Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
•
0 likes•181 views
Bugcrowd was founded at an inflection point in the history of the Internet and awareness of cybersecurity. A lot has changed since 2012 - to the cybersecurity industry, to the technology landscape, to the view of hackers as helpful and not just harmful, and - importantly - to the awareness of cybersecurity as "everyone's problem". In 2023, we find ourselves at a similar inflection point for our space. This keynote unpacks the last 11 years as a predictor of what is next, and as an encouragement and roadmap for budding cybersecurity entrepreneurs and solutioneers.
Recommended
More Related Content
Similar to Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
Similar to Release The Hounds: Part 2 “11 Years Is A Long Ass Time” (20)
More from Casey Ellis
More from Casey Ellis (15)
Recently uploaded
Recently uploaded (20)
Release The Hounds: Part 2 “11 Years Is A Long Ass Time”
- 1. https://bugcrowd.com/try-bugcrowd Release The Hounds: Part 2 “11 Years Is A Long Ass Time” Casey Ellis - BSides Knoxville 2023
- 3. https://bugcrowd.com/try-bugcrowd change the operating environment for hacking in good-faith create a new market by disrupting the economics of defense vs attack encourage the pursuit of potential (time) 2012 2023
- 4. https://bugcrowd.com/try-bugcrowd whoami • Founder/Chairman/CTO of Bugcrowd and Cofounder of The disclose.io Project • Pioneered Crowdsourced Security as-a-Service • 20+ years in infosec… Hacker > Pentest > Solutions/Sales > Entrepreneur • Hacking Policy Council, Election Security Advisory Committee, Cyber Policy Working Group, etc • Aussie, Husband, Dad x 2, Drummer, System Thinker • Lives in San Francisco, California $ sudo hack.sh $ sudo hustle.sh @caseyjohnellis https://cje.io
- 9. https://bugcrowd.com/try-bugcrowd 8 December 2012 The original Bugcrowd “platform”
- 10. https://bugcrowd.com/try-bugcrowd 30 November 2012 The fi rst Bugcrowd program
- 13. https://bugcrowd.com/try-bugcrowd “all security is the product of something bad happening” …Sudanese Lyft driver in San Francisco
- 17. https://bugcrowd.com/try-bugcrowd 2015 “Hacking happens to me and it hurts”
- 18. https://bugcrowd.com/try-bugcrowd 2016 “Hacking happens to my country”
- 19. https://bugcrowd.com/try-bugcrowd 2017 to 2020 “Software is eating the world and bad guys are eating the software”
- 20. https://bugcrowd.com/try-bugcrowd 2020 “My employee’s 5 year old responsible for my corporate attack surface”
- 21. https://bugcrowd.com/try-bugcrowd 2021 “The Internet is basically a large pile of turtles”
- 22. https://bugcrowd.com/try-bugcrowd 2022 “Everything is basically a large pile of turtles”
- 23. https://bugcrowd.com/try-bugcrowd 2023 “The machines are coming for our pile of turtles”
- 24. https://bugcrowd.com/try-bugcrowd if it’s repeated enough at the dinner table, it ends up in the board room…
- 31. https://bugcrowd.com/try-bugcrowd 300 employees $90M USD raised ~250,000 vulns nuked ~350k hackers signed up 850 customers
- 35. https://bugcrowd.com/try-bugcrowd Business/Finance Risk Technical Political CISO core competancies
- 38. https://bugcrowd.com/try-bugcrowd “do not follow the path set by others, instead make your own path and leave a trail.” Ralph Waldo Emerson
- 39. Broke: “Rub some blockchain/ automation/ML/AI on it and will go away” Woke: Cybersecurity is a people problem, the technology just makes it go faster
- 40. Broke: A more “perfect” security solution is a better security solution Woke: A better security solution makes secure easier, and insecure more obvious
- 41. Broke: VDP as an external virtue signal Woke: VDP as a way to teach the business that “to err is human, to learn from error divine”
- 42. Broke: “Bug bounty’s are a vulnerability swatting silver-bullet” Woke: “Bug bounty help more organization internalize that the boogeyman is, in fact, a real thing”
- 43. Broke: Bug bounty payouts as a vanity metric Woke: Required payout as a proxy metric for cost of successful attack
- 44. Broke: “The assurance we get from pentesting is sufficient” Woke: “We need assurance AND impact to understand risk and create builder/ breaker feedback loops”
- 45. Broke: “$NATIONSTATE wouldn’t bother with my stuff” Woke: “How do I route, detect, contain, and eject a nation-state assuming they are successful”
- 47. disclose.io - Fixing the Internet’s Auto-Immune Problem - Open Source Disclosure Policy Framework - Safe Harbor logo recognition - Public directory of adopters and search tools for hunters - Legal standardization of vulnerability disclosure language - Safe Harbor for good-faith hackers - Rewarding proactive behavior on the company
- 49. • Threat actors will continue to blur together. • Chaotic threat actors will re-emerge and we will be totally unprepared. • Wholesale access to AI/GAI/ML will accelerate the defenders dilemma to the point where we’ll need to reboot our view of “the game”. • The business will force cybersecurity to continue shifting from capability- based value towards risk-based value. • Policy and regulation will play a key role in defining the future operating landscape. • Basic hygiene is still hard - Our primary problem will continue to be reminding people to “wash their hands after they use the restroom”.
- 50. so, how’s that idea coming along?
- 51. https://bugcrowd.com/try-bugcrowd in summary hackers have a seat at almost any table now good things happen when you step out hackers kick ass at this stuff there’s urgency and a window of opportunity …so hence forth and be rad.
- 52. “a ship in port is safe… …but that’s not what ships are for”
- 53. https://bugcrowd.com/try-bugcrowd Questions? @caseyjohnellis casey@bugcrowd.com https://cje.io Greetz to sawaba, joe, and the bsidesknox crew, codesoda, serge, all the bugcrowders, and all you crazy hackers, hacker listeners, and hacker advocates out there