KEYNOTE: Nullcon 2021 - Security Research and Disclosure - The Unauthorized Biography How did we get here? What is my opportunity? How can I seize it?

1. https://bugcrowd.com/try-bugcrowd
Security Research and Disclosure:
The Unauthorized Biography
Casey Ellis - Nullcon 2021

2. https://bugcrowd.com/try-bugcrowd
whoami
Founder/Chairman/CTO of Bugcrowd and
Founder of disclose.io
20 years in infosec (Pentester > Solution
Architect/Sales > Entrepreneur)
Pioneered Crowdsourced Security as-a-Service
Proud Australian, husband, and father of two
Lives in San Francisco, California (Normally)
$ sudo hack.sh $ sudo hustle.sh
@caseyjohnellis
https://cje.io

3. https://bugcrowd.com/try-bugcrowd
Agenda
How did we get here?
What is my opportunity?
How can I seize it?

4. https://bugcrowd.com/try-bugcrowd
but
fi
rst...

5. https://bugcrowd.com/try-bugcrowd
Thank you India!!!
34% of payouts
83% growth in participation
Greetz to farah, streeak, cyberboy, and the bc-india
crew <3

6. https://bugcrowd.com/try-bugcrowd
How did we get here?

7. https://bugcrowd.com/try-bugcrowd
“All security is the product of
something bad happening”
…random but awesome Lyft driver

8. https://bugcrowd.com/try-bugcrowd
“Breakers drive innovation,
which creates opportunity”

9. https://bugcrowd.com/try-bugcrowd
“Unbreakable locks” (1851)

10. https://bugcrowd.com/try-bugcrowd
C (1996)

11. https://bugcrowd.com/try-bugcrowd
Web 2.0 (2005)

12. https://bugcrowd.com/try-bugcrowd
Machine Learning (2010)

13. https://bugcrowd.com/try-bugcrowd
Recon (2013)

14. https://bugcrowd.com/try-bugcrowd
Connected Auto (2015)

15. https://bugcrowd.com/try-bugcrowd
IoT (2016)

16. https://bugcrowd.com/try-bugcrowd
So what do they think of us?
(aka meanwhile, in business-
land…)

17. https://bugcrowd.com/try-bugcrowd
Pre-2012
RIP GOOD TIMES

18. https://bugcrowd.com/try-bugcrowd
…and then

19. https://bugcrowd.com/try-bugcrowd
2013
“Hacking happens”

20. https://bugcrowd.com/try-bugcrowd
…followed by

21. https://bugcrowd.com/try-bugcrowd
2014 The year of the retail breach “Hacking happens to me”
2015 Ashley Madison, OPM, Healthcare “Hacking happens to me, and it hurts”
2016 DNC hacks, election interference “Hacking happens to my country”
2017 - 2019
Breaches Breaches Breaches Breaches
Breaches Breaches Breaches Breaches
Breaches Breaches Breaches Breaches
“Software is eating the world, and bad guys are
eating the software”
2020 COVID
“My employee’s 5 year old is part of my threat
model now”

22. https://bugcrowd.com/try-bugcrowd
If it’s repeated enough at the dinner table,
it’ll end up in the board room.

23. https://bugcrowd.com/try-bugcrowd

24. https://bugcrowd.com/try-bugcrowd
…2021?

25. https://bugcrowd.com/try-bugcrowd

26. https://bugcrowd.com/try-bugcrowd
If speed is the natural enemy
of security, then the rate at
which a new technology
category comes to market is
predictive of how quickly and
how badly it’s “oh s***
moment” will be
Casey’s “Oh S*** Theorem"

27. https://bugcrowd.com/try-bugcrowd

28. https://bugcrowd.com/try-bugcrowd
“Do not follow the path set by
others, instead make your own
path and leave a trail.”
Ralph Waldo Emerson

29. https://bugcrowd.com/try-bugcrowd
What is going to catch fire next
skills should I start building?

30. https://bugcrowd.com/try-bugcrowd
Hardware / IoT
• Not slowing down
• Convergence is increasing criticality (cars, medical, OT,
smart cities, etc)
• COVID / WFH means the bad guys actually care now
• “Hardware Hacking for the Masses (and you) v2” by
@BusesCanFly

31. https://bugcrowd.com/try-bugcrowd
Blockchain and
Cryptocurrency
• Yeh, seriously.
• Smart contracts, cryptocurrency exchange security, actual
cryptography
• “Back to Basics: Application Security Practices in Smart
Contract Auditing” by @jonathanhaas

32. https://bugcrowd.com/try-bugcrowd
Machine Learning
• ML IS EVERYWHERE…
• …and most folks don’t know what it’s actually doing
• “Introduction to AI & Machine Learning” by InsiderPhd
• DEF CON AI Village and Slack/Discord

33. https://bugcrowd.com/try-bugcrowd
APIs
• APIs were already going crazy… COVID has 10x increased
that
• The interdependencies are almost always weaker than the
host itself
• LOTs of people needing security input here at the moment
• “Bad API, hAPI Hackers!” by @jr0ch17

34. https://bugcrowd.com/try-bugcrowd
Bonus round: Old Code
• Java - 23.6% of the Top 1,000 domains
• ASP.net - 21.6% of the Top 1,000 domains
• COBOL - The population who can support it are aging out
and it’ll probably outlive the earth itself…

35. https://bugcrowd.com/try-bugcrowd
“I need security to be useful to
my business”
…most CISOs in 2021

36. https://bugcrowd.com/try-bugcrowd
Business/Finance
Risk
Technical
Political
CISO

37. https://bugcrowd.com/try-bugcrowd
Humility
Skill
Empathy
h4xors

38. https://bugcrowd.com/try-bugcrowd
Breakers drive innovation, which creates opportunity
The market for that opportunity is ripe and expanding rapidly
The scarcer your knowledge, the more valuable it becomes
Don’t just be valuable, work to understand the business and
create value
Join us on our Discord!
https://discord.com/invite/TWr3Brs
To summarize…

39. https://bugcrowd.com/try-bugcrowd
Questions?
@caseyjohnellis
casey@bugcrowd.com
https://cje.io
Greetz to antriksh, asheem, hardwear.io, and the null crew,
farah and the bugcrowd india crew, hakluke, codingo, samy,
duke and katie