This is a topic that I have written about before, and in
fact, I plan to be writing an eBook about it in Q1 of next year. This is the issue of secure source coding, but
more importantly, finding any weaknesses or gaps, and immediately remediating
them.
Many people like myself have fully advocated for using a
modular based approach, in which each module of the source code that is being
compiled is thoroughly vetted for any issues.
After all, it makes sense to do it this way, right, rather
than waiting till the very end, when really, it is just too late? However, to many software developers, security
is not something they are familiar with, or really for lack of a better term,
even care about.
But that is now catching up with them, as there are more and
more headlines coming out as to how software developers need to be much more
cognizant in this realm of their employer.
In an effort to help ensure that all is good before the project
is delivered to the client, other initiatives have also taken place such as
implementing a rock solid DevSecOps program, making more use of the OWASP initiative,
etc. But yet, there is another area in which
companies have been using for quite some time in order to unearth the gaps and weaknesses.
This is known as the Bug Bounty program. This is where a company, before they are just
about to launch a new software application into the world, hire a bunch of both
ethical and even unethical hackers to totally rip it apart, and report on the
most serious vulnerabilities that were discovered. In return, the hacker is also supposed to
provide a fix or fixes to the situation, and submit that back to the company in
the way of a detailed report.
These are then completely reviewed by the IT Security team,
and if a report is found that is deemed to be totally astonishing, the hacker
is then paid a nice some of money. We are
not just talking about a few hundred dollars, we are talking about well into the
five figures, like $30,000 or $40,000.
This kind of program has been more widely used with those
tech companies that have much deeper pockets like Microsoft, AWS, Oracle, IBM,
Google, etc.
Obviously, it is not meant designed at all for the SMBs, because
of the high amount of payouts that have to be made. There are both advantages and disadvantages
to using a Bug Bounty program. For example, this is yet another way for a
company to get an outside pair of eyes to look at something, but you really don’t
know who is looking at it, because hackers are usually not vetted.
Also, you are giving an individual access to your IT and
Network infrastructure, for a brief period of time.
But on the flip side, Bug Bounty testing is one of the best
ways in which you can avoid Zero Day Attacks to external facing web
applications. But whatever the situation is, there is now talk in the Cyber world
that this program is now starting to crack under its own weight.
While it may be exciting for the company to remediate
something that they completely overlooked and for the hacker to get a great pay
out, keep in mind the other party that has to review them: The It Security team.
Research has found that Bug Bounty programs work great
within the first 18 or 24 months since they are first launched, because of the new
influx of cases that are being received.
But after that, it tends to become a mountain load of paperwork to be
reviewed, and this in part is what causes IT Security teams to fall even
further behind, as if they don’t have enough to do.
Second, there has been a belief in the larger organizations
that simply relying upon Bug Bounty programs will be enough to cure them of
their Cyber woes. But this is all
myth. For instance, it can take a while
to discover new flaws, but it can take even longer to have them reviewed and
their remediative plan of action to be approved as well.
From then until here, a newer version of the software package could have
been released without knowing there have been bugs from the first version that
still need correcting.
Third, Bug Bounty hunters are also getting burned out of the
process as well. It is important to keep
in mind here that these hackers are not automatically paid for all of their submissions.
Only if it has been selected by the IT Security team, will the hacker get their
hard-earned payout. So it could be years
of trial and error until an ethical hacker can win their first bounty.
My Thoughts On This:
I have some numerous thoughts on the Bug Bounty program. First, I think it is a good idea. As mentioned,
it is simply a great way to get an extra pairs of eyes to try to find something
that was overlooked.
But the way in which the programs are offered needs to be changed. For example, I honestly think that the hackers
need to be vetted first before they are allowed to participate. It’s like getting a third-party supplier
involved. You wouldn’t hire anybody just
off the street, would you?
Also, I think all of the ethical hackers that participate and
submit a report should get paid, even though if their particular report was not
chosen. After all, they are putting in their
own time, and are giving you something in return. You also need to reciprocate in turn, as
well. But of course, this is not
something that you want to broadcast to the entire world, only to those people
you have selected.
Perhaps also, you can even add a more motivating
factor. You could perhaps even make a
job offer to the winning hackers, if you are so impressed by them. They may not have to be direct hires, but you
can at least get them to be contractors in the beginning.
That way, you can not only tap further into their direct
knowledge and skill set, but this can also be your way of trying to tighten up
the job market for Cyber.
Second, I view having Bug Bounty programs pretty much as a nice
resource to have for companies, but it should not be the primary tools used to
check for vulnerabilities and weaknesses in the source code. This should all be done internally, making use
of DevSecOps.
Third, if you are going to have a Bug Bounty program, make
sure you spell everything out, like a job description. And when work is
submitted, pay those hackers on time!!!
Fourth, don’t give everybody access to everything at your company. Remember and enforce the concept of Least
Privilege.
No comments:
Post a Comment