Welcome to the blue team… (How building a better hacker accidentally

built a better defender)

Casey Ellis - Converge Detroit 2014

We’re hiring!

jobs@bugcrowd.com

About me@caseyjohnellis

JABAH (Just Another Blonde Aussie Hacker)

Recovering pentester turned solution architect turned sales guy turned entrepreneur

Wife and two kids now living in San Francisco

Founder and CEO of Bugcrowd

Before we begin…

• I’m not here to sell you anything.

• Let’s be real.

• I’m not a developer. I’m a 100% breaker/fixer. So I’m speaking to security folks in front of developers. This will hopefully help all of you.

Who’s who

• Who here builds for a living?

• Who here breaks/fixes for a living?

• Who does both? Seriously? You poor bugger.

You’re different.

Very different actually… and we don’t want to change that.

Builders Breakers

Say what?

You’re paid to do completely the opposite things.

Developer Incentive

Push this feature by this deadline because $REASON.

Security Incentive

Make sure dev doesn’t do anything "that lets the bad guys in.

Side note:• Those who think like bad guys *greatly*

overestimate the ability for everyone else to think like a bad guy.

• Doesn’t make security people “better”. Does make us useful (and really, really annoying).

• Tip: The next time you feel like calling a developer “dumb”, build and launch a product first.

Developer Problem

All this security stuff is slowing us down

Security Problem

Why won’t they take "me seriously?

Side note:

• Development contributes to products which make money. No dev = no product = no money = no job = no beuno.

• Security minimizes risk of loss. No security = More risk… but *maybe* nothing will happen.

• This driver for prioritization happens all. the. time.

The real developer problem

I don’t believe in the boogeyman

The real security problem

I don’t have the time/energy/people skills/resources "to convince you that the boogeyman is real.

Side note:

• Thanks to every security vendor ever for making this even harder.

• FUD works as a awareness tool, but FUD fatigue is very, very real.

Status quo

• Developer checklists

• Check-in testing/CI tests

• Security awareness training

• Pentesting/VA/SCA/outsourced things

BLOCKERS

So we do this…

(and let’s be honest, we quite enjoy it too…)

It doesn’t work over the long term.

How do we get developers to believe in the

boogeyman?

Boogeyman awareness >

Annoying checklist

Picard Management Tip

The most efficient way to get something the attention it deserves is to set it on fire. *not a Pickard quote, but it totally should be.

The McAfee Version

The most security aware an organization will ever be is straight after a breach. *not a John McAfee quote, but he’s burning benjamin’s in this pic because it’s true.

That’s nice, but how do I avoid the whole “getting pwned” bit?

Bug bounty!!!

FOREVER!!!

Pics by @alliebrosh http://hyperboleandahalf.blogspot.com/2010/06/this-is-why-ill-never-be-adult.html

What’s a bug bounty program?

History

0

125

250

375

500

1995 2000 2005 2010 2015

Uptake of bug bounty and vulnerability disclosure programs.

It’s not just about being cheap, or loud…

It’s about leveling the playing field…

…and about introducing your devs to this guy.

Egor Homakov (@homakov) !aka “that guy who totally owned Github that time” !Good guy who thinks like a bad guy !“I wonder what his next-door neighbor can do?”

Bug bounties create controlled incidents…

… like having your code pwned by an 18yo kid.

Eg 1: Mozilla

Thanks to @mwcoates http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web

Clearing their assurance debt

Boogeyman belief

Great success!

Over 120 programs we’ve seen this pattern every. single. time.

Eg 2: [REDACTED] financial services

• Extortion attempt from Eastern Europe

• Resolved by creating a “one man bug bounty” (we didn’t tell him he was the only one though…)

• Bug received in 15 mins

Great success!

Eg 3: [REDACTED] social media

• Infosec team having a *very* hard time getting buy-in from management and engineering

• Invoke Picard Management Mode

• Received budget for another 3 team members

Great success!

Gamify your SDLC

• Create a pot that benefits your dev team (team drinks, party, event, whatever) and have bug bounties paid from it. What ever the hackers don’t get, the devs keep.

• Level up: Pilot it with internal teams.

Ready to start?

Bug bounties are awesome…

…but hard.

The Golden Rule:

!

Touch the code ==

reward the bug

The mistake *everyone* makes:

!

VULNERABILITY DATA PEOPLE

Align expectations before you engage

Conclusion• Bug bounties are cost effective, and highly

marketable, but that’s not the full story…

• …the psychology of external disclosure is completely different to internal security training, and it’s extremely effective.

• Go start one.

• More tips and tricks at https://blog.bugcrowd.com

Questions?

@caseyjohnellis

https://bugcrowd.com

casey@bugcrowd.com

!

Greets to Wolf, @jimmyvo and Converge crew, builditsecure.ly, Rapid7, iamthecavalry.com, @treyford, @quine, @markstanislav,

@alliebrosh, @mwcoates, @homakov, @codesoda and the @bugcrowd team.

We’re hiring!

jobs@bugcrowd.com