Security Research and Disclosure: The Unauthorized Biography - Nullcon March 2021

Antriksh Shah:
Hey everyone. Welcome to the first edition of Nullcon online conference, 2021. We are super excited with talks and activities through out the month of March. With various CTAs, workshops, trainings and resume clinics for all of you in the InfoSec community. I'm super proud to host this event this year with more than 53 countries participation from. Last year on the same day we organized Nullcon physically in Goa. Seen that we have been engaging with the InfoSec community and industry through out COVID-19, by organizing various sessions like webinars, CTAs, workshops and a lot more.

Antriksh Shah:
We have also successfully completed trainings online. In the last for days, we had more than 300 participations spread across 13 different trainings and a lot of happy faces at the end of the training. So let's get started now. The schedule for today is going to be, we have one keynote, four technical talks and one panel session. I hope you all enjoy the enormous amount of knowledge that our speakers have to share with you all.

Antriksh Shah:
Our first keynote for the day is none other that Casey Ellis. India dominates  when the world when it comes to the number of Bug Bounty hunters and payouts. None other than Casey, who's the founder and chairman of Bugcrowd, would know more. He is a dear friend who I know since 2014,  when we did the first Bug Bounty, actually call it the bug bash, in [inaudible 00:01:58]. He would be sharing his insights on views related to Security Research and Disclosures, the Unauthorized Biography.

Antriksh Shah:
Some house rules, please keep your mics on mute, if you have any questions that you would like to ask our speakers, please send them across via the Zoom chat. I will be moderating them and we will take them after the speaker's presentation is complete. Now let me hand it over to Casey to deliver his keynote.

Casey Ellis:
Thank you so much. Good morning, India. Good morning Nullcon. Thank you so much for.... And firstly, before we get going, I just wanted to say that I was incredibly honored  to get the invitation to speak. Yeah, it's been just a phenomenal relationship that we've had within the here in the hacking community. There over the years with Bugcrowd and personally for a lot of the team, including myself prior to that as well. You all have this incredible capacity and potential and you're seeing it. There's incredible success happening out of the Bug hunter community across the board. I speak for myself and Ashish Gupta, the CEO at Bugcrowd, Hackloop, Kodinga, all the other usual suspects, when we say that we're really honored to be a part of connecting you all to the opportunity and a small part of that because you all come in and do the work and make it awesome. So thank you very much. It's a pleasure to be here today.

Casey Ellis:
And without further ado, let's do the awkward part where I start sharing and I have to remember how to do that. COVID-19 man, I'll tell you what, so yeah, here we go. So the talk is and that as well. This is actually my first Nullcon presenting with background support on Nullcon for many years. I have not been there physically for the conference yet it is still very much on the to do list. I figured doing it virtually, I mean, it's not as good as being there on the ground with all your folk, but we'll take it anyway. So let's get started.

Casey Ellis:
So the talk today is Security Research and Disclosure, I'm saying that thumbs up. The Unauthorized Biography. Really what we're going to talk through is kind of a bit of a history of how we got to where we are today, what the market is doing and what that means in terms of being able to spot opportunity coming over the horizon, some of the things that the bug hunters and people involved in security research can think about to really, maximize their potential, maximize their opportunity going forward. Just a place to think about how they direct their effort. Because there's a lot of stuff, right? And I think being able to choose and find the things that are most powerful and exciting for you, but also that are going to be most valuable on the market is a really interesting thing to start thinking about.

Casey Ellis:
So who am I? I could just got a glowing set up there so I won't get too much further into it. I do have the hack hustle kind of persona split. So my background is actually as a, I moved into solutions architecture, became an entrepreneur and eventually started Bugcrowd which was about nine years ago now. So there's the Casey in the suit and then Casey kind of blurry, saying mean things to people on Twitter about security. It's an interesting duality to carry, but it's a part of what I enjoy most about my job. So yeah, founder, Chairman and CTO of Bugcrowd, also the founder of discloser.io project.

Casey Ellis:
Yeah, I've just been through my background, so about 20 years in InfoSec. I got into this straight out of high school. I mean, I was hacking the whole time as a kid, but pretty much started getting into it as a job as soon as I finished high school. Quite by accident to be honest, but it's turned out pretty well. So I'm not regretting that. So yeah, pioneered the Crowdsourced Security as a service model. We're not the inventors of vulnerability, disclosure of Bug Bounty programs, but there wasn't anyone else doing it when we started.

Casey Ellis:
So, as far as our role in basically taking this to something that's, I think, considered quite normal now, incredibly proud of that. I think one of the big things that I have is just removing the demonization of hackers in the minds of people. I think folks just in general, they're very familiar with the concept of burglars and locksmiths. I think the digital equivalent that we have online is a bit more new people. So yeah, we've put a lot of effort into trying to get people to understand that and I feel like it's been a pretty good success over the past period of time. I'm a husband, father and... So I'm still on a call. Thank you.

Speaker 3:
No?

Casey Ellis:
No. It's okay. So I'm literally in Brisbane for [Cracky Cone 00:06:32] as well right now, so I'm doing this from a hotel. We told housekeeping not to come and they've just come. So there we go. Doing it live, COVID style. Australian husband, father of two. I'm normally in San Francisco, we actually bugged out to come back to Australia to be close to family ahead of COVID and we're still here. I'm looking forward to getting back there once things kind of clear up and get a bit safer.

Casey Ellis:
So agenda, all right. How do we get here? What is my opportunity? How can I seize it? I've already laid that up, but really, that sort of lays out what we're going to be talking about today. But first, thank you all. I preempted this a little bit as well in the intro, and thanks for the invite to the keynote. But, yeah, India has been an absolute powerhouse right from the get go. In 2019. These stats from the Inside the Mind of a Hacker report the Bugcrowd published last year, 34% of all of our payouts went to India, and we saw a 83% growth in participation on the platform. That was like, all of a sudden a whole bunch of folk thought, "Oh, keep the Nullcon increasing. Cool. Let's join in with those guys, get involved in security and stop participating in programs."

Casey Ellis:
And yeah, as I said before, we're honored to play the role that we play in being able to connect you all to opportunity and help you be a part of this broader mission of making the internet a safer place. Yeah, the fact that we get to do that, think like bug guys, not be bad guys, actually do good things and make money in the process, I think is a pretty cool feature of what we get to do here. So, thank you and greets the Ferris, Drake Cyberboy, who was one of the original hunters on the platform from way back in the day, and the rest of the Bugcrowd and you occur over there as well.

Casey Ellis:
All right. A couple of years back, I was riding in a lift in San Francisco and the driver was Sudanese, he'd immigrated to the US and we're talking about security and just risk and different things like that, because yeah, it's just idle chat with me invariably turns into a conversation about that type of thing. And he just trotted out this incredible phrase, which I've probably stolen from him. I'd love to try to find that guy so I can go back and actually giving proper credit. But, this is literally how that went down. It's like, all security is the product of something bad happening. Which is kind of a dark way to think about it, right? But honestly, it's also sort of true.

Casey Ellis:
When you think about people building a business, they're not building it to not get hacked. They're building it to do the thing that the business wants to do. The fact that they're introducing vulnerability and weakness and risk in the process is not necessarily something they're doing on purpose, it's just not the thing that they're most focused on, right? So it takes bad things oftentimes, so people will realize that there's an issue, so that they can start to reduce that risk. And the thing is that, there's really two versions of bad things that can happen. There's the actual bad things, which I'm going to go through a list of. But then there's also the version of bad things that can happen when people with a breaker mindset, like the folk listening to this talk, come in and actually show in good faith, what can be done, what's possible, what needs to be fixed.

Casey Ellis:
Ultimately, I think breakers and that breaker mindset is really a principal driver of innovation right across the board. Like builders build stuff, they have ideas, they take things forward, but then this breaker mindset comes in and tests all the assumptions that have been created, provides that feedback, and then you just grow and improve and amazing things happen as a part of that and that creates opportunity. So let's talk about some examples of that. Yeah, the technology here, the innovation was unbreakable locks. This is what we credit as the first security Bug Bounty that we can find ever.

Casey Ellis:
What happened was a company basically put out, I think it was a 50,000 US dollar equivalent in today's currency reward in the 1850s, at the World Fair to see if anyone could break this unbreakable lock. And it was a marketing stunt, they actually didn't think it was possible. But then this guy named Charles Hobbs, came in and showed them that it was. The result of that was, basically there was a bunch of papers that were created out of that and it became like this really seminal moment in physical security, where there was a lot of improvement that was actually catalyzed by someone who came in and thought differently, right?

Casey Ellis:
Another example, C, Aleph 1 smashing the stack for fun and profit buffer overflows. They didn't magically go away after this paper. Far from it, to be honest. But it was really this seminal moment of thinking about how to abuse the stack in context of a binary and that sort of construct. Yeah, the impact of that was obviously the creation, the exploitation of buffer overflows, later on, you had things like, slammer, blaster worm, nimbda, some of the major internet wide worms. I mean, even WannaCry, more recently, they've all taken advantage of this type of thing. The result of that has been like ISOI, DEP and X, all of these kind of memory protection implementations that continue to improve and as a result, have actually made some of the software that he was talking about back then, some of the most secure software that exists today.

Casey Ellis:
So another example of break is making things better. This one's fun. Samy, the guy. The man, the myth, the legend. And also, he's my hero. He's one, and this was an interesting one, because I think when he tells the story of how this whole went down, for him it was more of a proof of concept. It wasn't necessarily good faith or bad faith, he was just kind of noodling on a thing. And he went away, came back to his computer a couple of hours later, and the internet had basically melted at that point. This really was one of the seminal moments in the creation of application security as a discipline across the board. Because prior to that, "Oh, what can go wrong?" Like web 2.0, user generated content, everything's going to be fine, Samy comes in and actually demonstrates some of the risks that can happen around that, and all of a sudden, we've got this incredible industry today. It's a big part of what we see our customers and the hackers on our platform engage with is web stuff, right. And this is one of the areas that really precipitated that and drove a board.

Casey Ellis:
This one's Weka. This is actually machine learning. And I'll come back to this later, but machine learning as a thing that is, just this incredible innovation that came out, then all of a sudden someone abused it. This was a great Flash Crash of 2010. If you're interested in machine learning, I really encourage looking it up because it's fascinating as a story. Basically, that dip there that you can say is a trillion dollars. And that happened over the course of 30 minutes. There was an abuse case that was sped into a whole set of ML constructs and it causes stock market to completely, basically explode at that point in time. The innovation or the improvement out of that, not a whole lot  really, because the market likes to make money. So it didn't do too much about changing traders in their ability to facilitate that. But what it did do, was basically trigger the creation of policy, and other things to make the market more resilient to that type of deal.

Casey Ellis:
Here's another one that's a favorite. Recon, right? So yeah, I think the research that really got this going, the fact that people don't know where their stuff is, is not a new concept. That's been, I think, something that people in the scene have been aware of for a very long time. And it's been this kind of unsolved problem. We solved it internally for networks that we know the boundaries of, but as we started to move to Cloud, and the whole idea of the computer being out there over the public internet somewhere, all of a sudden we lost track of where our stuff was.

Casey Ellis:
Naffy and Shobs came in and did a whole bunch of research actually driven by Bug Bounty hunting, to figure out how to identify assets that have been lost effectively by the user. And really the impact of that was this, I think, kind of simultaneous awareness across defenders and builders that, "Yeah, I actually don't know where my stuff is." That was always true, but they didn't really know that. So this demonstrated that since then your perimeter asset inventory is now a category attack surface management as a category this sort of set of techniques instead of things that hunters can do is driven a lot of success in the bug hunter community and things are improving as a result.

Casey Ellis:
I've got two more and then we'll get into the other side of this. Like how I think the business builders have been doing all this. Connected Auto. I know this is near and dear to the [inaudible 00:14:59]. Really the innovation was putting the internet in cars. We want features, we want things to be cool as we're using the vehicle, we actually want this fancy internet connected stuff as a part of our driving experience, because it makes it better. Charlie and Chris rock up and basically say, "Hey, you forgot security."

Casey Ellis:
What that did, was basically precipitated, we're actually, Bugcrowd was quite close to the coalface on this one, because what that did was trigger the entire automotive industry to realize, "We need help. Where can we find hackers and hunters and people with a breaker mindset to come in and tell us how to better secure our products because this is going to become a safety issue. If we get to autonomous vehicles before we figured out how to secure the connected car, that's a bad time. So we need to get on top of this right now." And Fiat Chrysler, Tesla, a bunch of the other automotive manufacturers have run bounty programs and vulnerability disclosure programs, it became a partnership. So what they did is they changed the way they thought from hackers being something out there, to something that they're actually very closely engaged with, to make their products safer. And cars are harder to hack today, as a result of that.

Casey Ellis:
The last one, which is fun is good old IoT. Yeah, this is just been an incredible space to watch, because I think for a good chunk of time that people didn't really know what IoT was, and then all of a sudden, it was everywhere and then all of a sudden, we realized that we hadn't really secured it very well in the process. So, this is not so much research, this was actually a bad thing that happened. The Mirai botnet, which went out and took out a whole bunch of DVRs and webcams that had default credentials on them, and then that was used by someone to perform a DoS. Actually, I think it was a gaming spat, the backstory that one's kind of funny, but it basically accidentally took down the internet for most of North America in the process.

Casey Ellis:
So what happened off the back of that, there was policy around baseline security controls for IoT devices that was rolled out in California first, and then a bunch of other places in North America, that's followed suit into other areas of the world, and what we're seeing now is a whole lot of innovation around secure by design, IoT development platforms, and hardware and so forth, that's making all of that area more resilient. Because this is a particular space that, now I'll come back to this one as well, it's going to continue to accelerate.

Casey Ellis:
So, all right. What do they think of us? As we've got people coming in, and creating the bad things that happen, whether they're in good faith or whether it's something like Mirai, and it was actually someone doing the wrong thing, what has the market though of us this whole time? So, this is aka meanwhile, in business land, right? This is actually a parody of the hack hustle thing that I've kind of introduced with now. So I'm going to put my suit on now and talk about the view of the world.

Casey Ellis:
Pre-2012, and Rip Good Times is a part of this because I do miss these days when everything was a little bit simpler. Occasionally, there's a whole bunch of really good things that have happened too. I think this is really the view that most of the internet including the people that build it, had of hackers. It's like they spoke, they talk funny, they dress funny, they do these weird things with computers, like there's some movies about it that I don't really understand. They look cool, they rollerblade a lot apparently, I'm not sure how that works. But it's kind of this abstract, irrelevant thing that's happening over in a corner with a group of people that I don't really understand. So, okay, on you go, it's all good.

Casey Ellis:
But then, and this actually happens, the joke is that I had absolutely no involvement in this, which is true. But it happened the same month the Bugcrowd first landed in the United States back in 2013, to fundraise. This guy did his thing. So, what the Snowden disclosures did, or created as an impact, and this is by the way, not me advocating in any direction what Snowden did. What I'm talking about is the effect that it had, was that it made everyone realize at that point in time that hacking is something that is actually relevant to me. And I'm talking about my mother, my sister, my grandparents, my aunt, my uncle, my uncle, folks that aren't necessarily security fargo technologists, just lay people that use computers every now and then. They realized, this is something that actually is relevant to me.

Casey Ellis:
Then it got worse. So basically, 2014 was the year of the retail breach. So now hacking, Snowden told me that hacking happens, now I know that it happens to me. 2015, was healthcare records getting pillaged right across the board. Okay, hacking happens to me and hurts. Because I can't ensure that the credit card is not going to reimburse my identity card or my healthcare records. 2016, is hacking happens to my country. In the North American example with the DNC hacks and all the stuff around election interference. 2017 to 2019 was just a raft of just random stuff, like Mirai was in there is, something to happen that caught everyone by surprise. It was basically this ascending narrative of like, "Yeah, this is actually a really important thing for everyone to consider and its impact is universal. It's not just another thing."

Casey Ellis:
So, software is eating the world, and the bad guys seem to be eating the software, right? 2020 was COVID. And yeah, I think the interesting thing about COVID is that it introduces this idea that, my employee is five-year old is now part of my threat model. That's a new thing. So, if a home network is a predictable extension of the corporate network, then all of a sudden, you've got televisions and toasters and home routers, and whatever else included in a corporate threat model, and that really hasn't been an issue and it very suddenly became an issue in 2020. And, of course, at the end of the year we had the whole issue with solo wins and kind of the introduction of this conversation around supply chain attacks, which is a whole other talk, I won't go into that too far now.

Casey Ellis:
But you see the point. There's all of these things that are just kind of ascending in their narrative to basically explain to the market, why we do what we do, right? So given the fact that it's such a common conversation, really what happens and what I've seen, it's part of the reason I started Bugcrowd in the first place. If things get repeated enough at the dinner table, they end up making their way into the boardroom. And what that does, is it drives basically focus from the organization. It drives the deployment of money into being able to do security better, it drives security as a higher priority, which is awesome, right?The folks that have been in security for longer than then the time period that I just just laid out, that's a huge win, because really, we've been sort of standing on the street corner, screaming at people, trying to get them to care for quite a long time and all of a sudden we've got this help of what people are already thinking about.

Casey Ellis:
In 2021, I think the question that we all need to be asking ourselves, and this goes to really the core of the talk and the recommendations I'm going to drop at the end here, Now What. For those of you who've seen this movie, for finding this group of fish stuck in a fish tank through basically the entire movie, and at the end of it they break out, they kind of roll across the street in these bags, and they land in the oceans. It's a great, awesome success. We've made it, we've done the thing that we wanted to do. Which I think is kind of similar to how security feels at this point in the market. We've actually gotten people to pay attention. Now what? They're still in these plastic bags, they've still got some more work to do.

Casey Ellis:
So what I'm going to go through is really from a skills development standpoint, and how to think about that, or how to identify opportunity and think about it as someone who's contributing into that. Some of the things that you can do to answer, "Now what?" This is a theory that I throw out there a lot. I blurred out the swear words. I'm Australian, so we swear a lot. But I wanted to be respectful in that, but it's called the, oh crap theory, for a better way of putting it. If speed is the natural enemy of security, then the rate at which in the technology category comes to market, predicts how quickly and badly it's oh crap moment is going to be. So basically, the faster something lands, the faster something gets adopted, generally, the more severe, it's like, "Oops! We forgot to secure that moment," is and generally the sooner it comes as well.

Casey Ellis:
So when you're thinking about skills development, and when you're thinking about how to differentiate yourself, when you're thinking about, what are the things that are going to be valuable that I can add to what I'm doing now, to actually firm up the things that I'm going to be able to do going forward, it begs a pretty interesting question like are you pondering what I'm pondering? Is there an area of technology that is of incredible interest to you, that's just kind of popped up, that you expect to see cause a lot of problems down the track that you can actually start to get ahead of in terms of how you're directing security research? This is why I started off with all these sort of bad things and research pieces, because this is where I do believe we get to not only build careers out and make money and feed the family and all those great things, but actually have a tremendous impact on progress.

Casey Ellis:
Yeah, Ralph Waldo Emerson said, "Do not follow the path set by others, instead make your own path and leave a trap." And I think this is a really interesting way to think about it with respect to, just this opportunity that's come up over the past eight or nine years with crowdsourcing, with kind of distributed connection of talents, opportunity, don't necessarily jump straight into being someone who does the same thing that everyone else is doing. That's a good thing if there's a lot of that opportunity there, but then starting to think about what your own things are, and developing those, I think is a really smart way to do it. Honestly, that's how I built my career. It was really getting in behind people and folks that would help me along, mentors, my community, all of that kind of thing. But then working out what that little bit there was just special to me in terms of my own interest and what I was able to pursue, that's a lot of how I've done what I've done in the past. So, clearly, I'm a fan of the idea.

Casey Ellis:
And really, what it nets out to was what is, crossed out going to catch fire next, what skills should I start building? And we'll finish up here and we can go to q&a as well. So coming back to it, hardware & IoT. It's not slowing down. Yeah, I think the thing that's happening with hardware & IoT is this property of convergence that's kicking into place. It used to be Inux and BusyBox sitting on ARM chipsets at some radio, and if you knew that, then you could do IoT. Now, you've got a car that talks to a smart city over an API with a Cloud back end, and there's this whole kind of ecosystem component that's very strongly being overlaid on top of IoT, that the more of that you understand, the more you'll be able to speak to it effectively and actually be productive and in doing security research, and all those things around it.

Casey Ellis:
And also, I think, forming a crew. What we've seen with car hacking, as a prime example, is there's often one person who really understands cars, one person who really understands embedded security, then another person who gets radio and another person who gets web and infrastructure and they work together as a team, depending on which piece of of the kill chain they're trying to get sorted out at a given point in time. So, just thinking like that, in terms of how you work with your peers.

Casey Ellis:
COVID, as I mentioned before, COVID has really triggered a shift in bad guy thinking around how to attack a corporate environment. One of the things that's happened is that, zero day for IoT, zero day for home routers, that stuff's been around forever, but no one was buying it, because it wasn't super interesting. And all of a sudden, people started buying it about halfway through last year. Which to me suggests that we're seeing some active exploitation in the world, which will actually drive more investment and more interest into this space. Here's a suggestion for a really good primer, if this is something that interests you, if you're already in this space, go nuts. If it's intriguing to you, start try to find the places where you can actually insert yourself in one simple stuff.

Casey Ellis:
Alright, next one cryptocurrency to the moon. Yeah, seriously. I trashed blockchain and cryptocurrency a fair bit, because I think, yeah, I was around for the very early beginnings of it when it was super heady and not actually generating value in the way it is today. And I still feel like there's elements of it that are a bit absurd, but we're starting to figure out how to use it. And that's the thing, is that it's not going to go away. So smart contracts as an area that's really an extension of AppSec, but it's thinking about how immutability gets written into stuff that's ultimately the product of the application. Cryptocurrency exchange security, actual cryptography, I think there's not a lot of people really getting into trying to study that right now, and it's an area that's going to become pretty relevant, especially as quantum starts to kick in and we start to have to think about cryptography differently. There's a gap there, I think, if that's something that interests you.

Casey Ellis:
Machine learning. It's everywhere, man. Ml is one of those things that really frightens me and this is why I was trying to create an example of where that's gone wrong, that goes so far back. Because if you talk about machine learning is this potential security threat, people just sort of throw it out to terminator thinking or whatever else you can see him in the background there. But the reality is that the exploitability of machine learning models is not a discipline that really exists right now. It's very small, but when you think about how much machine learning we're actually relying on, even like the selection of which panel is at the top of my screen right now, that's driven by an ml model in some ways. There's all these different things that come into it and the question becomes, if these systems are relying on untrusted user input, thinking gain, we've seen that before with AppSec right? Doesn't tend to go all that great. How can you reliably manipulate that to create an outcome that you want, but the actual user doesn't? That's what a bad guy might want to do with ml and that was the example from the Flash Crash of 2010.

Casey Ellis:
Most people don't really know what it's actually doing. I think a lot of the time when I've seen ml get implemented, it's kind of goes back to that builder, breaker priority piece that I was talking about earlier on, where the builders are just trying to get the thing to work, right? They're not as focused on trying to get it to do all of the stuff that it shouldn't. And that's where we come in. InsiderPhD is done a great talk on this, the DEF CON AI village, and this slack and discord is kind of a diaspora of people that are really digging into this type of thing. The other piece with ml is, I think, COVID has had a pretty strong impact on what privacy means. And this is where facial recognition, and all those sorts of aspects start to come into play. And we did a whole bunch of that stuff really quickly. So, I think looking back on that over time, to figure out where was that fragile? What do we need to be thinking about from a cybersecurity standpoint to make sure that privacy is preserved? That's going to be a pretty interesting space as well. The privacy zealots in the group.

Casey Ellis:
API's, they're already going crazy. COVID's 10X that I think, mostly because organization's just drove a lot of work for Bugcrowd in the past year, you've got your banking customers who have relied on a branch historically, and all of a sudden branches don't really exist because everyone's locked down. So what that did, was force digital transformation projects that they were maybe going to do over three years, all of a sudden, they're doing them over the next couple of months. API's play a really key role in that. And that's happened everywhere, right across the internet at this point in time.

Casey Ellis:
The relationships between the different systems are almost always weaker than the host themselves. With people doing API testing, often they approach it like it's a web target and the attack surface is a lot smaller. So it's actually harder to kind of hit up from that angle, if you think about it as part of an ecosystem that's often where the really bad stuff falls out. So, that's just a little tip there. And a lot of people are really needing security input here at the moment. So the J Rok talk on the level upstreams a good one for that.

Casey Ellis:
Bonus round, old code. Seriously, there is stuff that's hanging around that's not cool to learn. Necessarily, it's not Go or Ruby, or I mean, rubies. I'm dating myself, but calling Ruby out in that list. But you get what I mean, it's not one of the code does your languages that everyone's learning. The fact of it is the Java still runs like 24% of the internet. Isp.net is 21%, I think there's a really interesting gap in terms of in some of COBOL, and some of these lower level kind of mainframe languages, because the reality is that the people that wrote that stuff are actually aging out. They're retiring, they're going off and doing other things, the population that's actually available to even understand COBOL in the first place, let alone who can approach it from a breaker mindset, is thinning out at the moment. And the reality is that COBOL is going to probably outlive the heat death of planet Earth, it'll just be like a mainframe running COBOL floating around in space.

Casey Ellis:
So, this stuff continue to exist, and need security input and need people to help with it for a really, really long time and there aren't a lot of people that can do it anymore. So I think there's a really interesting gap there. And it's an interesting language to learn and so I'll just leave it at that. Otherwise, I'll get ranting about COBOL, we don't want to do that.

Casey Ellis:
Yeah, bringing it back to, how to think about it, and potentially how to double down. And again, this is like, you all have been crushing this over the past eight years, as I mentioned before,  what I'm talking about right now is how to take some of that stuff to the next level. It's the same kind of input that I'm giving a lot of different places at the moment, just around the acceleration of security and how the hacker community can actually step up into that and being a meaningful part of it. Really, what the CISO is, is asking, going back to the NEEMO, kind of now what slide is it. How do I make security useful to my business? I don't want to just hear about bugs. Yeah, no, I don't want to just spend money on blinky, light things, and tools and whatnot, I actually need to figure out how to integrate this into my business and make it a part of the overall structure of what we're doing for our customers, not just doing to prevent the bad guys from getting in.

Casey Ellis:
So from their perspective, really, their world is this, they've got to balance out between management of business and finance risk, management of the political risk, which is like communicating security internally and externally out to the market as a part of that, and then like that one piece is the technical side, which is most of what we've talked about. But I wanted to just touch on this at the end here to frame up a mental model that might be useful in terms of how you think about pursuing opportunity, going forward. So what that means is for us as a community, we need humility, we need to actually understand that as we're going to these folk, we've got things that we know that they don't, but the opposite is also true.

Casey Ellis:
So as we do that, what I see happen, and this is something that, I honestly, I had to learn midway through my career, once I started to activate this, everything accelerated because all of a sudden we were working on the same goals. It wasn't adversarial anymore, it was principal. I think humility is a key part of that. Empathy for what's going into not just securing the system going forward, but how it got there in the first place, because that again, comes into this sort of spirit and attitude of partnership, where you get to just be more valuable, you literally just get invited to give more input be more valuable, be more an integrated part of what's going on. I think that's really powerful. And of course, skill, which is what we've just been talking about.

Casey Ellis:
I think finding clearer and working out where you can continue to pursue the things that are coming over the next hill, I think it's a pretty good investment of time. So, to summarize, breakers drive innovation, which creates opportunity. The market for that opportunity is ripe, and it's expanding globally. You all in this group know that already, but what I'm telling you is that we're only just getting started. This is just the beginning of the markets, understanding of how to consume security and how to actually partner with that community to make the internet a better place. The scarcer your knowledge, the more valuable it becomes, which is why I was kind of pointing off towards these weed areas that are about to blow up,  I think that's part of the reason for doing that is that. Those are the things that are going to be incredibly valuable as you go forward.

Casey Ellis:
And as you're doing this, don't just be valuable, work to understand the business and actually create value. Because the more you can be doing that, the more you're escalating yourself from just having the technical conversations, now starting to interface with the overall company, or companies or the entire internet itself. The internet is a product of it being a business. So the more you can work with that idea, and not just the technical ones, I think the more effective and the more rewarding, frankly, it is in the future.

Casey Ellis:
So, that's me coming to an end here, the shout out is to join us on our discord. Not now because you got a conference to attend, but we'd love to see you in there once you get around to that, Luke's in there, Michael and myself, all the Bugcrowd crew and a bunch of hunters from around the place. So really appreciate, again, the opportunity to come and chat, and hopefully I've encouraged you all and communicated by gratitude for all of the incredible input in years given to not just Bugcrowd but the state of the internet itself over the past eight years. So, thank you very much.

Antriksh Shah:
Thank you, Casey, so much for this amazing presentation. I have received a few questions. I like to read them out to you.

Casey Ellis:
All right.

Antriksh Shah:
You've mentioned about the lock, the first Bug Bounty was I think some lock in the ancient history is I do not now any bunch of people who are asked to come and break the lock. So, I'm just rephrasing that, paraphrasing that question, Who was your first client? And how did you convince them when you started Bugcrowd?

Casey Ellis:
Wow. Yeah, so the first client was a company called Packetloop. One of the founders of that company is actually now the CSO of Canva, but he's a security guy. I was bouncing the idea for Bugcrowd off him at a conference in Australia, about six months before starting the business and going for the accelerator. He was like, "Yeah, that's a great idea you should totally do that." And I basically said, "Okay, if we do, you're going to be our first customer. We got a deal?' And we shook on it and he was. So, that was our first. Our second two were actually charities. So they came and said, "We need security help." That was when we're trying out the whole charity bounty thing, which was interesting. After a little while, we actually got to deal with Google early on, which was, I think, our kind of early sign that yes, this is definitely going to be a thing.

Antriksh Shah:
Alright. The second question is, it's regards to, do you also think there is a possibility of having more patch reward programs other than people who just find bugs?

Casey Ellis:
Yeah, yeah, I think so. There's been kind of recent trend of people trying to do that with code QL and same on the Discovery side, but then given that's mostly involved in open source projects, having that feed out into incentivizing people for fix. What makes that difficult in corporate land is that, folks are generally fairly cautious about giving people outside of their organization access to their code to do the fix and the challenge with fixing vulnerabilities is that you can make the issue that you've discovered go away, but you don't know what else you're breaking in the process.

Casey Ellis:
So, there's some technical hitches that are making that something that everyone does universally, but I do see more people basically trying on stuff like that. And things like the Windows Defender, I forget the exact name of it, but the mitigations bounty that Katie started up a number of years ago at Microsoft, it doesn't necessarily need to be hands on code, is something that you can just go deploy to production. It's like, here's an approach that you can take to mitigating this that you might not have thought of before, starting to see more of that sort of stuff. Really, that's an awesome question. Because I think that whole idea around, it's not just thinking about how to break things, but how to improve them as well. That's the seconds order impacted all of the stuff that we were just talking about and I think that's a really powerful thing to be thinking about as well.

Antriksh Shah:
All right. There are a few questions with regard to suggestions and guide to how to get into Bug Bounty, I would recommend to answer those questions just join the discord channel of Bugcrowd and talk to the team over there.

Casey Ellis:
Yeah. Sign up to Bugcrowd, you've got the link at the bottom, bugcrowd.com/try-bugcrowd, which is where you can sign up as researcher on the platform, and then from there, there is also two different resources. The discord is a great place to come and chat. So, I think if there is engagement around some of that stuff we can do that there as well.

Antriksh Shah:
All right. We'll take the last question, Casey.

Casey Ellis:
Sure.

Antriksh Shah:
Is Bug Bounty reaching a saturation point, especially with the application, bug hunting?

Casey Ellis:
Wow. What is bug hunting? Is usually my flip of that question. I think my personal opinion and one that's very strong is that, vulnerability disclosure programs in terms of [inaudible 00:42:13] being able to hear when something is broken on the internet, is something that is just going to become normal. It's a normal part of being in the internet. It's something that everyone should do. I also believe that's not the same as a Bug Bounty program, I think when that gets confused is been like a Bug Bounty program without cash. People are kind of doing it wrong when they position it like that, so just calling that up.

Casey Ellis:
I think Bug Bounty in terms of going out to the open internet and saying come hack my stuff I'll pay you, it's not necessarily appropriate for every organization because they don't have the ability to do anything with that information, right? So, from my perspective, [inaudible 00:42:50] you pick with this thing, then you go all this things like private programs and programs where there is more control over how you're learning about your stuff, getting better at fixing it, getting better at not been vulnerable in the first place, I think there is a huge, very wide open scope for work there. And that looks more like Crowdsourcing. That's less of a Bug Hunting thing and more of a crowd[inaudible 00:43:13]. So, that's why I always get tripped up on the use of terms, so that's was probably out of the top as an answer.

Casey Ellis:
I think there is a lot of web stuff and there always will be. I think the web either in full form or via API, is here to stay as a way technology talks to itself and the way we talk to technology, which suggests there is always going to be more opportunity to give input into that space. That said, there are a lot of people doing it, and it's more difficult to find a way to compete and pop out as someone who is an expert in that particular domain. So, yeah and on saturated I think it's strong. It's definitely the most populated aspect of security that we see from the offensive testing. So, I'd say maybe that's a better answer.

Antriksh Shah:
All right, Casey. Thank you so much for this amazing keynote.