Welcome to the blue team! How building a better hacker accidentally built a better defender.

Transcript

1. Welcome to the blue team… 
 (How building a better

   hacker accidentally built a better defender) Casey Ellis - Converge Detroit 2014

2. About me @caseyjohnellis JABAH (Just Another Blonde Aussie Hacker) Recovering

   pentester turned solution architect turned sales guy turned entrepreneur Wife and two kids now living in San Francisco Founder and CEO of Bugcrowd

3. Before we begin… • I’m not here to sell you

   anything. • Let’s be real. • I’m not a developer. I’m a 100% breaker. So I’m speaking to security folks in front of developers. This will hopefully help all of you.

4. Who’s who • Who here builds for a living? •

   Who here breaks for a living? • Who does both? Seriously? You poor bugger.

5. You’re different. Very different actually… 
 and we don’t want

   to change that. Builders Breakers

6. Say what?

7. You’re paid to do completely the opposite things.

8. None

9. Developer Incentive Push this feature by this 
 deadline because

   $REASON.

10. Security Incentive Make sure dev doesn’t do anything " that

    lets the bad guys in.

11. Side note: • Those who think like bad guys *greatly*

    overestimate the ability for everyone else to think like a bad guy. • Doesn’t make security people “better”. Does make us useful (and really, really annoying). • Tip: The next time you feel like calling a developer “dumb”, build and launch a product first.

12. Developer Problem All this security shit 
 slows us down

13. Security Problem Why won’t they take " me seriously?

14. Side note: • Development contributes to products which make money.

    No dev = no product = no money = no job = no beuno. • Security minimizes risk of loss. No security = More risk… but *maybe* nothing will happen. • This driver for prioritization happens all. the. time.

15. The real developer problem I don’t believe in 
 the

    boogeyman

16. The real security problem I don’t have the time/energy/people skills/resources

    " to convince you that the boogeyman is real.

17. Side note: • Thanks to every security vendor ever for

    making this even harder. • FUD works, but FUD fatigue is real.

18. Status quo • Developer checklists • Check-in testing/CI tests •

    Security awareness training • Pentesting/VA/outsourced things BLOCKERS

19. So we do this… (and let’s be honest, we quite

    enjoy it too…)

20. It doesn’t work over the long term.

21. How do we get developers to believe in the boogeyman?

22. Boogeyman awareness > Annoying checklist

23. Pickard Management Tip

24. The McAfee Version The most security aware an organization will

    ever be is straight after a breach. *not a John McAfee quote, but he’s burning benjamin’s in this pic because it’s true.

25. That’s nice, but how do I avoid the whole “getting

    pwned” bit?

26. Bug bounty!!!

27. FOREVER!!! Pics from @alliebrosh http://hyperboleandahalf.blogspot.com/2010/06/this-is-why-ill-never-be-adult.html

28. What’s a bug bounty program?

29. History 0 125 250 375 500 1995 2000 2005 2010

    2015

30. It’s not just about being cheap, or loud…

31. It’s about leveling the playing field…

32. …and about introducing your devs to this guy. Egor Homakov

    (@homakov) aka “that guy who totally owned Github that time” ! Good guy who thinks like a bad guy ! “I wonder what his next-door neighbor can do?”

33. Bug bounties create controlled incidents…

34. … like having your code owned by an 18yo kid.

35. Mozilla Thanks to @mwcoates http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web

36. Two other “non-slide” examples

37. An idea: Gamify your SDLC • Create a pot that

    benefits your dev team (team drinks, party, event, whatever) and have bug bounties paid from it. What ever the hackers don’t get, the devs keep. • Level up: Pilot it with internal teams.

38. Ready to start?

39. Bug bounties are awesome…

40. …but hard.

41. The Golden Rule: ! Touch the code == reward the

    bug

42. The mistake *everyone* makes: ! VULNERABILITY DATA PEOPLE

43. Conclusion • Bug bounties are cost effective, and highly marketable…

    but that’s not the full story… • …the psychology of external disclosure is completely different to internal security training, and it’s extremely effective. • Go start one. • More tips and tricks at https://blog.bugcrowd.com

44. Questions?

45. @caseyjohnellis https://bugcrowd.com [email protected] ! Greets to Wolf, @jimmyvo and Converge

    crew, builditsecure.ly, Rapid7, iamthecavalry.com, @treyford, @quine, @markstanislav, @alliebrosh, @mwcoates, @homakov, @codesoda and the @bugcrowd team.