Bugcrowd was founded at an inflection point in the history of the Internet and awareness of cybersecurity. A lot has changed since 2012 - to the cybersecurity industry, to the technology landscape, to the view of hackers as helpful and not just harmful, and - importantly - to the awareness of cybersecurity as "everyone's problem".
In 2023, we find ourselves at a similar inflection point for our space. This keynote unpacks the last 11 years as a predictor of what is next, and as an encouragement and roadmap for budding cybersecurity entrepreneurs and solutioneers.
40. Broke: A more “perfect” security solution is a better security solution
Woke: A better security solution makes secure easier, and insecure more obvious
41. Broke: VDP as an external virtue signal
Woke: VDP as a way to teach the business that “to err is human, to learn from error divine”
42. Broke: “Bug bounties are a vulnerability-swatting silver bullet”
Woke: “Bug bounties help more organizations internalize that the boogeyman is, in fact, a real thing”
43. Broke: Bug bounty payouts as a vanity metric
Woke: Required payout as a proxy metric for the cost of a successful attack
44. Broke: “The assurance we get from pentesting is sufficient”
Woke: “We need assurance AND impact to understand risk and create builder/breaker feedback loops”
45. Broke: “$NATIONSTATE wouldn’t bother with my stuff”
Woke: “How do I route, detect, contain, and eject a nation-state, assuming they are successful?”
47. disclose.io - Fixing the Internet’s Auto-Immune Problem
- Open Source Disclosure Policy Framework
- Safe Harbor logo recognition
- Public directory of adopters and search tools for hunters
- Legal standardization of vulnerability disclosure language
- Safe Harbor for good-faith hackers
- Rewarding proactive behavior on the company side
49. • Threat actors will continue to blur together.
• Chaotic threat actors will re-emerge and we will be totally unprepared.
• Wholesale access to AI/GAI/ML will accelerate the defender’s dilemma to the point where we’ll need to reboot our view of “the game”.
• The business will force cybersecurity to continue shifting from capability-based value towards risk-based value.
• Policy and regulation will play a key role in defining the future operating landscape.
• Basic hygiene is still hard - our primary problem will continue to be reminding people to “wash their hands after they use the restroom”.
51. https://bugcrowd.com/try-bugcrowd
In summary:
- hackers have a seat at almost any table now
- good things happen when you step out
- hackers kick ass at this stuff
- there’s urgency and a window of opportunity
…so go henceforth and be rad.
52. “a ship in port is safe… …but that’s not what ships are for”