At this week’s RSA conference there was an interesting report presented by Katie Moussouris, chief policy officer of HackerOne, a ‘bug bounty’ organisation. The research was carried out by herself and MIT scientist Michael Siegel.
Moussouris is a well-known face in security, having served as the Microsoft security officer who set up the company's bug bounty programme in 2013.
What these very clever people have discovered, which is directly in line with our thinking as presented at our HeartShock event earlier this year, is that, to quote Moussouris: “You cannot outbid the dark market, instead, you need to create more interesting incentives.”
In other words, no matter what vendors pay people to report zero-days, the bad guys will pay more if the zero-day can make them money, either directly or indirectly (through the sale of stolen credentials, for instance).
The report makes another very pertinent point: if vendors pay fortunes for zero-days, security researchers, who already have a short shelf life, might choose to work part time by the beach or pool rather than slaving away in the soulless, often windowless offices that the geeks get because they probably will neither notice nor care.
Faced with this somewhat gloomy projection, akin to antibiotics not working anymore, what should the software industry do?
Well, the tonic suggested is to invest in software testing tools, and in fact to go as far as offering bounties to people who develop vulnerability discovery tools. This is something that HackerOne has already initiated.
The suggestion is that with better tools, security researchers' careers would be longer and more productive, and that vendors' investment would go a lot further. Is this the dawn of ‘Software Defined Software Security’, we wonder? What could possibly go wrong?
Whilst this seems like a sensible approach for software in development, we worry terribly about all the old code out there (SSL libraries, for instance), and are fairly confident that we will still be required to add layers of process (patching), discovery and defence against nasty malware for some time to come.
If you want to read the research, which is very interesting and readable even if you don’t have a beard, you can find it here.
If you would like to know how ITC’s NetSure360° managed service platform, or indeed the tools we use within it can help discover Zero days lurking in your devices, which we can by the way, please contact us on: [email protected] or call 020 7517 3900.