles from the Forza Horizon and Motorsport series with this limited-time offer.

Forza Motorsport 7 lets you experience the thrill of motorsport at its limit with the most comprehensive, beautiful, and authentic racing game ever made. Forza Horizon 3 puts you in charge of the Horizon Festival where you can customize everything, hire and fire your friends, and explore Australia in over 350 of the world’s greatest cars. Make your Horizon the ultimate celebration of cars, music, and freedom of the open road. How you get there is up to you!

From recent blockbusters to critically-acclaimed indie titles, Xbox Game Pass lets you discover and download games you’ve always wanted to play or revisit favorites that you’ve been missing. With new games added every month, and the option to cancel anytime, Xbox Game Pass is your ticket to endless play.

Stay tuned to Xbox Wire for more news on Xbox Game Pass and all things Forza Motorsport. For the latest in Xbox Game Pass news, follow us on Twitter and Instagram. Until next month, game on!

Bugcrowd CTO explains crowdsourced security benefits and challenges

Crowdsourced security can provide enormous value to enterprises today, according to Casey Ellis, but the model isn’t without its challenges.

In this Q&A, Ellis, chairman, founder and CTO of San Francisco-based crowdsourced security testing platform Bugcrowd Inc., talks about the growth of bug bounties, the importance of vulnerability research and the evolution of his company’s platform. According to the Bugcrowd “2018 State of Bug Bounty Report,” reported vulnerabilities have increased 21% to more than 37,000 submissions in the last year, while bug bounty payouts have risen 36%.

In part one of this interview, Ellis expressed his concerns that the good faith that exists between security researchers and enterprises is eroding and discussed the need for better vulnerability disclosure policies and frameworks. In part two, he discusses the benefits of crowdsourced security testing, as well as some of the challenges, including responsible disclosure deadlines and the accurate vetting of thousands of submissions.

Editor’s note: This interview has been edited for clarity and length.

When it comes to responsible vulnerability disclosure, do you think companies are at a point now where they generally accept the 90-day disclosure period?

Casey Ellis: No. No, I think technology companies are, but it’s very easy working in technology to see adoption by technology companies and assume that it’s normal now. I see a lot of people do that and I think it’s unwise, frankly.

I think that’s where we’ll end up eventually, and I think we’re moving toward that type of thing. But there are caveats in terms of, for example, complex supply chain products or vehicles or medical devices — the stuff that takes longer than 90 days to refresh and test, patch, and deploy out to the wild. The market is not used to that kind of pressure on public disclosure yet, but I think the pressure is a good thing.

The bigger problem is in terms of general vulnerability disclosure; that’s not accepted outside of the tech sector yet — at all, frankly.

There’s been a lot of talk about security automation and machine learning at RSA Conference again this year. Where do you see that going?

Ellis: It depends on your definition of automation at that point. Is it automation of decision-making or is it automation of leverage and reaching that decision?

Using Bugcrowd as an example, we’re heavy users of machine [learning] and automation within our platform, but we’re not doing it to replace the hackers. We’re doing it to understand which of the conversations we’re having as these submissions come in are most important. And we’re trying to get to the point where we can say, ‘Okay, this bug is less likely to be important than this other bug. We should focus on that first.’

For the customers, they just want to know what they need to go and fix. But we have to prioritize the submissions. We have to sit in front of that customer and have these conversations at scale with everyone who’s submitting, regardless of whether they’re very, very valuable in terms of the information or they’re getting points for enthusiasm but not for usefulness. It’s actually a fun and a valuable problem to solve, but it’s difficult.

How do you prioritize and rank all of the submissions you receive? What’s that process like?

Ellis: There’s a bunch of different things because the bug bounty economic model is this: The first person to find each unique issue is the one who gets rewarded for it. And then, the more critical it is, the more they get paid. And this is what we’ve been doing since day one because the premise was these are two groups of people that historically suck at talking to each other.

So we said we’re going to need to pull together a human team to help out, and then what we’ll do is we’ll learn from that team to build the product and make the product more effective as we go. It’s a learning loop that we’ve got internally, as well. And what they’re doing is, basically, understanding what’s a duplicate [submission], what’s out of scope and things like that. There are simple things that we can do from a filtering standpoint.

Duplicates get interesting because you have pattern matching and Bayesian analysis and different things like that to understand what the likelihood of a duplicate is. Those are the known things. Then there’s the heavy stuff — the critical importance, wake up the engineering team stuff.

There’s also a bunch of stuff we do in terms of analyzing the vulnerability against the corpus [of known vulnerabilities] to understand what that is, as well as who the submitter is. Because if they’re a notorious badass who comes in and destroys stuff and has a really high signal-to-noise ratio then, yes, that’s probably something that we should pay attention to.

There’s a bunch of really simple stuff or comparatively simple stuff that we can do, but then there’s a bunch of much more nuanced, complicated stuff that we have to work out. And then we’ve got the human at the end of [the process] because we can’t afford to get it wrong. We can’t say no to something that’s actually a yes. The whole thing gets basically proofed, and then those learnings go back into the system and it improves over time.

Do you receive a lot of submissions that you look at and say, ‘Oh, this is nonsense, someone’s trying to mess with us and throw the process off’?

Ellis: Yes. There’s a lot of that. As this has grown, there are a bunch of people that are joining in for the first time, and some of them are actively trolling. But then, for every one of those, there are 10 that are just as noisy, but it’s because they think they’re doing the right thing even though they’re not.

If someone runs Nessus and then uploads a scan and says, ‘That’s a bug!’ then what we do at that point is we say, ‘No, it’s not. By the way, here are some different communities and education initiatives that we’ve got.’

We try to train them to see if they can get better because maybe they can. And if they’ve initiated that contact with us, then they’re clearly interested and enthusiastic, which is a great starting point because just because they don’t know how to be useful right now doesn’t mean they can’t be in the future. We give the benefit of the doubt there, but obviously, we have to protect the customer from having to deal with all of that noise.

When it comes to that noise in crowdsourced bug hunting, do you think those people are looking more at the reward money or the reputation boost?

Ellis: It’s usually both. Money is definitely a factor in bug bounties, but reputation is a huge factor, too. And it goes in two directions.

There’s reputation for the sake of ego, and they’re the ones that can get difficult pretty quickly, but then there’s also reputation for the sake of career development. And that’s something that we actually want to help them with. That’s been an initiative that we’ve had from day one, and a bunch of our customers actually have people in their security teams that they hired off the platform.

Jason Haddix [Bugcrowd vice president of trust and security] was number one on the platform before we hired him. We think this is actually a good thing in terms of helping address the labor shortage.

But, to your point, if someone comes in and says, ‘Oh, this is a quick way to get a high-paying career in cybersecurity,’ then we have to obviously temper that. And it does happen.

Last question: What activity on your platform has stood out to you lately?

Ellis: There’s a real shift toward people scaling up in IoT. We have more customers coming on board to test IoT. I think the issue of IoT security and awareness around the fact that it’s something that should actually be addressed is in a far better state now than it was when IoT first kicked off years ago.

And the same thing that happened in web and mobile and automotive is happening in IoT. With IoT, it was ‘We don’t have the people [for security testing]. Okay, where are we going to get them?’ I think the crowd is reacting to that opportunity now and starting to dig into the testing for IoT.

And here’s the thing with IoT security: For starters, bugs that are silicon level or at a hardcoded level are probably out there, but the cost to find them and the value of having them [reported] hasn’t justified the effort being put in yet.

That’s usually not what people are talking about when they’re talking about IoT bugs. It’s usually either bugs that are CVEs [Common Vulnerabilities and Exposures] in the supply chain software that forms the operating system or bugs that are in the bespoke stuff that sits on top. And, usually, both of those things can be flushed and changed.

We’re not at the point where you’ve got a more common issue and you’re not able to change it ever. I assume that will happen at some point, but hopefully, by the time we get there, people are going to be thinking about design with security more in mind in the first place, and all that older stuff will be at end-of-life anyway.

For Sale – 8gb of DDR3 ram

As title,
2 sticks of Corsair Value RAM, 8GB 1600MHz.
Around 2 years old and last used this morning when my upgrades were delivered.

£22.50 delivered, £20 collected
Payment via BT

Cheers for looking

Price and currency: 22.50
Delivery: Delivery cost is included within my country
Payment method: bank transfer
Location: Nottingham
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.
