
The Economics of Software Flaw Discoveries, Exploits

Casey Ellis of Bugcrowd on Understanding the Dynamics
Casey Ellis, founder and CTO, Bugcrowd

The economics of vulnerability discoveries and exploits is always evolving, and knowing those dynamics can provide insights into what attackers are doing, says Casey Ellis, founder and CTO of Bugcrowd, a platform for crowdsourced vulnerability reporting and bug bounties.

Researchers are finding more bugs than ever, he says, including CVEs that give attackers a foothold at privileged points in networks.

"Remote access software has definitely had its limits tested over the past 12 months -- people just basically expanding the usage of those types of systems and potentially deploying them when they haven't necessarily thought through security architecture," Ellis says.

The National Security Agency and the Cybersecurity and Infrastructure Security Agency have warned that nation-state actors are using "n-day" vulnerabilities - those for which patches have been issued - for scaled, persistent espionage, he points out.

Successfully using old vulnerabilities is advantageous for attackers, as "you're not exposing the potential for your more expensive exploit to get burned or detected," Ellis says. That's why it's so essential to keep patches up to date.

In this video interview, Ellis discusses:

  • Why there's a surge in software vulnerabilities;
  • Why build pipelines are attractive targets for supply chain compromises;
  • How the FBI hacked an iPhone 5C and recently removed web shells from compromised Microsoft Exchange servers.

Ellis is the founder, chairman and CTO of Bugcrowd. He was previously chief security officer for ScriptRock, now UpGuard, and director of White Label Security, which he founded.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.