Welcome to the blue team! How building a better hacker accidentally built a better defender.

Security practitioners know that the threats that face an organization are always active, and that while defenders need to get everything right, a good attacker only needs to get one thing right. That’s all well and good for security practitioners, but what about the rest of the company? How do you transform security from a rather inconvenient checklist to a nascent awareness of the threat? How do you get those responsible for providing your attack surface to actually care about whether it’s secure or not?

  1. Welcome to the blue team… (How building a better hacker accidentally built a better defender). Casey Ellis, Converge Detroit 2014. We’re hiring! jobs@bugcrowd.com
  2. About me: @caseyjohnellis. JABAH (Just Another Blonde Aussie Hacker). Recovering pentester turned solution architect turned sales guy turned entrepreneur. Wife and two kids, now living in San Francisco. Founder and CEO of Bugcrowd.
  3. Before we begin…
     • I’m not here to sell you anything.
     • Let’s be real.
     • I’m not a developer. I’m a 100% breaker/fixer. So I’m speaking to security folks in front of developers. This will hopefully help all of you.
  4. Who’s who
     • Who here builds for a living?
     • Who here breaks/fixes for a living?
     • Who does both? Seriously? You poor bugger.
  5. You’re different. Very different actually… and we don’t want to change that. Builders / Breakers.
  6. Say what?
  7. You’re paid to do completely the opposite things.
  8. Developer Incentive: Push this feature by this deadline because $REASON.
  9. Security Incentive: Make sure dev doesn’t do anything that lets the bad guys in.
  10. Side note:
     • Those who think like bad guys *greatly* overestimate the ability of everyone else to think like a bad guy.
     • Doesn’t make security people “better”. Does make us useful (and really, really annoying).
     • Tip: The next time you feel like calling a developer “dumb”, build and launch a product first.
  11. Developer Problem: All this security stuff is slowing us down.
  12. Security Problem: Why won’t they take me seriously?
  13. Side note:
     • Development contributes to products which make money. No dev = no product = no money = no job = no bueno.
     • Security minimizes risk of loss. No security = more risk… but *maybe* nothing will happen.
     • This driver for prioritization happens all. the. time.
  14. The real developer problem: I don’t believe in the boogeyman.
  15. The real security problem: I don’t have the time/energy/people skills/resources to convince you that the boogeyman is real.
  16. Side note:
     • Thanks to every security vendor ever for making this even harder.
     • FUD works as an awareness tool, but FUD fatigue is very, very real.
  17. Status quo (BLOCKERS)
     • Developer checklists
     • Check-in testing/CI tests
     • Security awareness training
     • Pentesting/VA/SCA/outsourced things
  18. So we do this… (and let’s be honest, we quite enjoy it too…)
  19. It doesn’t work over the long term.
  20. How do we get developers to believe in the boogeyman?
  21. Boogeyman awareness > Annoying checklist
  22. Picard Management Tip: The most efficient way to get something the attention it deserves is to set it on fire. *Not a Picard quote, but it totally should be.
  23. The McAfee Version: The most security aware an organization will ever be is straight after a breach. *Not a John McAfee quote, but he’s burning Benjamins in this pic because it’s true.
  24. That’s nice, but how do I avoid the whole “getting pwned” bit?
  25. Bug bounty!!!
  26. FOREVER!!! Pics by @alliebrosh, http://hyperboleandahalf.blogspot.com/2010/06/this-is-why-ill-never-be-adult.html
  27. What’s a bug bounty program?
  28. History: [chart] Uptake of bug bounty and vulnerability disclosure programs, 1995 to 2015 (count rising from 0 to roughly 500).
  29. It’s not just about being cheap, or loud…
  30. It’s about leveling the playing field…
  31. …and about introducing your devs to this guy. Egor Homakov (@homakov), aka “that guy who totally owned Github that time”. Good guy who thinks like a bad guy. “I wonder what his next-door neighbor can do?”
  32. Bug bounties create controlled incidents…
  33. … like having your code pwned by an 18yo kid.
  34. Eg 1: Mozilla. Thanks to @mwcoates, http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web. Clearing their assurance debt. Boogeyman belief.
  35. Great success!
  36. Over 120 programs we’ve seen this pattern every. single. time.
  37. Eg 2: [REDACTED] financial services
     • Extortion attempt from Eastern Europe
     • Resolved by creating a “one man bug bounty” (we didn’t tell him he was the only one though…)
     • Bug received in 15 mins
  38. Great success!
  39. Eg 3: [REDACTED] social media
     • Infosec team having a *very* hard time getting buy-in from management and engineering
     • Invoke Picard Management Mode
     • Received budget for another 3 team members
  40. Great success!
  41. Gamify your SDLC
     • Create a pot that benefits your dev team (team drinks, party, event, whatever) and have bug bounties paid from it. Whatever the hackers don’t get, the devs keep.
     • Level up: Pilot it with internal teams.
  42. Ready to start?
  43. Bug bounties are awesome…
  44. …but hard.
  45. The Golden Rule: Touch the code == reward the bug
  46. The mistake *everyone* makes: VULNERABILITY DATA vs. PEOPLE
  47. Align expectations before you engage.
  48. Conclusion
     • Bug bounties are cost effective, and highly marketable, but that’s not the full story…
     • …the psychology of external disclosure is completely different to internal security training, and it’s extremely effective.
     • Go start one.
     • More tips and tricks at https://blog.bugcrowd.com
  49. Questions?
  50. @caseyjohnellis, https://bugcrowd.com, casey@bugcrowd.com. Greets to Wolf, @jimmyvo and Converge crew, builditsecure.ly, Rapid7, iamthecavalry.com, @treyford, @quine, @markstanislav, @alliebrosh, @mwcoates, @homakov, @codesoda and the @bugcrowd team. We’re hiring! jobs@bugcrowd.com