For decades, the independent White Hat community have helped make cyberspace more secure for the rest of us by finding security vulnerabilities in the software products we use every day. They have been called security researchers, ethical hackers and sometimes go by more unsavoury names. These individuals are motivated by curiosity, passion and a desire to fix security holes.
Bug bounties have been one of the most effective ways of harnessing this expertise. Such programmes recognise White Hat hackers that report security bugs with acknowledgement or monetary awards.
While this model is gaining traction in the U.S. and Europe, adoption is still weak in Asia. Most companies in the region tend to be more conservative and risk averse in comparison to companies in other regions, believing that an open invitation to “Hack Me” will lead to disastrous outcomes.
Yet the reality is that cyber criminals do not need an invitation. If you have something of value and you are participating in the global connected economy, you are always subjected to a certain level of cyber risk. This is especially so if you are pushing hard on digital initiatives. Some security folks tell me that becoming engaged with the White Hat community would put them on the radar of malicious parties. But the contradiction is that the business want their company and brands to be on the radar of consumers. That is the whole point of investing in digital innovations. But these innovations will be worthless if brand and corporate reputation suffers as a result of data breaches.
Other security colleagues have the fear that malicious hackers are hidden in the crowd. Seriously, we should be fearful of those that do not need to hide in the crowd to move forward with their nefarious agendas.
We can actually draw a parallel with the open source software movement. Both models rely on engaging the community and adoption is dependent on the security perception.
Let’s talk about open source
Do we trust open source software? Apparently now more than ever.
According to the 9th Annual Future of Open Source Survey, 78% of companies use open source software and less than 3% do not use open source software in any way. Even governments and public sector agencies around the world have embraced the use of open source software as an alternative to commercial proprietary solutions.
For those non-IT folks, open source software refers software which is developed collaboratively by a decentralised community of thousands of volunteers.
But what about security? Open source advocates say that since the code is open and anyone can have access, vulnerabilities can be identified and fixed far faster than is the case with proprietary software. Others believe that since anyone can contribute, malicious or vulnerable code can also just as easily be injected into the software
On the flip side, we have software vendors who maintain that keeping the code closed is better for security since bugs are not as easily discovered and subsequently exploited. This then falls into the trap of “security through obscurity”- generally accepted as ineffective.
In either case, it is undeniable that more and more organisations have come to trust open source software and adoption has been steadily increasing over the past decade.
Today, open source software runs most of the Internet. When it comes to operating systems, Linux is the choice of 36% for Internet systems when compared to Windows’ 32%. While the top Web server software deployed on the Internet is Apache and NGINX, with a combined market share of 82%. And did you know that more than 74 million websites use WordPress. In fact, open source runs the world. Google Android and Chrome, Firefox, Apple iOS, OS X and Safari are all based on open source projects.
More interestingly, all these open source software projects openly encourage the independent White Hat community to hack the software to help identify security bugs.
So here we have a situation where open source software is written by the community and “hacked” by the independent White Hat community, yet embraced by nearly 80% of enterprises and runs most of the Internet.