The Unlikely Romance:
Part 2 - What Now?
Casey Ellis - Hacker Halted 2019
whoami
Founder/Chairman/CTO of Bugcrowd
20 years in infosec (Pentester > Solution Architect/Sales >
Entrepreneur)
Pioneered Crowdsourced Security as-a-Service
Proud Australian, husband, and father of two
Lives in San Francisco, California
$ sudo hack.sh $ sudo hustle.sh
tl;dr:
Some Pirates are OK.
A few of my favorites…
Samy Kamkar
The guy who hacked Myspace.

“but most of all, samy is my hero”
Dr Charlie Miller
and Chris Valasek
The guys who hacked
the cars, twice.
Barnaby Jack
1977 - 2013
The guy who hacked the pacemakers (RIP)

“Sometimes you have to demo a threat to
spark a solution.”
“We’re not here to f**k spiders.”
Rear Admiral Grace Hopper
1906 - 1992
The woman who wrote the first compiler, found the
first bug, and broke most of the molds of computer
science.

“If it’s a good idea, go ahead and do it. It’s much
easier to apologize than it is to get permission.”
“You don’t manage people; you manage things. You
lead people.”
Messy?
Yes.
Disruptive?
Yes.
Effective?
Yes.
Connected vehicle security is top of mind for almost all automotive companies.
Automotive adoption of VDP and crowdsourcing outpaced all other verticals.
Autonomous vehicle security is on the same track.
Swatting XSS is considered table-stakes for ANY company.
A new generation of hardware hackers is tooling up.
Hacking is kinda cool now…
Dick Cheney fixed his pacemaker
Vulnerability disclosure added to FDA docs (Greetz to Suzanne Schwartz)
His methods were reused to reignite the medical security conversation in 2016
If you code in 2019, you can probably thank Grace for that.
A bit about Bugcrowd…
We take the latent potential of the white-hat community and
create safe, effective, and continuous feedback loops with
people who build and deploy technology.
We’ve spent the last 7 years connecting
Pirates to the problems only they can solve.
Here’s what we’ve seen.
Joe/Jane Internet’s view of
cybersecurity
Pre-2012
(I miss the good old days sometimes…)
…and then
2013
“Hacking happens”
…followed by
2014 The year of the retail breach “Hacking happens to me”
2015 Ashley Madison, OPM, Healthcare “Hacking happens to me, and it hurts”
2016 DNC hacks, election interference “Hacking happens to my country”
2017 - 2018
Breaches Breaches Breaches Breaches
Breaches Breaches Breaches Breaches
Breaches Breaches Breaches Breaches
Breaches Breaches Breaches Breaches
“Software is eating the world, and bad guys are
eating the software”
If it’s repeated enough times at the dinner table,
it’ll make its way to the Board Room.
…2019?
The business’s view of
cybersecurity
…bug bounty edition.
2012 Bugcrowd launches Hackers are scary
“Can I meet everyone who
participates in my
program?”
2016
DOD Hack The
Pentagon program
Hackers are relevant
“It’s not a question of if, but
when and how we engage
the community”
2018
Peak cybersecurity
hype
Hackers are cool
“I’d like to pay $1M for a
missing cookie header to
get in Techcrunch please”
*s/hackers/infosec/g
**s/infosec/cybersecurity/g
…2019?
“I need hackers/infosec/cybersecurity
to be useful to my business”
Financial
(Risk)
Technical
(Red, Blue, Purple)
Political
(Sales, Marketing,
Education)
Some ideas on how…
Broke:
“Rub some blockchain/
automation/ML on it and it’ll go
away”
Woke:
“Cybersecurity is a people
problem, the technology just
makes it go faster.”
Broke:
VDP as a marketing stunt
Woke:
VDP to show that failure is a part
of being human, and to jump-start
vulnerability remediation
processes
Broke:
Bug bounty as a vulnerability
swatting silver-bullet
Woke:
Bug bounty as a way for the
business to internalize that the
boogeyman is real
Broke:
(literally)
Total payouts as a vanity metric
Woke:
Required payout as a business metric for
cost of attack
Broke:
security@domain.com > /dev/null
Woke:
disclose.io
disclose.io - Fixing the Internet’s Auto-Immune Problem
Started by Bugcrowd in 2016
Re-launched in 2018
- Open Source Disclosure Policy
Framework
- Safe Harbor logo recognition
- Public directory of adopters
- Legal standardization of
vulnerability disclosure language
- Safe Harbor for good-faith
hackers
- Rewarding proactive behavior on
the company
In conclusion…
How much better off would we be today if
they’d been invited, and we’d been ready?
“A ship in port is safe,
but that’s not what ships are built for.”
Thank you!
@caseyjohnellis
casey@bugcrowd.com
@bugcrowd
www.bugcrowd.com
Greetz to @C_3PJoe @eccouncil and the @hackerhalted crew,
@securityweekly, @seccodewarrior, @mdowd, and the ISS diaspora
