Introduction to Cyber Psych and Casey Ellis
00:00:26
Speaker
Hello and welcome to Cyber Psych, a Netography podcast where we talk with industry professionals about the human side of technology, how it relates to the field of security, and how it impacts the overall business. I'm your host, Dr. Stacey Thayer, and I'm a cyber psychologist and Senior Manager of Research and Engagement at Netography.
00:00:43
Speaker
I'm very excited to welcome our guest today, Casey Ellis. Casey is the founder and chief strategy officer of Bugcrowd, which launched the first bug bounty platform in 2012. He's also the co-founder of the Disclose.io project and is a 20-year veteran of information security who started in the space as a penetration tester and security researcher,
00:01:04
Speaker
before then wearing a variety of hats ranging from solutions architect to sales to CSO and then finally landing in his career as a cyber security entrepreneur.
Casey's Background and Early Hacking
00:01:13
Speaker
So Casey, it's so great to have you. Welcome. Thanks for having me. It's great to chat. So I was wondering if you could just start off with a little bit more about your background. And I had been looking on your website and it said that the idea of Bugcrowd started on a napkin.
00:01:31
Speaker
And so it was actually a Moleskine. We took a little bit of poetic license with that because it's meant to always be a napkin. But yeah. Yes. Yeah. But started off just kind of coming out and love to hear about how the idea came from. So kind of going back in time and starting from, I guess, what would be the 2012 timeframe?
From Pen Testing to Bugcrowd
00:01:50
Speaker
Yeah, for sure. Coming into that, I grew up... My father was a science teacher and a technologist. My mom is actually now a clinical psychologist, so she went off and did that. I had this combination of the human side and the tech side already kind of playing out at home.
00:02:09
Speaker
And, you know, I think my own kind of proclivities from like a learning and a hacking standpoint, I just always enjoyed tearing things apart and putting them back together to see how they worked. I think in the background somewhere, there's this idea of like, I really enjoy thinking like a criminal, but I don't want to be one. So, you know, I spent the front half of frankly, like I spent the front half of my career trying to work out how to reconcile that, right?
00:02:32
Speaker
Yeah, I worked in pentest for a chunk of time through a really fun season in offensive security. I think that was when the internet, the Trustworthy Computing memo, wireless first hitting, there was a whole bunch of stuff that was just a complete trash fire for the first time, which made what we were doing really fun. Getting into reversing, malware, all that kind of stuff.
00:02:52
Speaker
And a point in time came, it was actually when I got married, sat down with my wife and she basically said, hey, you computer good, but you people good too. I don't think you realize that everyone can not necessarily do both. You should go try your hand out on the business and the solution side of the house and see what you think. And I listened. I'm very grateful for that conversation because what she was doing was calling out
00:03:18
Speaker
potential that I had that I hadn't necessarily recognized at that point. That's something that I've actually really tried to carry forward into a lot of what I do with Bugcrowd and a lot of what the team does at this point in time.
Bugcrowd's Mission and Hacker Connection
00:03:30
Speaker
Sales for a chunk of time broke bad eventually and started a pen testing firm.
00:03:36
Speaker
And that was kind of the precursor to Bugcrowd. The two problems that I wanted to solve, aside from this idea of how do you extract potential and just help people do awesome stuff, I've always been kind of motivated to do that. But from a practical standpoint, how do we change the operating environment for folk to hack in good faith?
00:03:55
Speaker
Because when you think about the legislative change and even the change in perception around what a hacker is that we've seen play out over the past 10 years, it was very different when we first kicked Bugcrowd off. If you're able to do a bad thing to a computer, you're automatically a bad person. You had to prove that you weren't. I wanted to fix that because that felt like a dumb and unfair problem for us to all have.
00:04:22
Speaker
Um, and then the commercial part of it really was this idea that, you know, as cyber defenders, our job is to, is to outsmart this crowd of adversaries. They've got all sorts of different skillsets, like lots of different motivations. Their incentive is to be successful and not constrained by how many hours in a day they're being paid for, you know, in a, in a way like a traditional worker would, um,
00:04:46
Speaker
And the math's wrong. Basically, we're going to ultimately fail because it's not about how smart or dumb we are as defenders. It's one versus infinity. So how do you resolve that? How do you give defenders a better chance at being able to answer questions that they need to with respect to risk and just staying unhacked on their own behalf and on behalf of their users before the bad guys come along and figure out things that allow them to do
Evolution of Hacking Culture
00:05:17
Speaker
So yeah, that was kind of what was percolating in the mix. And around about the same time, Google and Facebook were starting to talk pretty openly about the success that they were having with their bug bounty programs. So Bugcrowd didn't invent bug bounty or VDP, but we were the first to come out and basically build out a platform to connect all of the latent potential that exists in the hacker community with all the problems that might need to be solved into the future on the demand side.
00:05:45
Speaker
Um, and yeah, they, you know, customers I was dealing with in a, in a pentest capacity, they wanted to, they wanted to talk about it. They wanted to ask, you know, what I thought. Um, I think the overall idea on this side was like, if you're up against an army of our adversaries, an army of allies makes sense. So I started asking the question, why aren't you doing it? And pretty much took the answers from those conversations and,
00:06:10
Speaker
on a flight home from Melbourne, which is when the napkin thing happened, the light bulb went off. This is actually a solvable problem. If we can find ways to deal with the logistical issues of payment,
00:06:23
Speaker
you know, cross-cultural communication, like translation issues, like being able to apply people and set expectations so they're working on the right things, as well as, you know, dealing with the overall kind of fear of hackers that existed in the market at that point in time. Like this is actually, it's not about bug bounty or VDP, it's actually about the future of work and the future of how we outsmart, you know, all of the bad things that might come over the hill. So yeah, that's when it all kind of went down. It's interesting, like I kind of
00:06:52
Speaker
getting my time machine here. And when I was a kid and going to 2600 meetings and, you know, the movie Hackers came out and, you know, I mean, going back to that genre, the 90s and early 2000s, like hacking was sort of glamorized, but not in a Hallmark movie kind of way, if you will, like in that, like being bad was almost the dare. That was what it was like, get away with it.
Motivations for Ethical Hacking
00:07:17
Speaker
You kind of fun and edgy things.
00:07:20
Speaker
It's grown into this. I think that's real. What's funny about that is I watched, I was in Australia, so I'm based out of San Francisco. We started the company. It got rolling. We moved out here 10 years ago. I haven't lost the accent yet, but I have to clarify that pretty frequently still, so I'm doing it now. But I was back in Australia with some hacker mates from back in the day. And I forget which anniversary it was of Hackers, but it was one of them, 25th maybe.
00:07:48
Speaker
And we all got together to watch it. And I'm sitting in a room full of grown dudes and a couple of them are starting to tear up because their reflection on that point in time is like this movie actually understood who I was trying to be and what I was trying to do at a point in time that no one else really did, which was impactful. I didn't have necessarily that same reaction in that moment, but watching them have it, it's like, okay, to your point, there was this idea of there being
00:08:17
Speaker
a very clear identity forming around what a hacker is. But at that point in time, it was so counter-cultural and so kind of anti-establishment that it sort of stayed unplugged from a lot of different things, you know, with the exceptions of, you know, the L0pht and, you know, different things that kind of popped out in that particular era, like those were the precursors, I think, to what we work with today. Um, but that was like the very, very early stage of the whole thing. Yeah. And so now when, when you're,
00:08:47
Speaker
When say like you said, OK, I want to do these things, but I don't want to be a criminal and say to a young I mean, good, good, good options that right. You know, because it is it. It's such a path of like, I can use this my powers this way. And when I when I look at I think of bug bounties, it's like, right. You get to kind of do the same thing. You're solving the problems you're hacking. Like you're literally hacking into things. You're just doing it on a more powerful like for good. You said using your powers for good.
00:09:17
Speaker
Why would, what do you think of the motivators behind that? Just besides not getting arrested. I mean, that's a really big one. But you know, when somebody is there and they're at a hacker conference and you can, or just trying to decide like, do I take the risk? Or also being groomed, because I know it's not uncommon for older hackers to use the younger generation who are under 18 and won't have long-term
00:09:42
Speaker
effects. There's all sorts of things that are going on out there. How do you get them and move them towards this motivation? A more legal kind. Yeah, no, for sure. I think there's two answers to that. One is just tapping into what's already there. Dan Kaminsky had a great quote that I use a lot still, may he rest in peace, that not everyone wants to be a drug dealer.
00:10:08
Speaker
And I thought that was a really, like it's crass, but I think it's deliberately illustrative of what's going on. Like everyone could be a drug dealer. Like that is, you know, from a practical standpoint, like that is a viable career path, um, for basically anyone. Um, but you've got people that look at that and think, no, yuck. I don't want to do that. Like they've got their own moral or ethical reaction to that. You've got other people that,
00:10:36
Speaker
don't like maybe they're more comfortable with it, but they don't like the idea of having to sleep with one eye open. All these different reasons for people to kind of not do crime.
00:10:47
Speaker
I think the fundamental essence of a hacker in general to me is more about the fact that you take what you're given and you tip it upside down to see what falls out. It's got nothing to do with criminal outcomes or anything else. It's just the default mindset of curiosity and that drive
00:11:07
Speaker
to understand the why that we are either born with or that we pick up along the way. There comes a point, I think, in the journey of most hackers where they realize that this is actually pretty powerful. Anything that's powerful is inherently dual use, at which point you've got to make the choice.
00:11:25
Speaker
It's like, am I going to become a bad guy or am I going to try to find ways to help with this stuff or just stop doing it? Like that's probably the third option, but I don't see many people take that one. So I think that's the raw material in terms of how we did it. Cause like literally one of the most rewarding things about Bugcrowd has been making,
00:11:47
Speaker
Frankly, making white hat hacking cool in a lot of ways. It sounds really antiquated to frame it like that, but it's probably the best way I could sum it up. The idea of how do you attract
00:12:00
Speaker
people that would otherwise not even realize this is a thing, let alone be interested in it. How do you market to them and have them want to become a part of this community or whatever sub community they best connect with? And then put all of that to work for the purpose of making the internet a safer place.
Building a Supportive Hacker Community
00:12:21
Speaker
There's a lot of marketing involved in that. There's a lot of communication involved in that. There's a lot of
00:12:26
Speaker
community management, just listening to people and getting it wrong, like 80% of the time, and then iterating constantly. The "Grace Hopper has a Posse" t-shirt. That's a Bugcrowd shirt, right? The reason we do stuff like that is that we recognize the fact that hackers wanted cultural rally points.
00:12:47
Speaker
Like they wanted to find things that they could all sort of identify with. And it's like this little hat tip, like you recognize someone else who's wearing that. And then, you know, when you go back over time, that's been true this entire time. It's just kind of scaled out now. We were pretty early on, I think, in becoming quite deliberate in how we worked with that. And that was always the goal, this idea of like, yep, we don't want to, you know, tweak the wrong things.
00:13:13
Speaker
We want to encourage the right things and we want to create moments that are as inclusive as possible within this community in a way that actually draws people in from outside that community. Not in a way that remains exclusive. I know another motivator for a lot of hackers, and especially ones that looked up and to say, oh, there's the L0pht, we know these names, or Cult of the Dead Cow, or all of these old school people,
00:13:41
Speaker
this notion of kind of fame and fortune, right? And with something like, say, you know, Pwn2Own, with Dragos and Kenseth, when Pwn2Own comes in, and if you win Pwn2Own, everybody, you know, you get the notoriety and the fame that goes with it. How does Bugcrowd and bug bounty programs, like, does that allow hackers that fame and that name value that they may crave or want?
Characteristics of Successful Bug Hunters
00:14:07
Speaker
Uh, we, we make it available as, as best we can. Like there's, there's an interesting, that one's a double-edged sword. Um, I've kind of learned, right? Like if you, um, you know, I think it's, it's really good and positive to be proud of things that you've achieved and you've become successful at, but if that becomes the motivation and, and, and the other things behind it start to fade into the background, then you can end up with folk that do stuff. That's not great. Um,
00:14:37
Speaker
I think that's the history of hacking is littered with that. It's been one of those things where we've always tried to be mindful when it comes to that, but the way that we approach it is basically to say, hey, if you're using this as a way to build out a resume, if you're using it as a way to basically shortcut an on-ramp into a career in cybersecurity, either as someone who's young and just getting into career stuff in the first place, or oftentimes we see
00:15:06
Speaker
from a technological standpoint, older folk who have been working as sysops or IT admins their entire career, but they've got the golden eye. They've got this curiosity and the streak and then they've just never put it to work in a career. So it creates this sort of
00:15:23
Speaker
adjacency that they can hop into. As much of that as we can create for them, we try to do that. That's mostly through education on the intake side and then letting people basically celebrate their success. We've got gamification, point systems, you connect your different profiles up and build out.
00:15:44
Speaker
I don't want to call it LinkedIn for hackers, but it's sort of in that direction in terms of, here's the proof of the fact that I can actually do the things that I say that I can. What that does as well is it activates competition and collaboration as well. So there's a whole bunch of different kinds of elements to that come out from it. But yeah, to your point of like, how do you make it cool and bring people in and create that pipeline? That's a lot of how we thought about it.
00:16:07
Speaker
Yeah. So that was just one of my questions. Is there a lot of competition? Uh, do multiple people kind of go searching for the same bug? Is it better to collaborate? Does it get competitive? How do you navigate those? Yeah. I mean, like, like any good, you know, former consultant, my answer is going to be, it depends. Um, but that is actually true. Yeah. Some, some bugs like hackers in, in the vulnerability discovery,
00:16:36
Speaker
and particularly bug bounty context, and I distinguish that from the vulnerability research context, because I think there's a different approach oftentimes being applied. They're good at different things, so you get some folk that end up
00:16:53
Speaker
really being drawn to a particular class of bug, then they think about where might this bug exist out there in the wild that other people might have missed, or that might be creating risk that engineers have put in by accident. They'll think through the probability part of the equation, not just the impact part, and then they'll go out and just find it wherever they can. So there's a group of hunters that operate like that,
00:17:20
Speaker
There's others that are just graph thinkers. They don't necessarily think about it in a methodical way. They're just looking at the outcome that they want and the technology, depending on how competent they are, just becomes transparent as a part of that process. Those are my favorite because I just like watching them do their thing. But ultimately, I think it takes all kinds. To your question of what does it look like, it really does depend on
00:17:49
Speaker
I think even just going down to neurodivergence and those sorts of things that come into this, I think that actually plays a pretty big part outside of just personality and natural inclinations. If you were to say, what are some of the traits in this setting?
00:18:06
Speaker
two-sided question of what are some of the traits of good bug hunters? And are the traits that make somebody a good bug hunter similar to what would make somebody a good hacker? I mean, not saying they're different, but on the dark side. I'm kind of dividing it into dark side and light side, right? Like, you know, in a way. On that, I feel like bug hunter is probably a subset of hacker. Like hacker is a default kind of mindset and bug hunter is a particular application of that. So maybe we roll with that as a...
00:18:33
Speaker
Yeah, they are hackers. What would make some of the traits of somebody who is a good bug hunter? I'd go back to curiosity and tenacity just as the fundamentals of a hacker that I think apply most here. I think there's an element of
00:18:56
Speaker
actually understanding business or at least wanting to, right? Because when you think about it, if you're doing like pure, you know, Bugcrowd does a lot of different things with the platform that we've built out in the community. Bug bounty is one very noisy version of it. There's a lot of others, but in that example, if it's purely competitive, it's like the first person to find an issue gets paid, the more severe the issue is, the more you get
00:19:21
Speaker
paid for it. Those are kind of the core rules. It's really understanding like why that's important. And actually, you know, the second part, you've actually got to think about what does impact actually mean to my customer? It's not just, you know, do I get shell on this thing? Or do I pop XSS or, you know, whatever kind of technical, like proof of a vulnerability, like what that might look like? It's like, why do I care? Like, why does that matter? If I'm on the receiving side of this, like,
00:19:51
Speaker
I don't know what alert one means. You've got 30 seconds to convince me, go. That is a part of it. I think that actually applies more broadly to security just in general. We're very good at talking about what's broken, but not as good at talking about why that matters.
00:20:09
Speaker
I think bug hunters that are successful recognize that pretty quickly and they start to at least lean into trying to find ways to get better at it. Not all of them become experts at that, but that whole idea of, oh, this is important too. I should apply myself to that side of it, not just the tech. I think that's been a consistent theme amongst folks that have become standouts from an earning standpoint in particular.
Interacting with Bug Hunters: Business Impact
00:20:34
Speaker
Then to flip to the company side of things, so somebody who is a CISO or an executive, what are some of the advantages for them? Do they ever interact directly with the people that are hunting the bugs or are you the mediator between the two and never the two shall meet?
00:20:56
Speaker
Yeah. The way that we set things up, this became obvious pretty early on. Two problems. One is that engineers and people that are building a thing don't build it intending for it to be broken. If you get
00:21:12
Speaker
it's broken feedback from the outside world. They're just inherently not prepared for that. There's this aspect of language translation and getting everyone on the same page that feeds up into that. That is a big thing. The other part is that bug hunters are from all over the world. You've got folks that have different levels of business literacy like we just talked about. You've got people that are ESL.
00:21:37
Speaker
You've got people that don't necessarily understand the law and think that what they found is the most important thing on the planet and you've got to find a way to talk them down but still get that information to the right place. There's a lot of different things. We're basically kind of unintended consequences as a service. All the variability that comes into that, that's a lot of
00:21:57
Speaker
what we recognized pretty early on would be a significant part of the build. That's frankly one of the things that I pride myself on as the founder of the company. We've maintained a commitment to doing that part well. To me, it's good for us as a business, but it supports the growth of the overall idea and the category at the same time.
00:22:18
Speaker
Those are some of the things that are hard. I think on the CSO end, knowing that is a good thing. Going back to the founding story, one of the answers that I got when I asked the question, why don't you just stand up a web page and open up an email inbox? How the hell am I going to manage all of that?
00:22:37
Speaker
I'm not ready as an organisation to have an incentivised conversation with the entire internet about stuff that might be broken. I'm going to need help with that, which is a real answer on their side. Recognising the fact that this is kind of hard.
00:22:54
Speaker
Some companies have got the ability to start it out and do it themselves but that's one of the reasons why we popped up. It's like this is going to be a specialty kind of contextual capability that will apply to organizations that want to do this but can't do it in-house and that's a lot of what's driven.
00:23:11
Speaker
the category to where it is today. Outside of that, it's really what you need to get done.
Mindset Shifts in Vulnerability Management
00:23:18
Speaker
I think there's the proactive version of that and the reactive version. The reactive version goes to stuff like vulnerability disclosure and just the fact that there are broken things on the internet and people find them. They might be someone who self-identifies as a security researcher or a hacker, or it might be. One of my favorite examples of this was the kid that found the FaceTime vulnerability in iOS. He was playing Minecraft.
00:23:42
Speaker
He wasn't doing security research. He just noticed his phone was doing something weird and showed his mom. His mom realized that's bad. We should try to find a way to talk to Apple about it. That's sort of how this works and you can't plan ahead for that as an organization. You just need to assume that
00:23:59
Speaker
If there's a thunderstorm overhead, lightning is going to hit a bunch of places, it might hit the house. You don't get to control that. What do you do instead? You put up a lightning rod and just anticipate it and get that information to the right place. That's the reactive version. The proactive version is I need answers to a hard security question that I can't get from
00:24:23
Speaker
my consultants, from my automation, from my tools, from my team. There's a variety of reasons for that. We do a lot of work with really bizarre tech. Some of the stuff that we've done with defense and with older, longer in the tooth organizations here in the US, you've got COBOL still kicking around in there. There's not a lot of people that
00:24:47
Speaker
get that from a security standpoint as one example. Rare skills like AI is driving. Obviously, there's a lot of interest in that right now. Part of what we're doing is trying to build out, identify the folk already in the crowd that can do security stuff in that domain, but then cultivate this next wave of folk that will answer those questions into the future. That's the kind of thing I'm talking about. That's a hard thing. I don't know where to get the answer from.
00:25:14
Speaker
Let's go. The other reason is they might need to start a pen test tomorrow and they're not prepared to wait 12 weeks for the bench to clear. So there's a speed and access to talent from a scale and delivery standpoint as well. So pretty much what we've done is built it out so that we can cater to that full spectrum, if that makes sense.
00:25:34
Speaker
Yeah, it does. And to talk anything, a couple podcasts back, I've been talking about vulnerability, both in terms of vulnerability management from like your own personal vulnerability and then but also vulnerability management within an organization and how we ostrich both with our kind of personal problems sometimes and okay, we don't want to acknowledge that, but that security programs and will sometimes ostrich and so to be able to
00:26:03
Speaker
put yourself out there and say, yes, okay, I'm going to put this out there and see what happens. Like, even though we're not prepared, even though, and we always say like, the only way through anything is to go through it, right? Like you can't pretend it's not happening. You can't not try to expose yourself because it's not going to go away just because you don't try to address it. And so they may be opening themselves up in ways they don't want to, but that's part of being vulnerable.
00:26:31
Speaker
and vulnerability management. It's funny hearing you because I literally refer to that as ostrich risk management, like the idea of like, I'm just going to pretend this doesn't exist. And that means it won't be a problem, which is a way that I think, you know, especially larger organizations have approached the code and the systems being broken for a long time. And I think really up until, you know, 2015, 2016, it kind of worked. You know what I mean? Like there wasn't enough bad stuff going on.
00:26:59
Speaker
for it to be obvious that that's not a good way to do that. Right. Um, but then all of a sudden you've got, you know, just this kind of increasingly dystopic series of hacks, kind of educating the general public, um, at which point they, you know, called for a response. Um, and I ultimately think that, um, you know, vulnerability is anti-fragile. Like it actually goes to like Kerckhoffs's principle in cryptography, like the idea that,
00:27:27
Speaker
You shouldn't build a cryptographic system assuming that the workings of that system won't become fully public at some point in the future. You need to build anti-fragility into that approach assuming that secrets are fragile and they will eventually break. If you can do that, your system will be more resilient into the future. I think the same thing applies to AppSec, to business, to life in general, but that's a whole other thing.
00:27:52
Speaker
So yeah, this idea of organizations basically coming out and saying, to me, the biggest transition that happens when an organization launches a public vulnerability disclosure program or a bounty program is inside that organization, there's this mindset shift between we're perfect and we've got this all covered, and we do our best, but we're going to screw it up sometimes and we need some help.
00:28:17
Speaker
And I think the maturity that comes with that to me is almost an indicator of the fact that there's a healthy approach to the actual nature of the problem that we're trying to solve here. Yeah, this is a subject that I can go on about for a long time because that is a fundamental truth, I think, in software development and a lot of different things that we've sort of accidentally tripped over in the process. And you can see how that's being reflected.
00:28:43
Speaker
you know, the, the national cybersecurity strategy out of the White House, which I was, you know, me and a bunch of others were a part of helping, right? Like this heavy emphasis on, on transparency, on liability, on, you know, accountability, really, it's, it's not just keep everything that's, you know, not quite what you'd like a secret and hope no one ever finds out. It's like, let's just assume that the internet's going to break that at some point. Cause that's what the internet does. Right. Yeah.
Cybersecurity Challenges and Risk Management
00:29:11
Speaker
Yeah. Cause I think.
00:29:13
Speaker
There's so much with CSO turnover and what happens when a CSO or security leader or I think anybody being hired into security, you are inheriting legacy software, legacy problems, and is it even possible to get your brain fully around, get all the vulnerabilities, all of the different problems, and at what point do you just say,
00:29:35
Speaker
All right, I'm going to let the big stuff, I'm going to take care of the big stuff, but we're not going to be able to take care of the little stuff. But that's where the hackers know that. They say, ah, that's all something. We're going to look at the little stuff. We know that the big stuff you got covered, what you're not paying attention to is so-and-so's password or the person at the cafe, whatever trope it is.
00:30:00
Speaker
How do you think we can avoid that? I think that was always true. I think the fact that that is true has just become a lot more obvious over the past period of time. Like we can't, you know, in my experience, like pre-Bugcrowd, you know, running with hackers, doing VR, doing pen tests, doing that kind of stuff of my own accord with my peers, and then like doubled down by what I've seen go through Bugcrowd over the past 10 years. Like there's always another bug.
00:30:28
Speaker
Like if you're a motivated adversary, you've got the right people and you've got the right resource either in the form of time, money or both, like you will get in full stop because it's a probability issue. Like you think about the number of lines of code that exist within a business, like the likelihood of a mistake that creates an exploitable condition is a function of that probability. And it's just, it's a, it's a math thing. Cause like we've built a really complex internet at this point.
00:30:57
Speaker
So this idea that we'll always be vulnerable, let's just learn to live with that and then try to figure out how to prioritize and deal with the most important stuff first. What that begs the question of is how do you define important and how do you make sure you're trying to do a good job? An increasingly better job of answering that question is YOLA.
00:31:20
Speaker
Yeah, because even if you've done everything right, and it's your code, your program, your software, somewhere there's usually third-party software code written that's been integrated from somewhere that's, again, unknown that you don't know, and what's that look like? Forgive the buzzword, hacks, but Log4j was a crash course in the fact that the internet's basically a giant pile of turtles, right? Yeah.
00:31:43
Speaker
Because people in security have known that for a really long time, but it took Log4Shell to demonstrate it to everyone else how true that actually is. And SolarWinds is another pretty good example from a supply chain standpoint. It's like the companies that ultimately got, or the organizations that got owned by that didn't write that code. They just bought that product and installed it. So yeah, that's the kind of thing that's possible. And this is what it looks like when it goes wrong. Yeah.
00:32:14
Speaker
I'm still optimistic though, I will say that. Good, well good, that's good to know. I do think there's a lot to be said about just being able to stare at the nature of the actual problem that we're solving in the face, because if you don't do that, then you end up coming up with things that just don't really matter.
00:32:31
Speaker
Um, at the, at the end of the day, like to me, you know, as an, as an entrepreneur and a solution here, it's like, that feels like a waste of time. Um, I do feel like we're prone to that in, in the security, we can be prone to that in security vendor space. So that's why I think the idea of just being able to unpack, like, what is the nature of what we're trying to actually solve here? And, you know, how do we rationally burn that down? I think it's a really important starting point. Yeah. Yeah. Well, and it's a, it's.
00:32:59
Speaker
I think any kind of program, I mean, it's holistic. I mean, everything from, okay, here, you're sitting in the NOC, there's like the notification comes up, or you're watching the traffic and something's going wrong, you know, kind of speaking to the Autography world, but then, okay, then what do you mean? Okay, now, what does that mean? And then you have the analyst and then, you know, it's just kind of this whole, it's why you have whole teams, it's why you have whole projects and to make sure that there's kind of a guard at every door.
00:33:25
Speaker
Yeah, and that you're able to... I think the part... I fully agree with that, but I think as well the part that is becoming more and more obvious is the hard part is actually working out what to ignore.
00:33:37
Speaker
Yeah. Because like so many of the, particularly from a technology standpoint, like the solutions we come up with just give us better insight. You look at SBOM, like that's important. We should know what's in our code, right? But now we're left with this situation where everyone's got this giant phone book of
00:33:57
Speaker
SBOM stuff on their desk on top of everything else they've been looking at that day, and they're not quite sure how to digest that and integrate that and actually operationalize it. Nothing against SBOM. I think it's important, as I said before, but the data in and of itself is not the solution. It's how you
00:34:14
Speaker
how you analyze, how you prioritize, how you make decisions as a leader on what you need to focus on next.
Advice for Aspiring Bug Hunters
00:34:21
Speaker
As vendors and as hackers, frankly, this is something that we talk about with the crowd a lot. It's going back to what I was saying before. Folks that understand the business do tend to be more effective because they're thinking more in this way than just
00:34:34
Speaker
find that next vuln, right? Yeah. So for somebody who's starting off their career in security and they might start off thinking like, okay, I want to hack this. I want to find vulnerabilities, but it said you can grow them into business.
00:34:51
Speaker
to where today's new bug bounty might be tomorrow's CISO as they grow and see how the vulnerabilities are made and learn the business side. What advice do you have for somebody who is interested in getting into bug bounties and say versus the small ones versus the big ones and where would someone start?
00:35:11
Speaker
That's a really good question. I think, um, at this point in time, like my, my answer, the reason I'm pausing on that is that, you know, my answer to that question has kind of evolved over the past 10 years. And it's, it's partly because the internet's different now. Um, and because, you know, what's available, I think has changed quite a bit. Um, I still go back to my default answer of like find community, like find, find people that are,
00:35:37
Speaker
that are interested at least directionally in the stuff that you think switches you on and get uncomfortable if you have to, if you're not naturally a social person. There's plenty of hacker communities that are full of people like that, so it's okay. Just go trying through whatever means you can to connect with those and get with folks that you can start to test ideas with, learn from, jam on stuff, do all those different things.
00:36:04
Speaker
To me, that never ends. That's advice I give to everyone regardless, but I do think it's super relevant to baseline with that early in the journey because it makes all the difference, I think. Even with what you were saying before about competition versus collaboration, the most effective hunters are the ones that know what they're not good at and know how to find people who are
00:36:28
Speaker
so they can actually work together to get an outcome, right? Which when you think about it, that's how the bad guys operate. Like most of the malicious crews end up, that's how they've been doing it for 20 or 30 years. So the white hats are just kind of collecting around that same way of solving the problem. And it's a thing that works because it works, right? Um, so there's that. And then yeah, like I think sampling as much as you possibly can, like not letting people, um,
00:36:58
Speaker
Like when someone gets asked a question like that, there's almost always an element of religion in the answer. It's like, Oh, you should totally do red team or like, no, red team's bad. Cause you won't learn how to defend or like there's all these kind of very dogmatic guardrails that people can kind of throw out based on their own experience. And I'm not saying they're not true, but I don't think they're very useful at the outset. I think, you know, as someone getting into it for the first time, this is just such an incredibly like,
00:37:27
Speaker
massive, diverse, complicated space where the only computer science discipline that deals with the entire stack from the silicon all the way up to the user. All of that is playground to go off and explore.
00:37:43
Speaker
To me, not narrowing yourself down too soon and actually understanding what the playground is, I think that's obviously biased towards my own learning style in some ways, but I think that's a fairly safe piece of advice for someone who's brand new. Great. There's lots of different conferences that run the Capture the Flag teams that people are looking to bond together to build and create community and get into to identify the people who think like you do.
Community and Generational Dynamics in Hacking
00:38:12
Speaker
Those are very generic answers. So, practically, looking for conferences in your local area, like BSides, is something that's very regional. I think what I've noticed post-COVID is that
00:38:26
Speaker
There's a bit of a move away from these big mega conferences where everyone gets together and they've been backfilled by more regional stuff. The good news is that makes it more accessible. It makes it less threatening for someone who's new at the same time.
00:38:42
Speaker
Looking for that kind of thing. That's a really, like, easy-to-find touchpoint if you don't have any idea where to start. Looking for CTFs, looking for the different, you know, villages and different things that people are working on that you can start to actually participate with in those events, I think is really good. And then straight up, you know, sign up for Bugcrowd. We've got, we've got a community, we've got, we've got a forum where people collaborate on techniques. We've got Bugcrowd University where I
00:39:08
Speaker
people on the platform, create content to teach each other how to get better at things they're interested in. So there's all these different opportunities to learn and grow there. I should get the hack stuff. So, you know, I'm obviously biased in that recommendation. Find your people and hack stuff. That's how it goes. Yeah, I'm fascinated to watch how that plays out as well. Because like, I've got
00:39:36
Speaker
I think we've got different generations of hacker really starting to show their obvious differences. I think we've all got something really meaningful to bring. It's not that any one of us is kind of wrong about a thing. We've just got a different bias in what we bring to the mix.
00:39:55
Speaker
So as a parent, I've got a 15-year-old daughter who looks at the digital world in a completely different way to how I ever will. I try to understand it, but I know that I'll never be in her shoes. So thinking about how this stuff evolves over time, I spend a bit of time thinking about that. That's going to be really fun to watch.
Podcast Conclusion with Stacey Thayer
00:40:15
Speaker
And grab some old people and tell them what you're working on as a rookie. And I think the same thing goes for folk in our generation. Actually actively seek out
00:40:24
Speaker
you know, the younger folk that look kind of lost and confused and see what we can do to help. Yeah. Yeah. Love it. Well, thank you so much for joining me today and talking. This has been really great and informative. I appreciate your time. Likewise. Appreciate it. All right. So thank you, Casey. And to my viewers, I will see you next time. Have a good one.