This is a topic that I have written about before, and in fact I plan to write an eBook about it in Q1 of next year. The topic is secure source coding and, more importantly, finding any weaknesses or gaps in the code and remediating them promptly.
Many people, myself included, advocate a modular approach, in which each module of the source code is thoroughly vetted for security issues before it is compiled and integrated.
After all, it makes more sense to catch problems module by module than to wait until the very end, when it is too late to fix them cheaply. However, many software developers are not familiar with security, and some, for lack of a better term, do not even care about it.
That is now catching up with them, as more and more headlines point out that developers need to be far more security-conscious in the software they build for their employers.
To help ensure that everything is in order before a project is delivered to the client, other initiatives have also taken hold, such as implementing a solid DevSecOps program, drawing on OWASP resources, and so on. But there is another approach that companies have used for quite some time to unearth gaps and weaknesses.
This is known as a Bug Bounty program. Here a company, typically once an application is live or about to launch, invites outside security researchers (ethical hackers) to attack it and report the most serious vulnerabilities they find. In return, the researcher submits a detailed report describing each vulnerability, its impact, and how to reproduce it; some programs also welcome a suggested fix, but the report itself is the primary deliverable.
These reports are then reviewed by the IT Security team, and if a report is validated and judged to be of high severity, the researcher is paid a bounty. For top findings this is not just a few hundred dollars; it can run well into five figures, such as $30,000 or $40,000.
This kind of program has been used most widely by tech companies with much deeper pockets, such as Microsoft, AWS, Oracle, IBM, Google, etc.
It is not really designed for SMBs, because of the size of the payouts involved. There are both advantages and disadvantages to running a Bug Bounty program. For example, it is yet another way for a company to get an outside pair of eyes on something, but you do not really know who is looking at it, because in a public program the researchers are usually not vetted.
Also, depending on how the program is scoped, you may be giving outsiders access to parts of your IT and network infrastructure, at least for a limited period of time.
On the flip side, Bug Bounty testing is one of the better ways to find flaws in external-facing web applications before an attacker exploits them as zero days. Whatever the situation, there is now talk in the cyber world that this model is starting to crack under its own weight.
While it may be exciting for the company to remediate something it completely overlooked, and for the hacker to get a great payout, keep in mind the other party that has to review the reports: the IT Security team.
Research has found that Bug Bounty programs work well within the first 18 to 24 months after launch, because of the influx of new cases. After that, the stream of submissions tends to become a mountain of paperwork to review, and this is part of what pushes IT Security teams even further behind, as if they did not already have enough to do.
Second, there has been a belief in larger organizations that simply relying on a Bug Bounty program will be enough to cure their cyber woes. This is a myth. For instance, it can take a while to discover new flaws, and even longer to have them reviewed and a remediation plan approved.
In the meantime, a newer version of the software package may be released without anyone knowing that bugs from the first version still need correcting.
Third, Bug Bounty hunters are also getting burned out by the process. Keep in mind that these researchers are not automatically paid for every submission. Only if a report is validated and accepted by the IT Security team does the researcher receive their hard-earned payout. It can take years of trial and error before an ethical hacker wins a first bounty.
My Thoughts On This:
I have a number of thoughts on Bug Bounty programs. First, I think they are a good idea. As mentioned, they are simply a great way to get an extra pair of eyes to find something that was overlooked.
But the way the programs are offered needs to change. For example, I honestly think the hackers should be vetted before they are allowed to participate. It is like engaging a third-party supplier: you would not hire just anybody off the street, would you?
Also, I think all of the ethical hackers who participate and submit a report should be paid, even if their particular report is not chosen. After all, they are putting in their own time and giving you something in return, and you need to reciprocate. Of course, this is not something you want to broadcast to the entire world, only to the people you have selected.
You could also add a further motivating factor: make a job offer to the winning hackers if you are impressed by them. They need not be direct hires; you can at least bring them on as contractors at first.
That way, you not only tap further into their knowledge and skill set, but also do your part to ease the tight job market for cyber talent.
Second, I view a Bug Bounty program as a nice resource for companies to have, but it should not be the primary tool for checking for vulnerabilities and weaknesses in source code. That work should be done internally, making use of DevSecOps.
Third, if you are going to run a Bug Bounty program, spell everything out, like a job description: what is in scope, what is out of scope, and how reports are judged and paid. And when work is submitted, pay those hackers on time!
Fourth, do not give everybody access to everything at your company. Remember and enforce the concept of Least Privilege.
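The third and fourth points above (spell out the scope, and deny everything that is not explicitly granted) are the part of a program that can actually be enforced in code. The following is an added example, not code from the original post or from any real program: a scope checker that a triage queue could run over incoming reports. The program scope, hostnames, IP range and report IDs are constructed for illustration.

```python
"""Scope check for bug bounty submissions: deny by default, an explicit allow
list, exclusions that always win over inclusions, and a stated reason for every
decision so triage can reject out-of-scope reports consistently.

Added example. The program scope, hostnames, IP range and report IDs below are
constructed for illustration and do not refer to any real program."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import ipaddress


@dataclass
class Scope:
    in_scope: list[str]                 # host patterns or CIDRs that may be tested
    out_of_scope: list[str]             # exclusions; checked first and always win
    allowed_schemes: set[str] = field(default_factory=lambda: {"http", "https"})


def _matches(host: str, pattern: str) -> bool:
    """Match one hostname (or IP literal) against one scope pattern.

    Patterns: exact host ("app.example.com"), subdomain wildcard
    ("*.api.example.com", which does NOT cover the bare "api.example.com"),
    or a CIDR ("203.0.113.0/24") that only matches IP-literal hosts."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if "/" in pattern:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:              # host is not an IP literal
            return False
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # keeps the leading dot, so "a.api.example.com" only
    return host == pattern


def check_target(target: str, scope: Scope) -> tuple[bool, str]:
    """Return (in_scope, reason) for a URL or bare host taken from a report."""
    parts = urlsplit(target if "://" in target else "https://" + target)
    host = parts.hostname or ""
    if not host:
        return False, "no host in target"
    if parts.scheme not in scope.allowed_schemes:
        return False, f"scheme {parts.scheme!r} is not permitted"
    for pattern in scope.out_of_scope:          # exclusions take precedence
        if _matches(host, pattern):
            return False, f"{host} excluded by {pattern!r}"
    for pattern in scope.in_scope:
        if _matches(host, pattern):
            return True, f"{host} allowed by {pattern!r}"
    return False, f"{host} not in scope (deny by default)"


# Constructed program scope (hypothetical names and addresses).
SCOPE = Scope(
    in_scope=["app.example.com", "*.api.example.com", "203.0.113.0/24"],
    out_of_scope=["legacy.api.example.com", "*.internal.api.example.com"],
)

# Constructed submissions, as a triage queue would hold them.
SUBMISSIONS = [
    {"id": "R-1", "target": "https://app.example.com/login"},
    {"id": "R-2", "target": "https://v2.api.example.com/users"},
    {"id": "R-3", "target": "https://legacy.api.example.com/"},
    {"id": "R-4", "target": "ftp://app.example.com/"},
    {"id": "R-5", "target": "http://203.0.113.45:8080/admin"},
    {"id": "R-6", "target": "https://mail.example.com/"},
    {"id": "R-7", "target": "https://db.internal.api.example.com/"},
]


def triage(submissions: list[dict], scope: Scope = SCOPE):
    """Split submissions into accepted and rejected lists of (id, reason)."""
    accepted, rejected = [], []
    for sub in submissions:
        ok, reason = check_target(sub["target"], scope)
        (accepted if ok else rejected).append((sub["id"], reason))
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = triage(SUBMISSIONS)
    for rid, reason in accepted:
        print(f"ACCEPT {rid}: {reason}")
    for rid, reason in rejected:
        print(f"REJECT {rid}: {reason}")
```

The order of the checks is the point: exclusions are evaluated before inclusions, so a host that sits under an in-scope wildcard but is explicitly excluded (R-7) is still rejected, and anything the scope document never mentions (R-6) is rejected with a reason that says so. The same deny-by-default rule is what least privilege means when applied to the accounts and network paths you hand to researchers.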