Newsletter

09.07.2021 | 6'' read

The fake labor shortage in cyber

by Ryan Naraine

[ Advertisement: Last call for registrations for SecurityWeek’s CISO Forum 2021 — Sept 14-15, 2021. Prominent CISOs and security leaders will discuss topics ranging from ransomware, cyber-insurance, SBOMs and supply chain security, attack simulations, zero-trust, and post-pandemic attack surface expansion. Register here! ]


The most clicked link from the last newsletter issue was the blog post from researchers Thijs Alkemade and Daan Keuper on the Zoom zero-click RCE exploit used at Pwn2Own this year.

Note.

  • I’m quoted heavily in this VentureBeat piece on VCs and uncontrolled spending that’s actually making things worse in cybersecurity. It’s a solid piece by Sage Lazzaro with my unfiltered (and pessimistic) not-so-hot takes.
  • Security Conversations is offering paid internships to talented folks looking to work on podcast transcripts, audio + video editing, and social media shenanigans. Ideal for university students and newcomers looking to learn about cybersecurity. Under-represented folks to the front of the line. Ping me directly (naraine SHIFT 2 gmail.com) with your interest.

Monday blues.

In preparation for some hosting work I’m doing at this year’s CISO Forum, I spent parts of a quiet Labor Day weekend musing about the so-called skills shortage in cyber, the ongoing effects of ‘the great resignation’ (yes, it’s real), and whether the country’s wider good wages and workers rights shortage have now settled on cybersecurity’s doorstep. Oh, and the role of VCs in this big mess.

Just for grins, let’s use the bug-bounty sector as an example. The two main public platforms — HackerOne and BugCrowd — have raised a combined $189 million in venture capital funding. That, my friends, is a *lot* of money poured into two startups essentially creating a category on the fly. These are now well capitalized companies in so-called “growth-mode” with IPO or big-money acquisition ambitions.

The dark side of all this is worker rights and what appears to be abusive terms meted out to researchers on these public bug-bounty platforms.

Bill Demarkapi, an offensive security researcher at Zoom and a well-known hacker in the bug-bounty world (I interviewed him for OPCDE), provided examples of this abuse in a Twitter thread that makes my head spin. The self-righteous entitlement, the absence of logic, the immature tone from these vendors are so counter-productive and unnecessary.

Do yourself a favor, follow Katie Moussouris and pay attention to everything she says on this topic: “The problem is bug bounty platforms sell an illusion of control over a workforce they say doesn’t work for them as employees, yet they try to control their work & speech by threats to ban them…from submitting bugs to you through the platform. What does this do for your security?”

I argue that these stories out of the bug-bounty trenches mirror much of what’s happening in the rest of cyber. Security recruiters are looking for “rock-stars” that don’t really, leading to employers hiring junior coders and expecting senior-level engineering output.

The tide is starting to turn and now we’re hearing of a “skills shortage” that can only be solved via, you guessed it, more cybersecurity spending. And around and around we go.

Speaking of bug bounties, my pal Dennis Fisher’s opus on the birth and maturity of bug bounties is required reading for all cybersecurity practitioners. I’m serious, go read it all:

_ryan

On to the newsletter…

The big Confluence exploit story.

The big story bubbling to the surface this week is the after-effects of a Confluence vulnerability that prompted a weekend “patch-or-else” warning from the U.S. government. Here’s the latest:

 

Research things.

 

Nation-state apex predators.

 

Say what now?

 

A section on Apple.

 

Photo of the day.

Crossbeam CISO Chris Castaldo signs copies of his book Startup Secure. This was meant to be a part of an event at Black Hat/Defcon (sponsored by our friends at Uptycs and Armorblox) but due to COVID, we had to cancel.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.

|

This site uses cookies and may process personal data based on our Privacy Policy