For decades, the independent White Hat community has helped make cyberspace more secure for the rest of us by finding security vulnerabilities in the software products we use every day. They have been called security researchers, ethical hackers and sometimes go by more unsavoury names. These individuals are motivated by curiosity, passion and a desire to fix security holes.
Bug bounties have been one of the most effective ways of harnessing this expertise. Such programmes recognise White Hat hackers who report security bugs with acknowledgement or monetary awards.
While this model is gaining traction in the U.S. and Europe, adoption is still weak in Asia. Most companies in the region tend to be more conservative and risk averse in comparison to companies in other regions, believing that an open invitation to “Hack Me” will lead to disastrous outcomes.
Yet the reality is that cyber criminals do not need an invitation. If you have something of value and you are participating in the global connected economy, you are always subject to a certain level of cyber risk. This is especially so if you are pushing hard on digital initiatives. Some security folks tell me that becoming engaged with the White Hat community would put them on the radar of malicious parties. But the contradiction is that the business wants its company and brands to be on the radar of consumers. That is the whole point of investing in digital innovations. Yet these innovations will be worthless if brand and corporate reputation suffer as a result of data breaches.
Other security colleagues have the fear that malicious hackers are hidden in the crowd. Seriously, we should be fearful of those that do not need to hide in the crowd to move forward with their nefarious agendas.
We can actually draw a parallel with the open source software movement. Both models rely on engaging the community, and adoption of each depends on how secure it is perceived to be.
Let’s talk about open source
Do we trust open source software? Apparently now more than ever.
According to the 9th Annual Future of Open Source Survey, 78% of companies use open source software and less than 3% do not use open source software in any way. Even governments and public sector agencies around the world have embraced the use of open source software as an alternative to commercial proprietary solutions.
For non-IT folks, open source software refers to software that is developed collaboratively by a decentralised community of thousands of volunteers.
But what about security? Open source advocates say that since the code is open and anyone can have access, vulnerabilities can be identified and fixed far faster than is the case with proprietary software. Others believe that since anyone can contribute, malicious or vulnerable code can just as easily be injected into the software.
On the flip side, we have software vendors who maintain that keeping the code closed is better for security, since bugs are not as easily discovered and subsequently exploited. This falls into the trap of “security through obscurity”, which is generally accepted as ineffective.
In either case, it is undeniable that more and more organisations have come to trust open source software and adoption has been steadily increasing over the past decade.
Today, open source software runs most of the Internet. When it comes to operating systems, Linux is the choice for 36% of Internet systems, compared to Windows’ 32%. The top Web server software deployed on the Internet is Apache and NGINX, with a combined market share of 82%. And did you know that more than 74 million websites use WordPress? In fact, open source runs the world. Google Android and Chrome, Firefox, Apple iOS, OS X and Safari are all based on open source projects.
More interestingly, all these open source software projects openly encourage the independent White Hat community to hack the software to help identify security bugs.
So here we have a situation where open source software is written by the community and “hacked” by the independent White Hat community, yet embraced by nearly 80% of enterprises and runs most of the Internet.
Is engaging the community helpful?
Today, most companies engage outsourced vendors for their security testing needs and commit to the cost with no guarantee of the results. Return on spend is highly dependent on the capabilities of the individuals performing the work. Companies can only rely on their best judgement when selecting the vendor and hope that the testing team is delivering on its professional obligations. Where does hope come into it? Well, a clean report can mean one of two things: either the company is secure, or the capabilities of the consultants are suspect. It is difficult to know which.
Since the independent White Hats are paid for each vulnerability they find, results are directly correlated to spend.
How successful are bug bounty programs today? Facebook has paid out close to US$4 million to the independent White Hat community since 2011. In 2015 alone, more than 500 security bugs were identified by the community. At the BlackHat USA 2015 conference, LinkedIn shared that 27% of the critical security bugs fixed in 2014 were identified through its bug bounty program. PayPal identified around 1,000 vulnerabilities in 2014 alone.
It is important to note that these companies are not security pushovers. Each has a robust and mature security programme, and the bug bounty program is run in addition to its existing vulnerability management programme.
While quite a number of U.S. tech companies have embraced the model, more traditional companies are also starting to get involved, including Western Union, General Motors, AT&T and United Airlines. Western Union started its program in March last year and has identified more than 130 bugs to date.
Can we really make bug bounty programs work?
In the world of open source software, solution providers and managed service providers have helped address the support and reliability issues, easing enterprises’ road to adoption.
We see a similar development for bug bounty programs. A handful of companies have emerged in the U.S. market over the last 2-3 years offering managed bug bounty services. These “managed service providers” help companies run their bug bounty programs by organizing the crowd of independent White Hats and managing the reporting, validation and award process.
A few have taken the model a step further and adopted a “solution provider” approach to address the trust issue. The independent White Hats are curated and authenticated for their capabilities and validated for their identity and background before being legally contracted to the platform. Through this process, the customer gets a much higher signal-to-noise ratio. Additional assurance may come in the form of activity monitoring to further detect anomalous behaviour.
Just as open source software is not for everyone, neither are such community engagement models. Cyber criminals are getting more creative by the day, and our cyber defenders can either stick to the 1980s mantra “No one ever got fired for buying IBM” or switch to “Innovate or die!”
Ultimately companies will have to judge the risk and rewards and choose to be “open” or “closed”.