
All right, welcome back from lunch, everyone. It is time for the keynote. We've got Casey Ellis with us, founder, co-founder of Bugcrowd, and very excited for Casey to join us this year. If you don't know, one of our traditions is the previous keynote speaker picks the next keynote speaker, so Ben Sadeghipour picked Casey, and Casey was able to do it, and we're thrilled to have him here today. [Applause] [Music] [Applause] Nice, nice. Thank you. Hey, thanks everyone for coming. Thank you, Adrian. Excuse the pause there. Adrian was telling me about the walk-on music and the thought he put into that, so I was just trying to clock the track, but yeah,
good choice, man, appreciate it. So good to be here in Knoxville. I've heard tons about this conference. It's actually the first time I've spoken at BSides Knoxville, and indeed the first time I've actually been to Knoxville, so sorry, but also thanks for having me. It's been really cool to meet some of y'all and get to know the town. So the talk today is Release the Hounds Part Two: 11 Years Is a Long-Ass Time. Basically we started... forgive me for the sound factory as well, that's almost entirely my fault, especially when I nearly blew everyone up in this section walking in front of the speakers. Well, apologies for that. So
we started Bugcrowd 11 years ago. The industry looked very different then. Basically what this talk is about is that journey, and, you know, some of the things that I think it infers for entrepreneurs. I won't get ahead of myself on that. There's stuff that's changed in terms of the landscape for hackers, there's stuff that's changed for entrepreneurs. Hackers make really good startup founders, and, you know, folks that have ideas in this room, this is partly for you, and then folks that are hacking things or considering soliciting hacker feedback in your organizations, for you guys as well. Shout out to Ben. As Adrian mentioned before, it was actually a really
nice gesture. Ben's been a part of our industry for a really long time now, probably eight or nine years, and to get this message from you last year to come and chat with you all was, you know, nice to hear from him, and obviously a privilege to be here, as I've mentioned. So let's do the things here. Sorry, we've had some setup stuff. You can tell I'm out of practice, right? It's like COVID, and you get back into the real world thing, you've got to plug the laptop in and make sure it works and all that stuff. So here we are. So yeah, as I said, this is a two-prong
talk. It's about what I've seen in the industry, and specifically the relationship between hackers and defenders over the past 11 years. It's also about what it's like to build a startup, right? I started Bugcrowd at an industry inflection point. You know, when we kicked off, people didn't really care about cybersecurity. It was like people like myself and Adrian and others that have been around for a while, like, screaming from street corners trying to get people to listen. We're now at a point where we don't have to do that anymore, and this talk is partly about the journey to that point, but it's also about what it infers for those of you who are looking to disrupt,
who have ideas, who have kind of innovation sort of inside of you. Like, if I can do it, anyone can, right? You can hear that I talk funny. That's always, you know, an interesting starting point when you land in America and try to build something. As an Aussie we've got a bit of a head start, but not that much of one, and, you know, I think sharing our experience... we good? Keep going? Where is the standby? There he is, hello. Sharing that experience, I think, you know, as an encouragement. I mean, basically why I started: I wanted to change the operating environment for good faith hacking. I wanted to create a
new market by disrupting the economics of attack versus defense, and as a personal thing, you know, I'm just kind of obsessed with this idea of the pursuit of potential, for myself, and to whatever degree I can inspire it in others. So that's what I'm going to cover off today. We're off to a bumpy start, but we'll settle into it. Everyone good? Give me a wave. Y'all here? All right, rock and roll. Very cool. So yeah, Australian-born, lives in San Francisco, founder, chair, CTO at Bugcrowd and co-founder of the disclose.io project. Basically we pioneered crowdsourcing as a service at Bugcrowd. We didn't
create vulnerability disclosure or bug bounty programs, that was prior art, but this idea of putting a platform in the middle of all of the creativity that exists in the good faith security research land, of which many of you are a part, and all of the creative problems that need to be solved by defenders before the bad guys solve them, we're basically the first to kind of initiate that idea, and that idea at this point in time as well is surely out of the garage. I'll get to sort of some of how we've grown. Basically, you know, my job is to see around corners and build things that will be relevant into the future. You know, I consider myself,
from a career standpoint, as a founder. Took me about 35 years to reach that conclusion, bouncing around between all sorts of different things, but that's kind of my job and that's what I do at Bugcrowd, and it's sort of the essence of the talk. But the background of that: growing up as a hacker, kind of tripping over into pen testing before it was like an established career path, and I'm sure there's a lot of you in this room that have that story as well, because our generation, that's kind of how we got into it. Moved across onto the dark side of solutions architecture and sales, and then broke bad and became an entrepreneur, and Bugcrowd's the eventual result of that. Also very involved in policy. I think one of the things, you know, going back to what I was saying before about creating a more favorable operating environment for hackers that operate in good faith, that requires changing the law. So, you know, we started working on basically petitioning the DOJ to make changes to the Computer Fraud and Abuse Act in 2016, and they just did that at the beginning of last year with some of the charging rule changes. We've been involved in DMCA, some of those other kind of anti-hacking laws that have a purpose, like you've got to be able to, you know, cloud up and rain on bad guys from a legal standpoint, but if
that chills good faith security research, then you're doing it wrong. So how do we fix that problem? So I've been pretty involved in that, election security, all sorts of other stuff as well. It's a fun ride being a founder. So what's the origin? Like, why is this talk called Release the Hounds? When we first started Bugcrowd, we had this kind of tradition of every time we'd launch a new program, we'd tweet "release the hounds," because back then it's like, well, this is scary, like hackers are like bad, and this is clearly a badass thing that these people are doing and that Bugcrowd's involved in, so we kind of worked
with that a little bit and, you know, hammed it up: "Smithers, release the hounds." Just a baseline: who's a bug hunter or a vulnerability researcher in this room here at the moment? Okay, some of you. Who knows what a bug bounty or a vulnerability disclosure program is? Mostly everyone. That's helpful. I was going to ask who's a Bugcrowd employee, but I think that's no one in this particular part of it, so I'll skip that one, but it's all good. So, you know, this is 2013. So the part one version of this talk was a talk that I gave at a Ruxmon at Google in Sydney before we came over to San Francisco for
the first time, and at that point in time we'd run... it's up here somewhere... somewhere around 20 programs, and we actually started off doing this as crowdsourced pen testing. So it wasn't bug bounty in the sense that people think of it today. It's like, if you can take a pen test budget and apply it to a group of people that have skills instead of just a singular individual, and have them actually compete or collaborate to find results, you're most likely going to get better quality results, because the right people will connect with the problem, and that's just kind of a math thing that works, right? And yeah, so I gave this talk and you
can see some of the things that, you know, we were kind of learning at the time. We didn't actually have a platform at that point in time. We just kind of YOLO'd it for about the first four or five months until we came over to SF, and this is kind of what it looks like at the start. This was about four months in. You know, 1500 testers, there's 10 bounties. There it is, I was looking for that before: 1500 testers. One of the things that was really interesting about starting Bugcrowd was the appetite that clearly existed amongst the hacker community to help, and that was part of the reason I started the company. It's like, there's all of
this resource available in the community that's basically been at the table the entire time. They've just never been extended the invite, and instead they're oftentimes treated like criminals. So how do we fix that? How do we plug, you know, this latent capability, this latent potential, in with this unmet demand and actually use that to drive things forward? And as you can see, you know, some of the folks... I was asking about VR and didn't get too many hands there, but a lot of this stuff's still the same from a crowdsourced security standpoint. If you launch a program, you get a thousand people who are super enthusiastic saying you've got clickjacking, or you've got,
you know, some of these kind of really benign vulnerabilities that are actually more a product of the fact that building stuff on the web is kind of hard, right? That comes in, but then the more interesting stuff comes in downstream from that. This particular slide turned out to be pretty accurate. Keep in mind this is what, five months after we'd actually kicked off in any formal fashion. So it's working, mostly. Still a lot to learn. I still feel like that most days in terms of how to, you know, plug hackers into cybersecurity as a problem set as it evolves. I think there's like... learning is kind of fundamental to that,
because when you think about what we all do, we're not really meant to be here in the first place, right? Like, no one builds a company intending for it to be vulnerable, and no one builds a company with the plan for it to be attacked by someone other than competition. So if you sort of extend that out, our entire industry is kind of built on unintended consequence, which means it's constantly evolving. So I think there's always something to learn, which is kind of... I find that kind of a freeing mental model to view what we do through, because, you know, who gets frustrated sometimes when people aren't listening? We're trying to help them do the right
thing, and they're like, yeah, I don't get it. You know, viewing it through that lens I think can actually help. So yeah, this all turned out to be pretty accurate. This is actually the first... this is where I had the idea. So yeah, co-founders. I had two co-founders in the origin of the company. I worked on it on my own for about probably four months before I brought those guys in, so, you know, we sort of think about it like that. But that was kind of the room where it happened, and just after we came to San Francisco for the first time, this is one of my co-founders, Sergei. That was in
a big co-working space in SF. So pretty much we went through an accelerator. You know, we delivered a bunch of proof in the first four months. We'd actually done a deal with Google at that point in time, which was a total, like, random thing. Like, how that happens, for the folks that are in the room thinking about this type of thing: I had a mentor who had done some really cool stuff, and he basically said, well, what's the worst that can happen? They say no. So just go and ask them. And I did, and they said yes. I'm like, oh, okay, that's a valuable lesson, right? And then all of a sudden we're here in San
Francisco. So yeah, this stuff, I'm going to frame it up in a way that sounds like a lot of it was by accident. It wasn't. Like, it was a product of a lot of very deliberate decision making, but kind of what I'm trying to color in here is that some of these things aren't that hard. They're just principles that you pick up along the way. You implement them, you execute, if they don't work you throw them out, you move forward. Lather, rinse, repeat, right? So this is the platform in December of 2012. It's actually a Wufoo form, or actually this is a KickoffLabs form. There was a Wufoo form that we used for
bug intake. We ran with that literally until we flew to San Francisco. My other co-founder, Chris, coded up a prototype of the platform on the flight from Sydney to San Francisco in order to pitch VC, because at that point in time what we had was proof of the fact that the crowd was there and they were willing to help, and if we plugged them in we could find really badass vulnerabilities and actually deliver, you know, increased kind of return on investment in terms of how much risk you understand you need to actually reduce at that point in time. So we had those things in place. We also had it in place that the market thought that pen testing
was kind of a bum deal in terms of the economics. Like, if I'm spending, you know, two thousand dollars a day on something that I have no guarantee on the output from, and I don't really understand what they're talking about anyway, that puts me at a disadvantage. So how do you kind of level out the economic, you know, attacker-defender equation there? So we had all of that in place, but we hadn't actually cut code yet. So Chris Raethke, my co-founder, who's awesome, like literally banged out a version, a prototype, on the flight, and when we went off and did the Sand Hill Road thing when we landed in San Francisco, that's what they all saw. This is what we were
running on. Prior to that, this is our first program, in, what is that, 30th of November 2012. This is like WordPress. I just wrote some words and said, hey, go hack this thing, and here's what we're going to do. And it worked, right? Like, this is ghetto, like this is janky, right? I agree. You see all the stuff that we're doing now and all the stuff I kind of laid out in my introduction; it didn't always look like that, and that's a part of why I'm trying to take you all through this. Yeah, 500 bucks in total is the first crowdsourced public pen test that we ran, and it worked. It was a
Rails app that I built as an out-of-office auto-reply tool for Twitter back in the day, because I was bored, I thought that was a good idea or whatever. Got a bunch of people to hack it, and I could code, like, securely-ish at that point in time, but the kind of creativity that got applied to that particular program... the top reward actually went to someone who figured out a way to do injection through the Twitter shortener that actually popped up on an unlinked page and could trigger an onmouseover XSS, which is like not the end of the world, right? Like, that's not, from a
criticality or impact standpoint, it's not that big a deal, but the amount of creativity that went into that attack chain is the kind that you would expect from, you know, a more serious kind of pen test or sort of engagement like that. So at that point it's like, okay, this works in terms of actually identifying risk and finding out things that need to be found. This is actually going to do quite a good job of that. So that's what we took across to SF, and at the time it was kind of nice. Like, who was in the industry in 2012 in the room, right? They were good times, yeah. Do you miss them? I do.
I think the thing that's happened since is that security as an industry has been commercialized. I think people know that we're actually important, in all sorts of different ways. There's, you know, economics and there's capitalism that's associated with that, and that creates opportunity for us, but I do occasionally miss the days of just, you know, RIP good times, rollerblading and looking stupid, like the movies portrayed us at the time. So that was kind of where we came in from, right? So we landed in the US, and, you know, one of the first things that happened, as kind of a first-time immigrant, you know, getting around, like,
learning how to use Lyft and Uber and all those different things that were kind of brand new to me at the time, I had this really profound conversation with a Sudanese Lyft driver that's really kind of formed a lot of my thinking around why people take defensive steps. What he was talking about is, like, all security is the product of something bad happening, right? So when you think about when people actually go through the cost and inconvenience, it's either compliance, and compliance often has its origins in something bad happening as well, or if people are doing it because they want to, it's because they've had evidence that that's important. So you don't put bars on your windows unless you know you're
in a bad neighborhood, right? Like, certain people in this room maybe don't lock their front door when they leave, because you live in a part of the world where you can do that and it's okay, but if you're in parts of the world where that's not okay, you've either experienced it yourself or you've seen someone else experience it in a way that you actually understand that you need to go through that cost and that inconvenience to keep yourselves secure. So this kind of formed a lot of... it's a bit of a pessimistic view on why people do security, but from an economic standpoint and from a social behavior standpoint I think it's pretty accurate. Why I say that is that the month
that we landed in San Francisco, this happened. I had nothing to do with it, yeah. Looking back through the past 11 years, I actually look at this as one of the linchpin moments where the non-technical internet user realized that, oh, this cybersecurity stuff maybe matters to me, I don't know what the heck anyone's talking about. Yeah, prior to that it was, you know, RIP good times, hackers and rollerblades and all that kind of stuff, but now all of a sudden, as a consumer, as a part of the voting population, as a part of the buying population, I'm now thinking about this as something that impacts me, right? And I actually, you know,
not to speak in any direction about what Snowden did, but I actually think that was a positive consequence of all this. It did catalyze the conversation in a way that I think was quite productive. Then what happens? All right, 2014, you've got Target and the retail breaches. So Eastern European and Southeast Asian crime gangs doing kind of a final hurrah on track 2 data in retailers. I think 60% of the US population got their credit card popped that year. So now hacking happens, which is what we learned from Snowden, but now it's happening to me. It doesn't hurt yet. Now it does. [Laughter] Right, 2015, you've got that. That's pretty hard to insure against if you turn up in
that breach, right? And I think a lot of people learned that the hard way, and a lot of people looked on and thought about, again, cybersecurity as this extension of personal physical safety. Humans think about physical safety all the time. We're like literally born... we're biologically programmed to do that, and we're born and we're raised and trained to do that as well. Now all of a sudden we're starting to think about the cyber thing as an extension of that same kind of threat model that we have personally, and everyone's doing that all at the same time. OPM happened this year as well, healthcare records. There was a lot of stuff that was uninsurable that got hacked
this year, and it was not good. Then this happens. All right, cool, now they're hacking my country. If I'm not able to defend myself in my personal space, I at least rely on my nation to be a proxy for that, but now they're hacking that too, right? So you can sort of see what's happening. It's this ascending kind of awareness amongst the people that ultimately hold the checkbook that pays the companies that pay us. They're starting to pay attention, they're starting to change their behavior. They still don't know what the hell's going on, but they know they should be concerned, and they're starting to, you know, make that voice
heard. I think between 2017 and 2020 we had this whole... that to me was really this kind of explosion of technology just in general, but then the bad guys rose to the occasion. So, you know, there's an expression in Silicon Valley, software's eating the world. We kind of adapted that to say, yep, software's eating the world and the bad guys are eating the software. You can see... I mean, you know, many of you would remember at least some of these breaches. It was just chaos. It was actually a really fun time to build a security company, because people don't care about risk in the same way when things are
fine. When things start to go a little bit wrong, then they're like, oh, okay, maybe we need to take this risk stuff seriously at the corporate level, and that was what was happening through that period of time. And then, of course, our good friend the pandemic. So what have we got? We've got software is eating the world and bad guys are eating the software. 2020: we've got my employee's five-year-old is now responsible for my corporate attack surface. That was new, right? Like, everyone enjoyed that. We actually bugged out. My family, we're living... so I've got a wife and two kids, we're living in San Francisco, and some little birdie told us what was about to happen from an
airspace standpoint, so we booked a ticket and flew back to Australia the next day, same day that Trump declared emergency in the US and two days before Australian airspace shut down. So doing that not to get kind of cut off from family, but then we probably got stuck there for two years because there was no one flying in or out. So that was fun. That was my kind of very first-world COVID problem, but it was definitely inconvenient. You know, when you think about how that impacted the cybersecurity environment, all of a sudden you've got this expectation, that we're still trying to figure out how to untangle today, of the home environment being a
predictable attack surface as an extension of the corporate network, and who else is in that environment? You've got your family, you've got your kids, you've got their friends, you've got, you know, guests, all these different things. So that was, you know, one of those things where it all got pretty interesting. [laughs] I was proud of this slide when I came up with it, because that's actually the year... I mean, I think the thing that happened with the ship that year, I forget the name of it... that Evergreen? Yeah, I think that's the company, there's a specific ship, but yeah. We're learning a lot about supply chain in '21, right? Like, Log4j, SolarWinds, there
was a bunch of things that basically elucidated to the broader community stuff that we'd all been talking about for quite a long time, which is the fact that, like, the internet is literally built on a big pile of turtles. Like, it's turtles all the way down. So when you're talking about, you know, software supply chains, when you're talking about vendor risk management, all those different things, those are risks that we've been thinking about for a long time, but all of a sudden they became real. And then what happens off the back of that? You get presidential EOs, you get moves of Congress, you get all those different things happening as well. So the internet is basically a large pile
of turtles. '22 taught us that everything is basically a large pile of turtles that runs on top of the internet, with Colonial, and '23 is the machines are coming for our pile of turtles. So here we are, right? Here we all are in 2023, as people that come out, you know, over the weekends to, like, be together, to network, to have a community, to build, to learn, to teach, all those different things, and this is the environment that we're operating in. You know, it sort of brings me back to the start of the talk. 2013 was an inflection point for Bugcrowd. We're at another one now,
right? I think that's a really important thing to keep in mind, for those... like, there's people in this room that that sets your Spidey senses off straight away, because chaos is a ladder. It's an opportunity to actually disrupt and create better things. That's something that I've always believed in, but I've kind of learned and demonstrated to some degree, proven through Bugcrowd, and I think it's something that applies to everyone, especially people in this room. So yeah, the phenomenon that I'm talking about is that if it's repeated enough at the dinner table, it ends up at the boardroom, right? Like, all of these conversations that I just went through were very public. There's this ascending
story around security, and all of a sudden, you know, the whole idea of, like, the SEC for example passing draft regulation or draft rules about four months ago saying that there's going to be an expectation for publicly traded companies to be accountable to the amount of cybersecurity awareness or understanding they have within their board. So what the SEC is doing is saying, hey, this is not a nerdy thing that sits off in the corner anymore. This is a core business risk issue, and as, you know, the kind of the arbiter of publicly traded companies in the US, like, you all need to be accountable for that, and we need to help you figure out how to do that. So
this is the direction that everything's moving in. We're super freaking relevant at this point in time, and I know sometimes when you're at the coalface it doesn't feel like that, but if you zoom out to look at things kind of the way I look at them, you can kind of see that's true, and hopefully I've painted that story. Also in Congress. So, you know, I mentioned before about the CFAA. That took eight years to get those charging changes through. Like, it was not a year, it was not fast, and there was a lot of pressure from myself and a bunch of others that kind of work in the cyber policy
trenches to get this stuff done, but all of the stuff I was just talking about that was happening environmentally was a catalyst, because all of a sudden security is an issue of retail politics. So you've got politicians paying attention, and those are all things that we've got basically at our disposal at this point in time to try to create better outcomes going forward. So yeah, I actually moved this slide, so it's going to jank up my thing, but, you know, pretty much what I saw going into... you know, I mentioned this before, but it's that whole idea of leveling out the playing field from a math standpoint. I'm not going to actually go too far into this,
because, like I said, it's out of order, but, you know, to me this is the demonstration. You know, to me this actually applies to entrepreneurship and solutioneering in cybersecurity as well. When I did this, you know, sitting with my iPad, triple screening or whatever it was at the time, it was this description of, you know, this DNA that we all share in security. Like, we think differently, we think upside down, we take assumptions, we invert them, and we see what falls out, right? I think that's the thing that sums people up, and you don't need to self-identify as a hacker to do that. Like, I love speaking to hackers, but I
recognize that that can be not as inclusive a term as hackers often think it is. So I'm talking about, like, literally everyone in this room has this ability, because you're in this space. We're all a bit nuts here, and that's a good thing, right? So, like, we're the ones that are saying, hey, like, we want to pick up the rope, tag us in. In this case I was talking about good faith hackers versus the black hats on this side, but it applies to people, it applies to whatever you're working on. If it's threat hunting, if it's, you know, blue team, if it's purple, if you're diving off into AI and ML and all that
kind of new stuff that's coming over the hill, whatever it might be, it's the opportunity to really pick up the rope and do all that. So what were we doing as all of this chaos was unfolding? So this is our second office. Yeah, I showed the room where it happened in our first spot. This is our second one in San Francisco. I just love that photo, just makes me feel kind of nice. That was a really fun... the early stages of building a company when it's working, it's a huge rush. Like, it's a thrill. You're getting to do some really important stuff, you're getting to do things that you believe in, and there's people coming
alongside you. It's definitely heady, and you've got to watch out for that a little bit, but it's fun at the same time. This is our second space in ministries. This is when we're about 30 or 40 people. This was another, you know, really fun period where it's still small enough that we're all kind of working on this together, but, you know, large enough that we're actually making a pretty significant impact. This is the office that we have today in San Francisco, which is empty right now. We basically, you know, stopped coming to work after COVID, and then promptly everyone kind of moved out of SF, because people do that apparently. They'll
move to Knoxville, I've heard. Is that right? That's what the Lyft driver told me on the way here, so it's all good. But that's something that we definitely experienced. You know, at this point in time we've got an office in SF, New Hampshire, London, Sydney, and Costa Rica, so we've kind of gone out and it's out of the garage, so to speak, from a startup standpoint. 300 employees, have raised 90 million bucks, we've nuked around about a quarter of a million vulnerabilities and paid out 70 million to the crowd, 350,000 hackers signed up, of which probably about 10 to 15% are active at any given point in time,
and about 850 customers. What's interesting about that customer list as well is, like, this started off as an idea in the Bay Area. One of the things that's interesting about doing a startup is that you go to, like, innovative, you know, move-fast-and-break-things companies, and they think that's a cool idea. They're actually easier to sell to as customers, but we never thought of this as just a tech solution. It's like, this is an across-the-board problem that we're trying to solve here, and if we get stuck in San Francisco, it's kind of like the lunatics validating the asylum, do you know what I mean? You've got, like, Uber saying that what you do is cool, but
everyone thinks that Uber's nuts. So yeah, you've got to at some point pivot out to convincing, you know, financial services, or, you know, military and defense, or, you know, other kind of industrial sectors that are more conservative, that you're not just a tech solution, you're something that's relevant to everyone. And that's not to poo-poo tech, by the way. I think it plays a really important role, but that was our strategy. We ended up in a position where we were working with the DoD in 2015, we started hacking cars at the end of 2015, moving really heavily into financial services around 2016, medical devices, we got involved in election security in 2018, and it just
goes on and on and on. So that's kind of how we've grown, and not to get too pitchy on this, but this is what we've built. It's basically a dating website for people that break computers, is how I like to explain it. There's two problems that Bugcrowd solves. One is the fact that listening to the internet is hard, right? And basically if you've built code and if you've got it in a place where everyone can look at it, there's probably something that's broken and someone's going to try to tell you that. So how do you let them? What disclose.io does is, how do you create a legal environment around that where they feel
safe doing that and where you feel safe actually asking them to do that and if you do a bug Bounty that's when you basically add rewards to that and incentivize it the other side of what we do is really getting access to Red Talent so you know a fun example of that is is the work that we've done in vehicles you know Automotive cyber security is a really very bizarre space I actually just came from hack the capital and uh you know ICS and BMS type stuff is similar in its nature because you've got Windows NT you've got you know Lambda running in the CR in in the cloud with apis in front of it and all kind of the
modern um you know cloudy type stuff and then you've got qnx and custom silicon and all of these different things all together operating as an ecosystem and finding people that can actually address all of the potential value modes in all of that is hard right so that's that's the other side of what we do and that's the dating website piece that I mentioned before it's actually a pretty accurate way to describe what we've built because you know the traits of the researchers we collect those and then the traits of the targets we collect those and it's not oh you do web stuff and this is a website so that's a match it's actually going through what's
maximized the probability of discovery of vulnerability or you know romance if you think about it um in the past and how can we actually kind of maximize that so that's that's kind of what we've gone and done so yeah that's the pitch hopefully that wasn't too honors and yeah coming back to the whole idea of Mission Drive and appealing to the entrepreneurs and the folks that actually want to disrupt and change making the room um you get to do some really cool stuff like we've we've you know unlocked uh where are they yeah we've unlocked basically economies or people that were disconnected from from being able to actually service a western economy giving them the ability to do this work
and do that in a meritocratic way that's been amazing so going off and educating a whole bunch of hackers we've been able to promote you know women in stem and diversity and inclusion into the space because I feel like we've come along we've still got a long way to go for sure but I actually do feel like we've come a long way as a sector in the last 10 years um you know the different kind of political things and policy pieces and all that kind of stuff that's always an interesting one for a gringo because um you know I'm getting called on to talk to U.S policy and say I'm not even I don't even vote here but that's okay
It is a system-level issue, and I think that's some of the input that we all get to have, right?

So switching gears into thought ops: what does it take to disrupt the status quo in security? These slides are going to be online. I realized before I got up and all that sort of stuff that I had way too much content to cram into 45 minutes, and I do want to have some time for questions, so I'll just blast through this and we can do that. Okay, let's start here. This one's always fun. I think through the last 10 years there was a period, 2015 or so, where it was peak insanity from the VC side in terms of "AI is just going to make all of the people problems go away, let's forget about the human element and just bet on technology and automation," which was never true. I think even now, with stuff like ChatGPT and generative AI coming out, it's still like the Iron Man suit, right? Like, the suit without the human is not as smart as it needs to be, and the human without the suit is weaker than they could be, so you put them together and good stuff happens. From my perspective cyber security is a people problem; the technology just makes it go faster. Like, the idea of someone leaving their front door unlocked and someone else exploiting that predates the internet by a couple of thousand years, right? We've just sped it up. So as a mental model to apply to how we do what we do, I think that's useful.

Broke: a more perfect security solution is a better security solution. So the technologists in the room, including myself sometimes, are always guilty of this one. It's like, "that's not right, it's going to be right, otherwise it's not secure." There's no such thing as secure. Once we figure out what secure looks like, it's the bad guy's job to innovate past that and tell us the next thing that we need to work on. So when you think about solving security problems to 100%, it's a question of whether or not that's actually the right way to think about it. When you're thinking about a system-level solution, or something that you're trying to disrupt or innovate with, to me a better security solution makes secure easy and insecure obvious, and if you have that as your fundamental design goal then good things happen.

Disclosure is an external virtue signal. "Hey everyone, we're running a VDP, look at us, we're fine, it's all good," and then not doing anything with the reports or whatever else. Broke. That is a value proposition of actually launching a VDP, but if you stop there then you've missed out. To me, the thing that's really important about vulnerability disclosure is actually presuming the fact that humans write my code, humans aren't perfect, therefore there's going to be mistakes, and sometimes those mistakes will create vulnerabilities. It takes humility to admit that as an organization. I think the really powerful thing that we see as a downstream consequence of this is that humility actually informs better security decisions going forward, so you're actually changing the culture. It's not just about going out and saying "hey, look at us," right?

Bug bounties are a vulnerability-swatting silver bullet. I always get accused of saying bug bounty is the solution to everything. I've actually never once said that, but people think I have for some reason. To me, the thing that's most powerful about a bug bounty is that it helps engineers internalize the fact that the boogeyman's actually real. It hits completely different when you have your code hacked by some kid halfway across the planet to how it hits when your red teamer comes over and taps you on the shoulder, because the first question you ask is like, okay, is he friendly, or is she friendly? Seems so, but what are their next-door neighbors like? What's the actual potential, what's the probability calculus of how I'm thinking about risk in this equation? Because I've just had it demonstrated to me that someone outside the organization can get in. That changes how you think, right? If you can make people internalize the fact that this is real, then all of a sudden we don't have to do as much of the Chicken Little running-around thing, which is good, I think, because they get tired of that.

Pen test is an assurance-only model. That's broke. I think the idea of going out and saying "cool, we've followed a methodology, we've checked all the boxes in terms of what should have been tested, therefore we're fine," like absence is proof. It's not. Sorry, proof of absence is not absence of proof. And I think we're at a point now where the industry is actually starting to understand that. Like, we've got a lot of stuff to fix here, and just having a look at things is not actually a solution to the problem; it tells us that we've had a look at things, and that's it. So combining assurance with a priority around impact and finding critical issues, all of a sudden what you're doing is ticking that compliance box but also creating those builder/breaker feedback loops that I was just talking about in the last slide.

Broke: China wouldn't bother with my stuff. Nation state, I meant to redact that; I gave this talk in Australia. Sorry, China. But nation states of whatever variety wouldn't bother with my stuff. Again, old guy telling the story: I think there was a period in the history of Bugcrowd where there was this idea that nation states have higher priorities than most of the organizations that would be represented in this room, and most of the places that I've spoken at, sans the government ones, right? SolarWinds taught us that that's not true. They might have only exploited a couple of different agencies, but they had shells everywhere. One of the things that got observed right off the back of the news of COVID breaking out was certain nation-state actors going out and just hosing everything they possibly could to get shells for later. And that's a thing. Like, supply chain attacks, we learned in '22 that's a real thing. The internet is built on turtles, right? So this idea of being able to constantly protect and deter an attacker like that, and just assume that's going to be okay, "I'll go off and deal with the low-hanging fruit," I think that's an unstable assumption at this point in time.

Last one. So, security researchers in the room, quick show of hands? Anyone? All right. So as a security researcher, prior to doing a company and getting a cell phone, and now it's like the older I get the better I was, basically the experience of trying to get a vulnerability to an organization and having it go into a black hole is bad for security, it's bad for the community, it's intensely frustrating, and honestly industry can do better. Bugcrowd can help you do that, but you don't need our help. I think it's just something that everyone should do, and this is a soapbox I'll stand on for a long time, so I'll keep moving on. But this is where disclose.io comes in. It's basically an open source, free set of boilerplate templates to help your lawyers write a vulnerability disclosure policy that makes sense, that doesn't freak them out, that actually provides safe harbor for the hackers and for the recipient organization as well. So that's one that you can just jump in and use, by Bugcrowd; the links are on the bottom there as well.

So just real quick, because I'm getting wrapped up: what comes next? I'm just going to buzz through these. Threat actors will continue to blur together. You see that with cyber crime, nation states and stuff, with ransomware and the different things happening with sanctions; it's all kind of merging into one big blob of badness. So this idea of understanding the motivations of this threat actor, I think that's another unstable assumption, and an opportunity to innovate and to think about how to do defense. Because if you can't control who's going to rock up, how well can you control what they're able to do once they get there, right?

Chaotic threat actors will re-enter the chat and we'll be totally unprepared. Thank you Adrian for the conversation last night where this came up. Lapsus$ has taught us that, you know, the last time we dealt with a threat actor that we had no idea what their intent was, was LulzSec, and that was 2012. So in the meantime we've been thinking about this as a symmetric thing, where we can actually understand what the threat actor wants and we can behave appropriately. That's in the process of breaking right now.

Cyber security will continue to shift from capability-based towards being risk- and value-based. The business cares about what we do, they don't understand it, and it's actually our job to help them know that. I really appreciated the metrics talk before, because I think those sorts of things, that's the language of the business, and that actually helps us partner together to do a better job as a whole.

AI. Drink! Got it in there, there we go. AI will accelerate the defender's dilemma to the point where we'll actually need to reboot our view of the game. So the idea of that, that's that tug-of-war thing that I was talking about before: every time the bad guys get tools, or every time the good guys get tools, the bad guys adapt their tools to overcome what we're doing, right? AI has just dumped a whole bunch of tools and a whole bunch of capability on both sides, and the adversary is using it. They're paying attention, they're evolving, they're adapting, and there's, I think, a pretty unpredictable kind of growth path of how that's going to play out that we actually need to plan ahead for, because at some point in time it just gets too much, right? So that's an interesting one to think ahead of. And again, this is not doom and gloom. To me, I look at this stuff and I think opportunity. Like, if you're thinking about this as an innovator or as a disrupter, it's like, okay, how could I solve that problem? It seems stupid. You know, my idea of plugging hackers into banks in 2012 was ridiculous; going out and pitching it to most people, they're like, "are you on drugs? This doesn't make any sense at all." And there's similar kinds of opportunities that exist right now that you all could go and solve.

Policy will play a key role. A primary problem will continue to be reminding people to wash their hands after they use the restroom. I'm sorry, security is still boring sometimes as well. So some thoughts there.

So how's that idea coming along? Hopefully this has all been educational, inspiring, useful. Finishing off with a couple of things here: "Do not follow the path set by others; instead make your own path and leave a trail." One of my favorite quotes, I love this guy. I've already said all this stuff, so I won't go back over it, other than the last bit: go forth and be rad. And finally, this is Bugcrowd's patron saint. Those of you who might know the "Grace Hopper has a posse" t-shirt: she's just phenomenal. For anyone who actually doesn't know who this is, I encourage you to go look her up, because she was an innovator, she was a disrupter, she was a teacher, she was a woman in tech at a time where that was almost impossible, including being in the military and rising to the station that she did. She's just a true inspiration. So I will leave it there. Thank you. [Applause]