Bug-bounty pioneer Katie Moussouris has urged companies to hire the necessary staff to handle vulnerability disclosures before diving headlong into handing out rewards.
Likening the process to digestion, the CEO of Luta Security said many companies launch bounty programs without the ability to properly process bug reports and use them to improve the security of their software beyond just patching over individual issues. As a result, developers end up receiving loads of reports for basic flaws, like denial-of-service or cross-site scripting errors, and paying out bounties, but don't ever fix the root causes of those errors.
"It is like going to an all-you-can-eat buffet without a working digestive system," Moussouris told attendees of Okta's Disclosure infosec conference in San Francisco on Tuesday. "Really unpleasant. I do not recommend it."
Even penetration tests can be ineffective: customers may not have the in-house expertise to really understand a red team's findings and recommendations. "When I was a professional pentester, certain clients were just checking a box," Moussouris told The Register after her conference talk. "When we came back a year later, I just needed to change the date on the report."
Requirements too high, talent pool too small
Part of the problem is the misconception that offering rewards for vulnerability discoveries, and opening your doors to bug-bounty hunters, is a silver bullet that will kill off all your security bugs. In too many cases, companies use the programs in place of hiring qualified staff who can root out flaws before code is pushed to production.
In reality, bounties should be just one tool among many that IT departments use to defend their systems. It doesn't help that some organizations running bug bounties for clients tend to market them as must-have programs.
"It is hard when bug-bounty companies are venture-capital backed, marketing heavy, and all they want you to do is the one thing they sell," Moussouris said. "Bug bounties make more money the less secure you are."
Another issue is the way companies view the lowest levels of their security staffing. In what has become a running joke of sorts in the infosec community, jobs labeled as "entry level" often ask for years of experience and arbitrary certifications. This not only leaves businesses short-staffed, but excludes a potentially massive pool of smart folks retraining or wishing to retrain from other industries, particularly women and minorities – groups who feel the deck is already stacked against them.
"We can't fill all the security maintenance roles, the people who have to do the vulnerability management and bug fixing roles, with the number of professionals that exist today," she told us, adding that people who can't meet the ridiculous requirements for so-called entry-level jobs are an "untapped natural resource."
Here is where Moussouris – who back in the day launched Microsoft's first bug bounty scheme, and founded the Windows giant's vulnerability research program – sees an opportunity for everyone to benefit. Companies wanting to throw cash at a bug-bounty program could put their budgets to better use by instead hiring professionals for true entry-level security roles, checking for and fixing bugs in-house, and making sure they don't pop up again in new code.
Once the business has that structure in place, they will be ready to make full use of penetration testing reports and bug-bounty programs, she said.
Culture also plays a role
The infosec community needs to adjust its focus as well, according to Moussouris. In large part, the idea of the celebrity bug-hunter needs to give way to a more mature approach that emphasizes the defensive role of security rather than just finding ways to break things.
"It is about different labor types in security, and it is about changing this idea that all rock stars in security do is find holes," Moussouris mused. "As you mature and look for more meaningful work, the idea should be you can have a career that progresses not just in destruction, but also in prevention."
Then there is the matter of making routine security maintenance exciting again. Moussouris is tasking the security sector with glamming up things like software updates.
"We need to make it sexy to keep your servers up to date," she said, "but more important than that, we need to make it so it is not just patching all the time." ®