Before you high-five yourselves for setting up that bug bounty, you've got the staff in place to actually deal with security, right?

Katie Moussouris speaks out on modern-day flaw finding and infosec jobs

Disclosure Bug-bounty pioneer Katie Moussouris has urged companies to hire the necessary staff to handle vulnerability disclosures before diving headlong into handing out rewards.

Likening the process to digestion, the CEO of Luta Security said many companies launch bounty programs without the ability to properly process bug reports and use them to improve the security of their software beyond just patching over individual issues. As a result, developers end up receiving loads of reports for basic flaws, like denial-of-service or cross-site scripting errors, and paying out bounties, but don't ever fix the root causes of those errors.

"It is like going to an all you can eat buffet without a working digestive system," Moussouris told attendees of Okta's Disclosure infosec conference in San Francisco on Tuesday. "Really unpleasant. I do not recommend it."

Even penetration tests can be ineffective: customers may not have the in-house expertise to really understand the findings of a red-team and their recommendations. "When I was a professional pentester, certain clients were just checking a box," Moussouris told The Register after her conference talk. "When we came back a year later, I just needed to change the date on the report."

Requirements too high, talent pool too small

Part of the problem is the misconception that offering rewards for vulnerability discoveries, and opening your doors to bug-bounty hunters, is a silver bullet that will kill off all your security bugs. In too many cases, companies use the programs in place of hiring qualified staff who can root out flaws before code is pushed to production.

In reality, bounties should be just one item in a large shed of tools used by IT departments to defend their systems. It doesn't help that some organizations running bug bounties for clients tend to market them as must-have programs.

"It is hard when bug-bounty companies are venture-capital backed, marketing heavy, and all they want you to do is the one thing they sell," Moussouris said. "Bug bounties make more money the less secure you are."

Another issue is the way companies view the lowest levels of their security staffing. In what has become a running joke of sorts in the infosec community, jobs labeled as "entry level" often ask for years of experience and arbitrary certifications. This not only leaves businesses short-staffed, but excludes a potentially massive pool of smart folks retraining or wishing to retrain from other industries, particularly women and minorities – groups who feel the deck is already stacked against them.

"We can't fill all the security maintenance roles, the people who have to do the vulnerability management and bug fixing roles, with the number of professionals that exist today," she told us, adding that people who can't meet the ridiculous requirements for so-called entry-level jobs are an "untapped natural resource."

Here is where Moussouris – who back in the day launched Microsoft's first bug bounty scheme, and founded the Windows giant's vulnerability research program – sees an opportunity for everyone to benefit. Companies wanting to throw cash at a bug-bounty program could put their budgets to better use by instead hiring professionals for true entry-level security roles, checking for and fixing bugs in-house, and making sure they don't pop up again in new code.

Once the business has that structure in place, they will be ready to make full use of penetration testing reports and bug-bounty programs, she said.

Culture also plays a role

The infosec community needs to adjust its focus as well, according to Moussouris. In large part, the idea of the celebrity bug-hunter needs to give way to a more mature approach that emphasizes the defensive role of security rather than just finding ways to break things.

"It is about different labor types in security, and it is about changing this idea that all rock stars in security do is find holes," Moussouris mused. "As you mature and look for more meaningful work, the idea should be you can have a career that progresses not just in destruction, but also in prevention."

Then there is the matter of making routine security maintenance exciting again. Moussouris is tasking the security sector with glamming up things like software updates.

"We need to make it sexy to keep your servers up to date," she said, "but more important than that, we need to make it so it is not just patching all the time." ®
