
The Economics of Software Flaw Discoveries, Exploits

Casey Ellis of Bugcrowd on Understanding the Dynamics
Casey Ellis, founder and CTO, Bugcrowd

The economics of vulnerability discoveries and exploits is always evolving, and knowing those dynamics can provide insights into what attackers are doing, says Casey Ellis, founder and CTO of Bugcrowd, a platform for crowdsourced vulnerability reporting and bug bounties.


Researchers are finding more bugs than ever, including CVEs that drop attackers off at privileged points in networks, he says.

"Remote access software has definitely had its limits tested over the past 12 months -- people just basically expanding the usage of those types of systems and potentially deploying them when they haven't necessarily thought through security architecture," Ellis says.

The National Security Agency and the Cybersecurity and Infrastructure Security Agency have warned that nation-state actors are using "n-day" vulnerabilities - those for which patches have been issued - for scaled, persistent espionage, he points out.

Successfully using old vulnerabilities is advantageous for attackers, as "you're not exposing the potential for your more expensive exploit to get burned or detected," Ellis says. That's why it's so essential to keep patches up to date.

In this video interview, Ellis discusses:

  • Why there's a surge in software vulnerabilities;
  • Why build pipelines are attractive targets for supply chain compromises;
  • How the FBI hacked an iPhone 5 and recently cleaned up web shells from infected Microsoft Exchange servers.

Ellis is the founder, chairman and CTO of Bugcrowd. He was previously chief security officer for ScriptRock, now UpGuard, and director of White Label Security, which he founded.


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



