Bug bounties, vulnerability disclosure, PTaaS, fractional pentesting – Grant McCracken – ASW #306
Full Audio
View Show IndexSegments
1. Bug bounties, vulnerability disclosure, PTaaS, fractional pentesting – Grant McCracken – ASW #306
After spending a decade working for appsec vendors, Grant McKracken wanted to give something back. He saw a gap in the market for free or low-cost services for smaller organizations that have real appsec needs, but not a lot of means to pay for it. He founded DarkHorse, who offers VDPs and bug bounties to organizations of all sizes for free, or for as low of cost as possible.
While not a non-profit, the company's goal is to make these services as cheap as possible to increase accessibility for smaller or more budget-constrained organizations. The company has also introduced the concept of "fractional pentesting", access to cyber talent when and how you need it, based on what you can afford. This implies services beyond just offensive security, something we'll dive deeper into in the interview.
We don't see DarkHorse ever competing with the larger Bug Bounty platforms, but rather providing services to the organizations too small for the larger platforms to sell to.
Guest
Grant is the founder of DarkHorse Security, an organization whose mission is to make proactive security accessible and affordable for organizations of all sizes and budgets. DarkHorse believes that all organizations should have access to affordable proactive cybersecurity solutions, and achieves this by prioritizing access for organizations over maximizing profit.
Prior to starting DarkHorse, Grant was at Bugcrowd for nearly a decade, serving most recently as the VP of Operations. He pioneered and built Bugcrowd’s PTaaS product line, and oversaw service delivery across all product lines, including bug bounty and vulnerability disclosure. Grant has his OSCP, has spoken at various conferences, including Appsec EU, and Appsec USA, and likes trail running, hiking, writing, and making / playing music in his free time.
Hosts
2. Total Recall? LLM finds bug in SQLite, C++ safety failures, zero time for zero privs – ASW #306
Microsoft delays Recall AGAIN, Project Zero uses an LLM to find a bugger underflow in SQLite, the scourge of infostealer malware, zero standing privileges is easy if you have unlimited time (but no one does), reverse engineering Nintendo's Alarmo and RedBox's... boxes.
Bonus: the book series mentioned in this episode The Lost Fleet by Jack Campbell.
Hosts
- 1. EmeraldWhale’s Massive Git Breach Highlights Config Gaps
- 2. Cybersecurity Job Market Stagnates, Dissatisfaction Abounds
- 3. Cultivating a successful engineering culture with Platform Engineering
- 4. Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland
- 5. Inside the Massive Crime Industry That is Hacking Billion Dollar Companies
Infostealers are a HUGE problem, and they're partially targeting devs and engineers. Initially, they were designed to steal cryptocurrency and crypto wallet keys, but a nice bonus for them was realizing they were scooping up AWS API keys, Slack keys, and other creds that ransomware crews will pay top dollar for to get into enterprises.
- 6. Microsoft delays Windows Recall again, now by December
Coming from our infostealer story, Microsoft Recall looks like a HUGE potential opportunity for this malware category. It will be interesting to see how they eventually decide to roll it out. I'll be shocked if it's opt-out instead of opt-in.
- 7. Looking into the Nintendo Alarmo
Writeups reverse engineering and jailbreaking the latest shiny gadget always make me smile. This is a great one, detailing the discovery process and linking to resources and code you can use to learn how to do this kind of reverse engineering work yourself!
- 8. Zero Standing Privileges: The Essentials
The approach suggested here is fantastic, until it makes contact with the real world. One of the things that bugs me about these types of writeups from vendors is that what they're proposing is a potential nightmare at scale. I really need microsegmentation and zero trust vendors to spend more time explaining how they tackle the scale problem.
We can't add 600% time and budget to every project to perfectly configure application/identity/data access controls and privileges. Can AI do it? Maybe. Hopefully. We'll see.
- 1. Project Zero finds buffer underflow vuln in SQLite via LLM
This is a space we've been interested in this year - how can we leverage these LLM things to make our software more secure? Google's Project Zero is now teaming up with Google's DeepMind to venture further into this space with an AI agent named Big Sleep. It's first vulnerability was found recently, a buffer underflow in the SQLite database.
One interesting point they mention is that they're trying to build tools that will find vulnerabilities that fuzzing can't. For a while we thought of fuzzing as the best way to find a lot of vulnerabilites, but over time we're seeing fuzzing can be expensive, noisy, and not always fruitful.
- 2. Why Safety Profiles Failed
I've been following this drive to get C++ memory-safe for a few months now. In the last few weeks, a proposal has been out for "safe C++" - an alternative to Bjarne Stroustrup's proposal of C++ "profiles." Last week one of the authors of the Safe C++ proposal took a shot at Stroustrup's ideas with a post discussing why safety profiles have "failed."