Only a hacker can think like a hacker. So, when it comes to becoming “hacker-proof,” you might need to turn to a hacker.
Application security has always been a hot topic that has only gotten hotter with time.
Even with a horde of defensive tools and practice at our disposal (firewalls, SSL, asymmetric cryptography, etc.), no web-based application can claim that it’s secure beyond the reach of hackers.
Why is that?
The simple reason is that building software remains a very complex and brittle process. There still bugs (known and unknown) inside the foundation developers use, and new ones are being created with the launch of new software and libraries. Even the top-tier tech companies are ready for occasional embarrassment, and a good reason.
Now hiring . . . Hackers!
Given that bugs and vulnerabilities will probably never leave the software realm, where does it leave the businesses dependent on this software for their survival? How can, for instance, a new wallet app, be sure that it’ll stand up against the nasty tries of hackers?
Yes, you’ve guessed it by now: by hiring hackers to come and take a crack on this newly minted app! And why would they? Just because there’s a big enough bounty on offer — the bug bounty! 🙂
If the word “bounty” brings back memories of the Wild West and bullets being fired without abandon, that’s exactly what the idea here is. You somehow get the most elite and knowledgeable hackers (security experts) to sound out your app, and if they find something, they get rewarded.
There are two ways to go about it: 1) hosting a bug bounty on your own; 2) using a bug bounty platform.
Bug Bounty: Self-hosted vs. platforms
Why would you go to the trouble of selecting (and paying) a bug bounty platform when you can simply host it on your own. I mean, just create a page with the relevant details and make some noise on social media. It obviously cannot fail, right?
Well, that’s a neat idea right there, but look at it from the perspective of the hacker. Jostling for bugs is no easy task, as it requires several years of training, virtually limitless knowledge of things old and new, tons of determination, and more creativity than most “visual designers” have (sorry, couldn’t resist that one! :-P).
The hacker doesn’t know who you are or is not sure that you’ll pay. Or maybe, is not motivated. Self-hosted bounties work for juggernauts like Google, Apple, Facebook, etc., whose names people can put on their portfolio with pride. “Found a critical login vulnerability in the HRMS app developed by XYZ Tech Systems” doesn’t sound impressive, now, does it (with due apologies to any company out there that might resemble this name!)?
Then there are other practical (and overwhelming reasons) for not going solo when it comes to bug bounties.
Lack of infrastructure
The “hackers” we’ve been talking about are not the ones that stalk the Dark Web.
Those have no time or patience for our “civilized” world. Instead, we’re talking here about researchers from a computer science background who are either at a university or have been a bounty hunter for a long time. These folks want and submit information in a specific format, which is a pain in itself to get used to.
Even your best developers will struggle to keep up, and the opportunity cost might turn out to be too high.
Finally, there’s the issue of proof. Software might be built on fully deterministic rules, but exactly when is a particular requirement met is up for debate. Let’s take an example to understand this better.
Suppose you created a bug bounty for authentication and authorization errors. That is, you claim that your system is free from the risks of impersonation, which the hackers have to subvert.
Now, the hacker has found a weakness based on how a particular browser works, which allows them to steal a user’s session token and impersonate them.
Is that a valid finding?
From the perspective of the hacker, definitely, as a breach is a breach. From your perspective, maybe not, because either you think that this falls in the domain of user’s responsibility, or that browser is simply not a concern for your target market.
If all this drama were happening on a bug bounty platform, there’d be capable arbiters to decide the impact of the discovery and close out the issue.
With that said, let’s look at some of the popular bug bounty platforms out there.
Among the bug bounty programs, Hackerone is the leader when it comes to accessing hackers, creating your bounty programs, spreading the word, and assessing the contributions.
There are two ways you can use Hackerone: use the platform to collect vulnerability reports and work them out yourself or let the experts at Hackerone do the hard work (triaging). Triaging simply is the process of compiling vulnerability reports, verifying them, and communicating with hackers.
Hackerone is used by big names like Google Play, PayPal, GitHub, Starbucks, and the like, so of course, it’s for those who with severe bugs and serious pockets. 😉
Bugcrowd offers several solutions for security assessments, one of them being Bug Bounty. It provides a SaaS solution that integrates easily into your existing software lifecycle and makes it a snap to run a successful bug bounty program.
You can choose to have a private bug bounty program that involves a select few hackers or a public one that crowdsources to thousands.
If you’re an enterprise and don’t feel comfortable making your bug bounty program public — and at the same time need more attention than can be offered by a typical bug bounty platform — SafeHats is your safest bet (terrible pun, huh?).
Dedicated security advisor, in-depth hacker profiles, invite-only participation — it’s all provided depending on your needs and maturity of your security model.
Intigriti is a comprehensive bug bounty platform that connects you with white hat hackers, whether you want to run a private program or a public one.
For hackers, there’s plenty of bounties to grab. Depending on the company’s size and industry, bug hunts ranging from €1,000 to €20,000 are available.
Synack seems to be one of those market exceptions that break the mold and end up doing something massive. Their security program Hack the Pentagon was the major highlight, leading to the discovery of several critical vulnerabilities.
So if you’re looking for not just bug discovery but also security guidance and training at the top level, Synack is the way to go.
Just as you stay away from healers that proclaim “miracle cures,” please stay away from any website or service that says bulletproof security is possible. All we can do is move one step closer towards the ideal. As such, bug bounty programs should not be expected to produce zero-bug applications but should be seen as an essential strategy in weeding out the really nasty ones.
Check out this bug bounty hunting course if looking to learn and gain hall of fame, rewards, appreciation.
I hope you squash many of ’em bugs! 🙂