Cyber security professionals are often male and white. So it was an interesting experience this week to interview a woman expert, Katie Moussouris, who is adept in vulnerability disclosures and a pioneer in bug bounty programmes.
She believes that bug bounties are good but should only be used as a way to discover the well-hidden vulnerabilities and exploits that in-house security experts cannot find.
A security vulnerability is an error in an IT system that can be exploited by an attacker to compromise the confidentiality or integrity of the system or to deny legitimate user access to a system.
To detect and report the vulnerabilities so that they can be fixed, organisations offer rewards to individuals to report such errors. These are called bug bounty.
Moussouris believed strongly that organisations should not use bug bounties as a lazy way to detect vulnerabilities, at least not before trying to find some of the loopholes themselves.
She was speaking to Techgoondu on the sidelines of the GSEC security conference, organised by Hack in the Box.
Bug bounty activities of some American tech companies which are offering US$1 million to discover remote exploitation vulnerabilities, she argued, have sent “the wrong signal to their own security teams because they employ engineers and testers to prevent such issues from happening”.
“Why would these professionals who aren’t paid as much, bother to work for any company? They may as well become freelance bug hunters and get the bounty,” she said.
“So to compete with the offense market, companies are in fact, ruining the future pipeline,” she added.
Describing this as perverse incentive, she pointed out the tech companies’ efforts will make it difficult for them to hire the next generation of security professionals to prevent the next generation of exploits.
But many governments, tech companies and organisations are offering bug bounties too. Are they useful?
“They are useful but not as a first step in security,” said Moussouris. “Due diligence is the first step: detect and ferret out the bugs, and eliminate them yourself. Bug bounties may come after that.”
Moussouris is a noted authority on vulnerability disclosure and bug bounties. She is a subject matter expert for the US National Body of the International Standards Organization (ISO) in vulnerability disclosure.
Her own startup, Luta Security, specialises in helping businesses and governments work with hackers to better defend themselves from digital attacks.
Security company Trend Micro pointed out in a report in February 2018 that vulnerability disclosures have been increasing. Citing research from research firm Frost and Sullivan, the report said that vulnerabilities disclosed by public vulnerability reporting agencies totalled 1,522 in 2017, an increase from the 1,262 in 2016.
Ultimately, Moussouris believed that organisations ought to develop special tools that can identify the vulnerabiliites and exploits that have security implications.
She noted: “There are bugs all over IT systems. The challenge is to find those bugs that are most likely dangerous, take them out so that the organisations make the most gains in defence.”
Organisations should also hunker down to software maintenance and patching. The Wannacry ransomware which caused widespread disruption two years ago is still affecting systems because despite repeated public warnings, many servers remain unpatched today.
“I’ve retired for 12 years but I’m still seeing the same bugs. Preventing vulnerability is like dental hygiene – it has to be regular, maintained and become a routine process,” said Moussouris.
