Exploring the dynamics and relationship between the hacker community and the engineering coalface. Today’s cybersecurity battle is not a fair fight. The attackers — growing in numbers and sophistication — have overwhelmed the comparatively small pool of defenders. Add an engineering team that’s economically incentivized to ignore security, and you’re off to a bad start. This talk is story of what happens to engineers the first time some random kid 8,000 miles away hacks their stuff as a part of their bug bounty. It’s about its outsourcing the creation of the “oh shit” moment, and seeing your engineering team become a blue team. Why is this about pairing engineering teams with hackers specifically? Because it addresses a marked gap: people who build things for a living paired with people who break things for a living.

1. Welcome to the blue team…
(How building a better hacker accidentally
built a better defender)
Casey Ellis - NodeSummit 2016
Casey Ellis - CEO
Bugcrowd Inc
W
e’re
hiring!
jobs@
bugcrowd.com

2. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
About me
@caseyjohnellis
JABAH (Just Another Blonde Aussie Hacker)
Recovering pentester turned solution architect turned sales guy turned
entrepreneur
Wife and two kids now living in San Francisco
Founder and CEO of Bugcrowd
2

3. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• I want to change the way you might already think
about connecting companies to researchers.
• Let’s be real.
• I’m not a developer. I’m a 100% breaker/fixer.
Before we begin…
3

4. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
#buildabetterhacker
4

5. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Who here builds for a living?
• Who here breaks/fixes for a living?
• Who does both?
Who’s who
5

6. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
We’re different…
6
Builders Breakers
…and that’s good.

7. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Say what?
We do completely opposite
things.
7

8. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
#bettersecurityfeedback
8

9. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS 9

10. Developer incentive
Push this feature by this deadline because $REASON.

11. Security incentive
Make sure dev doesn’t do anything that lets the bad guys in.

12. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Those who think like bad guys *greatly*
overestimate the ability for everyone else to think
like a bad guy.
• This makes them useful and valuable (but doesn’t
make them “better” or “worse)
• Tip: The next time you feel like calling a developer
“dumb”, build and launch a product first.
Side note:
12

13. The developer problem
All this security stuff is slowing us down

14. The security problem
Why won’t they take me seriously?

15. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Development contributes to products which make
money.
• Security minimizes risk of loss. No security = More
risk… but *maybe* nothing will happen.
• No dev = no product = no money = no job = no
beuno… So the feature wins.
Side note:
15

16. The real developer
problem
I don’t believe in the boogeyman

17. The real security problem
I don’t have the time/energy/people skills/resources
to convince you that the boogeyman is real.

18. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Thanks to every security vendor ever for making this
even harder.
• FUD works as a awareness tool, but FUD fatigue is
very, very real.
Side note:
18

19. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
#wereinthistogether
19

20. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Developer checklists
• Check-in testing/CI tests
• Security awareness training
• Pentesting/VA/SCA
• Outsourced things
Status quo
20
BLOCKERS

21. So we do this…
(and let’s be honest, we quite enjoy it too…)

22. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
It doesn’t work over the
long term.
22

23. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
The question:
How do we get the
business to believe in the
boogeyman?
23

24. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
A better question:
How do we create
better security feedback
for the business?
24

25. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Picard Management Tip
25
The most efficient way to get something the attention it deserves is to set it on fire.
*not a Pickard quote, but it totally should be.

26. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
The McAfee Version
26
The most security aware an organization will ever be is straight after a breach.
*not a John McAfee quote, but he’s burning benjamin’s in this pic because it’s true.

27. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Heartland, the leaders in end to end encryption!!!
• Target, with their shiny new CISO!!!
• JP Morgan Chase, with their massive new security
budget!!!
• Etc, etc, et al, QED
Examples?
27

28. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
That’s nice, but
how do I avoid
the whole
“getting pwned”
bit?
28

29. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Bug bounty!!!
29

30. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
FOREVER!!!
30
Pics by @alliebrosh
http://hyperboleandahalf.blogspot.com/2010/06/this-is-why-ill-never-be-adult.html

31. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
What’s a bug bounty
program?
31

32. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS 32

33. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
It’s not just about being
cheap, or loud…
33

34. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
…it’s about introducing you
to this guy.
34
Egor Homakov (@homakov)
aka “that guy who totally owned
Github that time”
Good guy who thinks like a bad guy
“I wonder what his next-door
neighbor can do?”

35. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
#bettersecurityfeedback
35

36. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Bug bounties create
controlled incidents…
36

37. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
… like having your code pwned
by an 18yo kid.
37

38. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
#storytime
38

39. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Eg 1: Mozilla
39
Thanks to @mwcoates
http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web
Clearing their
assurance debt
Boogeyman
belief

40. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Great success!
40

41. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
We see this pattern every.
single. time.
41

42. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Extortion attempt from Eastern Europe
• Resolved by creating a “one man bug bounty” (we
didn’t tell him he was the only one though…)
• Bug received in 15 mins
• #welcometotheblueteam
Eg 2: Western Union
42

43. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Infosec team having a *very* hard time getting buy-
in from management and engineering
• Invoke Picard Management Mode
• Received budget for another 3 team members
• #welcometotheblueteam
Eg 3: [REDACTED] social
media
43

44. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Long time customer of [EXPENSIVE WEB APP
SCANNER] getting “clean results”
• Admin of admin’s through a chained attack within 24
hours of launch
• They thought they were doing a great job at writing
secure code…
• #welcometotheblueteam
Eg 4: [REDACTED]
eCommerce provider
44

45. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Loss prevention company, works with BIG NAME
retailers
• Success of software dependent on not being
hacked - they said it couldn’t be
• Took less than 48 hours
• #welcometotheblueteam
Eg 5: Digital Safety (DISA)
45

46. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Great success!
46

47. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
1. Create a pot that benefits your engineering team
(team drinks, party, event, whatever)
2. Bug bounties paid from it.
3. What ever the hackers don’t get, you keep for your
party.
Idea:
Gamified SDLC
47

48. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Ready to start?
48

49. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Bug bounties are
awesome…
49

50. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
…but hard.
50

51. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Plan ahead
51

52. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
The Golden Rule:
Touch the code
==
Pay the bug
52

53. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
The mistake *everyone* makes:
Vulnerability data
People
53

54. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Understand the risk.
54

55. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
Align expectations before
you engage.
55

56. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
So, do you think the
boogeyman is real?
Let Egor prove it to you.
56

57. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
• Bug bounties are cost effective, and highly
marketable, but that’s not the full story…
• …they create controlled incidents that powerfully
impact the security awareness of your builders.
• Go start one.
• More tips and tricks at https://blog.bugcrowd.com
Conclusion
57

58. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
#questions
58

59. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS 59
@caseyjohnellis
https://bugcrowd.com
casey@bugcrowd.com
Greets to the Bugcrowd, the #scotcherati, @alliebrosh, @rallyvc,
@nodesummit, and the herd.
W
e’re
hiring!
jobs@
bugcrowd.com