Welcome to the blue team! How building a better hacker accidentally built a better defender.
Welcome to the blue team… (How building a better hacker accidentally built a better defender)
Casey Ellis - Converge Detroit 2014
About me
@caseyjohnellis
JABAH (Just Another Blonde Aussie Hacker)
Recovering pentester turned solution architect turned sales guy turned entrepreneur
Wife and two kids now living in San Francisco
Founder and CEO of Bugcrowd
Before we begin…
• I’m not here to sell you anything.
• Let’s be real.
• I’m not a developer. I’m a 100% breaker. So I’m speaking to security folks in front of developers. This will hopefully help all of you.
Who’s who
• Who here builds for a living?
• Who here breaks for a living?
• Who does both? Seriously? You poor bugger.
You’re different.
Very different actually… and we don’t want to change that.
Builders Breakers
Say what?
You’re paid to do completely the opposite things.
Developer Incentive
Push this feature by this deadline because $REASON.
Security Incentive
Make sure dev doesn’t do anything that lets the bad guys in.
Side note:
• Those who think like bad guys *greatly* overestimate the ability of everyone else to think like a bad guy.
• Doesn’t make security people “better”. Does make us useful (and really, really annoying).
• Tip: The next time you feel like calling a developer “dumb”, build and launch a product first.
Developer Problem
All this security shit slows us down
Security Problem
Why won’t they take me seriously?
Side note:
• Development contributes to products which make money. No dev = no product = no money = no job = no bueno.
• Security minimizes risk of loss. No security = More risk… but *maybe* nothing will happen.
• This driver for prioritization happens all. the. time.
The real developer problem
I don’t believe in the boogeyman
The real security problem
I don’t have the time/energy/people skills/resources to convince you that the boogeyman is real.
Side note:
• Thanks to every security vendor ever for making this even harder.
• FUD works, but FUD fatigue is real.
Status quo
• Developer checklists
• Check-in testing/CI tests
• Security awareness training
• Pentesting/VA/outsourced things
BLOCKERS
So we do this…
(and let’s be honest, we quite enjoy it too…)
It doesn’t work over the long term.
How do we get developers to believe in the boogeyman?
Boogeyman awareness > Annoying checklist
Picard Management Tip
The McAfee Version
The most security aware an organization will ever be is straight after a breach.
*Not a John McAfee quote, but he’s burning Benjamins in this pic because it’s true.
That’s nice, but how do I avoid the whole “getting pwned” bit?
Bug bounty!!!
FOREVER!!!
Pics from @alliebrosh http://hyperboleandahalf.blogspot.com/2010/06/this-is-why-ill-never-be-adult.html
What’s a bug bounty program?
History
(Chart: bug bounty programs over time; y-axis 0 to 500, x-axis 1995 to 2015)
It’s not just about being cheap, or loud…
It’s about leveling the playing field…
…and about introducing your devs to this guy.
Egor Homakov (@homakov) aka “that guy who totally owned Github that time”
• Good guy who thinks like a bad guy
• “I wonder what his next-door neighbor can do?”
Bug bounties create controlled incidents…
… like having your code owned by an 18yo kid.
Mozilla
Thanks to @mwcoates http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web
Two other “non-slide” examples
An idea: Gamify your SDLC
• Create a pot that benefits your dev team (team drinks, party, event, whatever) and have bug bounties paid from it. Whatever the hackers don’t get, the devs keep.
• Level up: Pilot it with internal teams.
Ready to start?
Bug bounties are awesome…
…but hard.
The Golden Rule:
Touch the code == reward the bug
The mistake *everyone* makes:
VULNERABILITY DATA PEOPLE
Conclusion
• Bug bounties are cost effective, and highly marketable… but that’s not the full story…
• …the psychology of external disclosure is completely different to internal security training, and it’s extremely effective.
• Go start one.
• More tips and tricks at https://blog.bugcrowd.com
Questions?
@caseyjohnellis
https://bugcrowd.com
Greets to Wolf, @jimmyvo and Converge crew, builditsecure.ly, Rapid7, iamthecavalry.com, @treyford, @quine, @markstanislav,
@alliebrosh, @mwcoates, @homakov, @codesoda and the @bugcrowd team.