Bug Bounty Platforms

Advertorial

The Growing Popularity of Bug Bounty Platforms

After a spate of high-profile ransomware and malware infiltrated IT systems worldwide, Indian enterprises are now sitting up and adopting bug bounty programmes to protect their applications from hacking attacks.

The global security threat scenario has changed radically in recent times. If hackers of yore were mainly hobbyists testing the security limits of corporate systems as an intellectual challenge, the new threat comes from well-concerted plans hatched by criminal gangs working online with an eye to profit, or to compromise and damage information technology systems. The widespread hack attacks have also become possible because of the high degree of connectivity of devices, like smartphones, laptops and tablets, that run a variety of operating systems.

When consumer data gets compromised, it has an immediate impact on the brand and reputation of the affected company, as was evident when Verizon cut its purchase price for Yahoo by US$ 350 million after the online portal revealed that it had been repeatedly hacked. When the data of a company gets compromised, and this is followed by frequent attempts to conceal the fact after the incident, it can seriously impact whether customers will continue to deal with the company in any way. In the final analysis, customers are not willing to put their data at risk with a vendor who does not value and protect their personal information.

India has not been spared in this regard. Recent reports allege that customer data at telecom giant Reliance Jio was compromised, and previously this occurred at online restaurant guide Zomato.

Companies need to team up with the right kind of hackers. Organisations cannot on their own match the wiles of the thousands of very smart hackers; this battle cannot be fought with internal resources alone. Companies need to build a culture of information-sharing on security issues with government CERTs (computer emergency response teams), security companies and security researchers.

18  |  december 2017  |  OPEN SOURCE For You  |  www.OpenSourceForU.com

Countering malicious hackers needs a large number of ‘ethical hackers’, also known as ‘white hats’, who will probe your systems just as any hacker would, but responsibly report to you any vulnerabilities they find. Many of them do this work for recognition, so don’t hesitate to name the person who helped you. Do appreciate the fact that they are spending a lot of their time identifying the security holes in your systems.

This concept is not new. It has been tried by a number of Internet, information technology, automobile and core industry companies. Google, Facebook, Microsoft, ABN AMRO, Deutsche Telekom and the US Air Force are some of the many organisations that have set up their own reward programmes. It has helped these companies spot bugs in their systems that were not evident to their own in-house experts, because the more pairs of eyes checking your code, the better.

Some companies might hesitate to work with hobbyist researchers, since it is difficult to know, for example, whether they are encouraging criminal hackers or not. What if the hobbyists steal company data? Yet as more and more organisations go digital, startups now offer their services through Web or mobile applications, so their only assets are the software apps and customer data. Once a data breach happens, customer credentials get stolen or denial-of-service attacks occur, leading to huge losses in revenue, reputation and business continuity. By becoming part of a bug bounty platform, companies can create a security culture within their organisations.

Indian companies have a unique advantage if they decide to crowdsource the identification of security vulnerabilities in their IT infrastructure, since the country has one of the largest numbers of security researchers, who are part of the crowd that is willing to help organisations spot a bug before a criminal does.
The 2017 Bugcrowd report cited 11,663 researchers in India who worked on bug bounty programmes, behind only the US with about 14,244 white hat hackers. While most of them have jobs or identified themselves as students, 15 per cent of bug hunters were fully engaged in the activity, and this number is expected to increase, according to Bugcrowd. Although Indian hackers earned over US$ 1.8 million in bounties in 2016-17, the bounties paid by Indian companies added up to a paltry US$ 50, according to HackerOne, indicating that local firms are not taking advantage of the crowdsourcing option. Part of the reason is that Indian companies are still wary of having their security infrastructure, and any vulnerability in it, exposed to the public. This over-cautious approach could backfire in the long term, as it is always better to look for bugs cooperatively with responsible hackers in a controlled environment than to have the vulnerabilities eventually spotted and exploited by criminals.

Companies also take cover behind a smokescreen of denial when they are actually hit by cyber attacks, as Indian law does not make it mandatory to report security incidents to the CERT or any government agency. However, the regulatory framework is expected to change, with the Reserve Bank of India, for example, making it mandatory for banks to report cyber security incidents within two to six hours of the attacks being noticed.

Indian organisations also do not have a local platform for engaging with researchers, one that would define the financial, technical and legal boundaries for the interaction in compliance with local regulations. Such a platform would give these companies the confidence that they can engage safely with people who are not on their payroll, even if their main objective is to hack for bugs.

Bug bounty platforms like SafeHats are connecting enterprises with white hat hacker communities in India. Safehats.com, powered by Instasafe Technologies, is a leading Security as a Service provider. It offers a curated platform that helps organisations to create a responsible vulnerability disclosure policy that lays down the rules of engagement, empanels reputed researchers, and makes sure that the best and the safest white hat hackers get to your systems before the bad guys do. SafeHats has been working with some leading banking organisations and e-commerce players in securing their applications. Once vulnerabilities are discovered, SafeHats helps to fix them and to launch secure apps to the market. The key difference with this kind of platform is that organisations pay the security researchers only if a bug is found, and the amount paid is based on the severity of the bug.

A large number of Indian enterprises are in dire need of tightening up their security, as the compute infrastructures of an increasing number of organisations are being breached. On the other hand, we see an opportunity for Indian companies to leverage the large talent pool of white hat hackers from India. SafeHats in Bengaluru was born out of the need to bring Indian companies and hackers together in a safe environment.

More organisations are now aware of their security needs after the high-profile WannaCry and Petya ransomware attacks. Lots of growth-stage startups have shown interest in adopting bug bounty programmes as they have realised that application security is key to their next round of funding. Sandip Panda, CEO of Instasafe, says, “Security is now an important topic in every organisation’s board room discussions. Investment in security is as important as investment in the product itself. Bug bounty platforms will create an entirely new security culture in India.”

By: Shasanka Sahu
The author works at Instasafe Technologies Pvt Ltd.
