Browse Category

Events

My thoughts on receiving the Top Government Bug Bounty Program (GBBP) Researcher Award

Last week, I attended the Researcher Appreciation Ceremony held alongside the prize ceremony of Jaga the STACK Finale 2022. The Researcher Appreciation Ceremony was held as part of GovTech’s Crowdsourced Vulnerability Discovery Programme (CVDP), where they will present various awards, such as the Top GBBP Researcher award.

I could vividly recall that the entire event was filled with not only students, but also working professionals looking for young and bright individuals for internships or job offers, as the student competition includes categories for a variety of education level (e.g. University). Not forgetting that the organiser also invited the local white hat community to attend this event.

Receiving the Top GBBP Researcher and Most Staunch Supporter Awards

It was an honour to be the recipient of the following two awards:

  1. Top GBBP Researcher
  2. Most Staunch Supporter

It was an even greater honour to be able to receive the awards from our Senior Minister of State, Dr Janil Puthucheary.

Receiving the awards from our Senior Minister of State, Dr Janil Puthucheary.
Receiving the awards from our Senior Minister of State, Dr Janil Puthucheary.

Government Bug Bounty Program (GBBP)

The Government Bug Bounty Program (GBBP) is held multiple times within a year, whereby GovTech, the organiser, will liaise with various Singapore government agencies to invite them onto the program. After they have been on-boarded, they will provide a list of assets allowed to be tested by the invited white hat security researchers.

Keep Reading
RSA Conference 2016 Asia Pacific & Japan

My Thoughts on RSA Conference 2016 APAC

Last week, I attended the RSA Conference 2016 Asia Pacific & Japan which was held at Marina Bay Sands (MBS), Singapore. It was a pretty enriching experience as I get to not only hear directly from various security vendors about how their products are beneficial to the industry, but also get to attend keynote sessions with top-rated speakers in the information security industry.

RSA Conference 2016 Asia Pacific & Japan

RSA Conference 2016 Asia Pacific & Japan

There were many security vendors in the Sands Grand Ballroom level 5 with their respective booths being setup with their newest products. Each booths run their own product demonstration in every 1 or 2 hours intervals. Can see that most of the presenters are pretty enthusiastic in sharing their products’ new features.

RSA Conference 2016 Asia Pacific & Japan

To see the full list of exhibitors which have setup a product demonstration booth to share about their products, you can check out this link.

There were also some companies which also gotten a place to share about their products in an open area called the Demo Theatre. It is like a mini stage with a number of chairs. Unfortunately, there were not many attendees. I’m glad I attended a few sessions though and learnt quite a bit about how an enterprise can incorporate various types of products to improve on their security defenses to protect their company’s information and data.

RSA Conference 2016 Asia Pacific & Japan

Check out the full list of sessions at the Demo Theatre on this link.

Moving on to the best part of the event, the keynote sessions. Having attended the session on 21 July 2016, I sat in for all 4 of the keynote sessions.

RSA Conference 2016 Asia Pacific & Japan

First off is the “Security in the World-Sized Web” by Bruce Schneier. He came to raise the awareness to the information security experts in the industry about the uprising of IoT (Internet of Things) world-wide robots. These IoT devices are collecting information for a purpose, just like what robots are doing. These increased usage and coverage of IoT devices will not only give power to defenders, but also the attackers. He is suggesting for smart government involvement in this area, as he believe that regardless of whether we desire for it, government are going to be part of this. Therefore, the better way of involvement is to be involved “smartly”. And lastly, policy makers need to know about the technology, which is probably, not necessarily the case in today’s industry, and this have to be changed.

Next up is the “Business Defence – Managing the Insider Threat with Security Analytics” by Alex Taverner. He talks about how insider threat has always been an issue with companies, but it is remained largely neglected in the defensive security industry. He proposed a solution from his company (or any other company, if any) which could allow an enterprise to make use of various data sources to identify insider threats, such as the social media and the behavior of the employees. I feel that while this is something interesting and definitely helpful to a large company, the collection of data is something very difficult to be implemented. Even if it is implemented forcefully, it may not be enforced and thus, practical. Without accurate data, given the best formula and analytic tools, the results would not be beneficial, do you not agree?

RSA Conference 2016 Asia Pacific & Japan

Moving on to “Maximize the Value of Your Threat Intelligence” by Jason Rolleston. He discussed about the topic of effective protection, which is something I strongly agreed. A large company can definitely invest in all the newest technologies and software, but how well do they truly integrates? Check out the image above, this is a very true situation in many companies which I have come across either personally or understood through my contacts. Allow me to put them into text,

Emerging challenge will lead to an isolated tactical mode, where the challenge overwhelm the security teams of a large corporation. The management team will then invest in the procurement of a new technology or products without proper evaluation on how well they could integrate with the existing systems. After much struggling and a long time taken, they finally managed to complete the integration with various implementation design flaws here and there, which lead to a short-lived efficiency. After a number of such scenarios have taken place in the company, it will lead to technology sprawl where once again, the vicious cycle of security team being overwhelmed will take place again. Management need to have the far sight and try to understand the technology instead of blindly follow the trend and keep investing without planning.

RSA Conference 2016 Asia Pacific & Japan

Lastly, we have the “How to Build a World-Class Network Defence Organization” by Chris Coryea. This man gives an aura of confidence, the entire speech really leaves a strong impression to me. He shared a lot of real life examples on how a corporation can build a strong network defense through various key areas. The only complaint that I have is that he focuses too strongly on his company’s product, other than that, I really like his session. In fact, allow me to share one of the statements which he shared during his session, which I like the most, and fully agreed upon (with both hands),

Technology can be taught, the framework can be integrated – but focusing on the analytical mindset is the common thread for building an effective team.

In short, to build the best security defense team, you don’t necessarily need people who have “computer science” background or “master in forensics” in their CV or resume, what you need is people with a strong passion and hunger to solve tough problems.