https://bugcrowd.com/try-bugcrowd
Release The Hounds: Part 2
“11 Years Is A Long Ass Time”
Casey Ellis - BSides Knoxville 2023
change the operating environment for hacking in good-faith
create a new market by disrupting the economics of defense vs attack
encourage the pursuit of potential
(timeline axis: 2012 to 2023)
whoami
• Founder/Chairman/CTO of Bugcrowd and Cofounder of The disclose.io Project
• Pioneered Crowdsourced Security as-a-Service
• 20+ years in infosec… Hacker > Pentest > Solutions/Sales > Entrepreneur
• Hacking Policy Council, Election Security Advisory Committee, Cyber Policy Working Group, etc
• Aussie, Husband, Dad x 2, Drummer, System Thinker
• Lives in San Francisco, California
$ sudo hack.sh $ sudo hustle.sh
@caseyjohnellis
https://cje.io
1 March 2013
https://www.slideshare.net/bugcrowd/release-the-hounds-a-look-inside-bugcrowd-ruxmon-1-march-2013
Office 0.1 (2012)
Office 1.0 (2013)
8 December 2012
The original Bugcrowd “platform”
30 November 2012
The first Bugcrowd program
2012
#ripgoodtimes
nekkminnit…
“all security is the product of something bad happening”
…Sudanese Lyft driver in San Francisco
2013
“Hacking happens”
…followed by
2014
“Hacking happens to me”
2015
“Hacking happens to me and it hurts”
2016
“Hacking happens to my country”
2017 to 2020
“Software is eating the world and bad guys are eating the software”
2020
“My employee’s 5 year old responsible for my corporate attack surface”
2021
“The Internet is basically a large pile of turtles”
2022
“Everything is basically a large pile of turtles”
2023
“The machines are coming for our pile of turtles”
if it’s repeated enough at the dinner table, it ends up in the board room…
…also, in Congress.
what was Bugcrowd doing?
Office 2.0 (2013)
Office 3.0 (2015)
Office 4.0 (2017)
300 employees
$90M USD raised
~250,000 vulns nuked
~350k hackers signed up
850 customers
#thoughtops
CISO core competencies:
• Business/Finance
• Risk
• Technical
• Political
Hackers core competencies:
• Humility
• Skill
• Empathy
broke vs woke
“do not follow the path set by others, instead make your own path and leave a trail.”
Ralph Waldo Emerson
Broke: “Rub some blockchain/automation/ML/AI on it and it will go away”
Woke: Cybersecurity is a people problem; the technology just makes it go faster

Broke: A more “perfect” security solution is a better security solution
Woke: A better security solution makes secure easier, and insecure more obvious

Broke: VDP as an external virtue signal
Woke: VDP as a way to teach the business that “to err is human, to learn from error divine”

Broke: “Bug bounties are a vulnerability-swatting silver bullet”
Woke: “Bug bounties help more organizations internalize that the boogeyman is, in fact, a real thing”

Broke: Bug bounty payouts as a vanity metric
Woke: Required payout as a proxy metric for the cost of a successful attack

Broke: “The assurance we get from pentesting is sufficient”
Woke: “We need assurance AND impact to understand risk and create builder/breaker feedback loops”

Broke: “$NATIONSTATE wouldn’t bother with my stuff”
Woke: “How do I route, detect, contain, and eject a nation-state assuming they are successful”

Broke: security@domain.com > /dev/null
Woke: disclose.io
disclose.io - Fixing the Internet’s Auto-Immune Problem
- Open Source Disclosure Policy Framework
- Safe Harbor logo recognition
- Public directory of adopters and search tools for hunters
- Legal standardization of vulnerability disclosure language
- Safe Harbor for good-faith hackers
- Rewarding proactive behavior on the company
what comes next?
• Threat actors will continue to blur together.
• Chaotic threat actors will re-emerge and we will be totally unprepared.
• Wholesale access to AI/GAI/ML will accelerate the defender’s dilemma to the point where we’ll need to reboot our view of “the game”.
• The business will force cybersecurity to continue shifting from capability-based value towards risk-based value.
• Policy and regulation will play a key role in defining the future operating landscape.
• Basic hygiene is still hard - Our primary problem will continue to be reminding people to “wash their hands after they use the restroom”.
so, how’s that idea coming along?
in summary
hackers have a seat at almost any table now
good things happen when you step out
hackers kick ass at this stuff
there’s urgency and a window of opportunity
…so henceforth and be rad.
“a ship in port is safe… …but that’s not what ships are for”
Questions?
@caseyjohnellis
casey@bugcrowd.com
https://cje.io
Greetz to sawaba, joe, and the bsidesknox crew, codesoda, serge, all the bugcrowders, and all you crazy hackers, hacker listeners, and hacker advocates out there