Exploring the dynamics and relationship between the hacker community and the engineering coalface. Today’s cybersecurity battle is not a fair fight. The attackers, growing in numbers and sophistication, have overwhelmed the comparatively small pool of defenders. Add an engineering team that’s economically incentivized to ignore security, and you’re off to a bad start. This talk is the story of what happens to engineers the first time some random kid 8,000 miles away hacks their stuff as part of a bug bounty. It’s about outsourcing the creation of the “oh shit” moment, and seeing your engineering team become a blue team. Why is this about pairing engineering teams with hackers specifically? Because it addresses a marked gap: people who build things for a living paired with people who break things for a living.
Node Summit 2016 Presentation by Casey Ellis: Welcome to the blue team...
1. Welcome to the blue team…
(How building a better hacker accidentally built a better defender)
Casey Ellis - NodeSummit 2016
Casey Ellis - CEO, Bugcrowd Inc
We’re hiring! jobs@bugcrowd.com
2. @CASEYJOHNELLISBUGCROWD.COM NODE SUMMIT 2016 - CASEY ELLIS
About me
@caseyjohnellis
JABAH (Just Another Blonde Aussie Hacker)
Recovering pentester turned solution architect turned sales guy turned entrepreneur
Wife and two kids now living in San Francisco
Founder and CEO of Bugcrowd
3. Before we begin…
• I want to change the way you might already think about connecting companies to researchers.
• Let’s be real.
• I’m not a developer. I’m a 100% breaker/fixer.
12. Side note:
• Those who think like bad guys *greatly* overestimate the ability of everyone else to think like a bad guy.
• This makes them useful and valuable (but doesn’t make them “better” or “worse”).
• Tip: The next time you feel like calling a developer “dumb”, build and launch a product first.
15. Side note:
• Development contributes to products which make money.
• Security minimizes risk of loss. No security = more risk… but *maybe* nothing will happen.
• No dev = no product = no money = no job = no bueno… So the feature wins.
17. The real security problem
I don’t have the time/energy/people skills/resources to convince you that the boogeyman is real.
18. Side note:
• Thanks to every security vendor ever for making this even harder.
• FUD works as an awareness tool, but FUD fatigue is very, very real.
25. Picard Management Tip
The most efficient way to get something the attention it deserves is to set it on fire.
*Not a Picard quote, but it totally should be.
26. The McAfee Version
The most security aware an organization will ever be is straight after a breach.
*Not a John McAfee quote, but he’s burning Benjamins in this pic because it’s true.
27. Examples?
• Heartland, the leaders in end-to-end encryption!!!
• Target, with their shiny new CISO!!!
• JP Morgan Chase, with their massive new security budget!!!
• Etc, etc, et al, QED
34. …it’s about introducing you to this guy.
Egor Homakov (@homakov)
aka “that guy who totally owned Github that time”
Good guy who thinks like a bad guy
“I wonder what his next-door neighbor can do?”
42. Eg 2: Western Union
• Extortion attempt from Eastern Europe
• Resolved by creating a “one man bug bounty” (we didn’t tell him he was the only one though…)
• Bug received in 15 mins
• #welcometotheblueteam
43. Eg 3: [REDACTED] social media
• Infosec team having a *very* hard time getting buy-in from management and engineering
• Invoke Picard Management Mode
• Received budget for another 3 team members
• #welcometotheblueteam
44. Eg 4: [REDACTED] eCommerce provider
• Long time customer of [EXPENSIVE WEB APP SCANNER] getting “clean results”
• Admin of admins through a chained attack within 24 hours of launch
• They thought they were doing a great job at writing secure code…
• #welcometotheblueteam
45. Eg 5: Digital Safety (DISA)
• Loss prevention company, works with BIG NAME retailers
• Success of software dependent on not being hacked - they said it couldn’t be
• Took less than 48 hours
• #welcometotheblueteam
47. Idea: Gamified SDLC
1. Create a pot that benefits your engineering team (team drinks, party, event, whatever).
2. Bug bounties are paid from it.
3. Whatever the hackers don’t get, you keep for your party.
57. Conclusion
• Bug bounties are cost effective, and highly marketable, but that’s not the full story…
• …they create controlled incidents that powerfully impact the security awareness of your builders.
• Go start one.
• More tips and tricks at https://blog.bugcrowd.com
59.
@caseyjohnellis
https://bugcrowd.com
casey@bugcrowd.com
Greets to the Bugcrowd, the #scotcherati, @alliebrosh, @rallyvc, @nodesummit, and the herd.
We’re hiring! jobs@bugcrowd.com