How Building a Better Hacker Accidentally Built a Better Defender presented at AppSecCalifornia 2015

by Casey Ellis

Summary: In the world of cybersecurity, there are two very important players. There are the builders: the folks who spend their time developing, writing source code for, and launching products. And there are the breakers: the folks who spend their time testing for, identifying, and fixing vulnerabilities in that code.
For the builder, development deadlines are constantly shifting, and security measures tend to be seen as a hindrance that slows down the development process. Developers, by the nature of their job descriptions, are responsible for building products that make money: without developers there are no products, and thus no revenue stream.
For the breaker/fixer, the challenge lies in getting the builders to take their concerns seriously. From the security team’s perspective, security efforts minimize risk; without security measures, the chances of security flaws and breaches increase.
The problem lies in the builders’ inability not only to speak the language of the breakers but also to accurately understand their motivations, which creates a chasm in the way security is managed and executed.
But the real developer problem is that builders don’t believe in “The Bogeyman.” And the real security problem is that the breakers/fixers don’t have the time or resources to spend convincing developers that “The Bogeyman” is real. The Bogeyman, in this case, represents the very real possibility that your company will be hacked. After all, the most security-aware a company will ever be is immediately after a breach.
In this presentation, Bugcrowd’s co-founder and CEO, Casey Ellis, will deep-dive into the hacker mentality, and how acknowledging the existence of The Bogeyman gets developers and security folks one step closer to implementing an effective security program. He’ll also discuss several security measures, outside the traditional penetration testing model, that can aid developers and security teams in leveling the playing field against potential threats.
The Bogeyman is real. But through acknowledgement, understanding and proactivity, you can be the hero in this cybersecurity story, not the victim.