The security researcher community at Bugcrowd is quite diverse with backgrounds and experience of all shapes and sizes. This week’s researcher spotlight is on Casey Dunham, a security professional with a computer science background and experience as a software developer. In our interview below, you will see how Casey’s background informs his approach to security testing and enables his success.
Casey is one of our top performing researchers and we’re excited to have him in the Bugcrowd community. You can find him on Twitter at @CaseyDunham. Read below to learn how Casey approaches bug bounties, some tips for other researchers, and where he sees the bug bounty market going.
Casey Dunham is a Security Consultant with GuidePoint Security where he focuses on pentesting web applications. Casey has a B.S. in Computer Science and in his spare time he enjoys Open Source Intelligence research and working on his reverse engineering skills.
Q: How did you get started in security research?
I grew up hacking and breaking things. When I started working as a software developer while in college, I began focusing more of my time on finding bugs in the software that we produced. Having spent a summer doing QA work at the start of my professional career gave me insight into common issues in software development, such as how certain bugs manifest in a certain framework, or how the lack of certain development practices will lead to certain classes of bugs.
I also learned a more methodical testing strategy which still helps me today, such as my overall approach to testing, the method in which I test for certain flaws, and how I compartmentalize my testing. All throughout my time as a developer, I've tried to find flaws in the applications that I worked on and fix them. However, it was only a few years ago that I decided to leave software development and do security full time.
Q: How long have you been doing bug bounty work?
I've been doing bug bounty work off and on, sporadically, as my personal time allows, for about three years.
Q: Do you have a specific focus or specialty that you tend to spend your time on?
Recently, most of my focus has been on web applications. As far as a specific focus within web applications, I try not to focus too much on one class of vulnerability.
I would be careful not to fall into the trap of only looking for what you are most familiar with. For example, if you are really good at finding Cross Site Scripting, you may get caught up in only looking for XSS and miss other issues. To be successful you need to understand all of the common issues that can arise in modern applications.
Being familiar with the technology also helps a lot, for example, building a few applications using different technology stacks can teach you a lot about how to exploit applications built with those libraries and frameworks.
Lately, I’ve been trying to get into more mobile testing and getting back into
Q: What motivates you to do what you do? What keeps you going?
I like subverting technology and making it do things it wasn’t intended to do.
There is a certain rush in being able to bypass a syntax filter after spending hours (or days) trying, or when you manage to find that one Blind SQL Injection after not finding anything for a while.
There’s a certain satisfaction there that not everyone understands.
Q: Any tips or suggestions that you would give to other bounty hunters?
Persistence. Patience. Preparation.
Persistence. Some of my findings came near the end of testing, when I thought I wasn't going to find anything, and then there it was. Keeping at it is key to finding anything non-trivial.
Patience. It can take time to really learn the application, and the better you understand how the application works, and how a normal user is intended to use the application, the more you start to get a feel for where the more interesting things are.
Preparation. Practice using your tools beforehand. Understand how to use them, some of the common issues that you will encounter, and how to work around those issues. Bug bounties are an incredible opportunity to test real world applications, so go in and use your time to make the best of it.
Q: What do you think of the future of bug bounties?
I think they are going to be an increasingly important aspect of our industry, and we will see larger growth and more competition, which will lead to higher payouts for researchers. At the same time, the issues will become more complex and time consuming to find.
Q: Where do you see them going, where would you like to see them go?
In most companies, internal security teams are just not going to be able to scale when it comes to the security testing of their applications. The tooling is not there (and never will be) to automate this type of exploratory testing, and since a good deal of what we offer is also finding flaws in business logic, bug bounty programs are a great addition to any security program.