

Casey Ellis
CTO and Founder
Bugcrowd
December 18, 2020
Governments around the world will continue to adopt vulnerability disclosure as a default.
Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you're faced with an army of adversaries, an army of allies makes a lot of sense.
Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence...

December 15, 2020
The Solarwinds incident also highlights the complexity of supply chains and the "no look" dependency on upstream security programs.
Well-funded, talented, motivated nation-states exist as a crowd of potential adversaries with diverse skill sets, a variety of motivations and goals, and incentive to get results. The "Mossad/Not-Mossad" threat model introduced by James Mickens suggests that while a sufficiently motivated and resourced adversary will ultimately always achieve their goals, an army of allies stands ready to help raise the bar, increase the cost of an attack, and route the adversary into places where they can be...

September 23, 2020
As cybersecurity leaders, we have an obligation to support the ethical hacker community as they defend the safety of the Internet.
By enacting The Defending the Integrity of Voting Systems Act, the U.S. government might seek to deter adversaries from meddling with the voting process, but instead the biggest impact they will have is chilling and potentially criminalizing the actions of good-faith hackers conducting security research to help secure the election process. If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers - who are ignoring these laws to begin with...

September 04, 2020
Congress originally passed the CFAA in response to growing threats from malicious actors.
Voatz’s corporate disclosure in the introduction of this brief is the exact reason why they should not qualify for Amicus Curiae, as it benefits them to uphold the Computer Fraud and Abuse Act (CFAA). Additionally, Voatz’s main argument to the researcher’s amicus brief fails to address the fact that the organizations that establish authorized access will not know about all possibilities for exploitation by an adversary.
To elaborate, if there’s a method of exploiting the system that...

August 24, 2020
I highly advise other industry leaders to consider the value of the ethical security researcher community.
Today's rather escalates the ethical considerations around how Uber responded to its 2016 breach into very real legal ones. What took place in 2016 was clearly extortion, not a bug bounty payment. In a bug bounty program, the terms of engagement - including payment - are set before any sort of hacking takes place. This alignment on all sides facilitates interactions between businesses and the researcher community for safe and effective security testing, and minimizes potential for...

August 12, 2020
Organizations across all industries can benefit from having a vulnerability disclosure program (VDP) in place.
This researcher’s discovery of Adit’s unsecured database and disclosure to the company is a textbook practice that ethical security researchers will do to help organizations proactively identify and close vulnerabilities before they can be exploited by bad actors. Unfortunately, Adit’s failure to respond to the researcher in the time allowed a bot to delete and possibly steal the critical information belonging to millions of patients that were in the database.
This highlights the overall...

July 23, 2020
Speed is the natural enemy of security in software development.
The iOS Security Research Device program is a step in the right direction for Apple, as they are a high-priority target for nation-state-backed attackers. By looping in more researchers to perform a greater volume of testing, Apple should achieve better security as a result.
To proactively identify and close vulnerabilities in their products before they can be exploited by bad actors, both before and after products are brought to market, organizations should take a page out of Apple’s...

July 15, 2020
The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of vulnerability.
This is the second major Java-based 0-day in the wild in as many weeks targeting widely deployed, Internet-facing critical software. The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of vulnerability. Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting. In the case of the SAP bug, the...

May 20, 2020
Whitehat hacking can be an advantageous way to mitigate exploits and improve organizations' cyber postures.
The 2020 Verizon Data Breach Investigations Report (DBIR) is a yearly staple for the security industry, and this year's report is no exception. According to the report, 43% of breaches were attacks on web applications, more than doubling the results from last year. Organizations need to understand the importance of knowing their infrastructure because web applications provide easy entry points for cybercriminals. Web applications are what we interact with as users, but it's more than that: The...

April 01, 2020
The FBI’s investigation into the 2018 Marriott Breach concluded that the attackers were working on behalf of the Chinese Ministry of State Security.
Like the OPM, Anthem, Dulles and the 2018 Marriott breach, this breach is just another in a long string of attacks targeting US officials. Think about it, officials from the NSA, CIA, FBI, DoD stay at Marriott hotels, including possibly diplomats, business people or intelligence officials as they travel around the globe. The FBI’s investigation into the 2018 Marriott Breach concluded that the attackers were working on behalf of the Chinese Ministry of State Security--alarm bells should be...
