The Economics of Software Flaw Discoveries, Exploits
Casey Ellis of Bugcrowd on Understanding the Dynamics
The economics of vulnerability discoveries and exploits is always evolving, and knowing those dynamics can provide insights into what attackers are doing, says Casey Ellis, founder and CTO of Bugcrowd, a platform for crowdsourced vulnerability reporting and bug bounties.
Researchers are finding more bugs than ever, including CVEs that drop attackers off at privileged points in networks, he says.
"Remote access software has definitely had its limits tested over the past 12 months -- people just basically expanding the usage of those types of systems and potentially deploying them when they haven't necessarily thought through security architecture," Ellis says.
The National Security Agency and the Cybersecurity and Infrastructure Security Agency have warned that nation-state actors are using "n-day" vulnerabilities - those for which patches have been issued - for scaled, persistent espionage, he points out.
Successfully using old vulnerabilities is advantageous for attackers, as "you're not exposing the potential for your more expensive exploit to get burned or detected," Ellis says. That's why it's so essential to keep patches up to date.
In this video interview, Ellis discusses:
- Why there's a surge in software vulnerabilities;
- Why build pipelines are attractive targets for supply chain compromises;
- How the FBI hacked an iPhone 5 and recently cleaned up web shells from infected Microsoft Exchange servers.
Ellis is the founder, chairman and CTO of Bugcrowd. He was previously chief security officer for ScriptRock, now UpGuard, and director of White Label Security, which he founded.