The problem with bug bounties, white-hat hacking … and analysts!
By Benjamin Cher April 19, 2016
- Generally bug bounties are good, but they encourage a certain kind of behaviour
- Security industry still stuck, and you can blame analysts and vendors for that
TECH giants like Google and AT&T have bug bounty programmes, where they reward white hat hackers and researchers for finding vulnerabilities in their systems, but there is a danger in encouraging such behaviour, according to one expert.
While such programmes have the benefit of allowing companies to essentially crowdsource their vulnerability testing, Tenable Network Security’s Global Strategy vice president Matt Alderman has mixed feelings.
“Is it worthwhile to identify where these vulnerabilities are? In general, yes,” he says, speaking to Digital News Asia (DNA) in Singapore recently.
“We all know our software has bugs in it, but is it advantageous to pay people to find them? … Sure, if we want to protect our systems, it makes sense to identify them earlier instead of later, but as an industry I don’t think it makes sense to pay for them,” he adds.
This is because bug bounty programmes can create behaviours that run counter to what they actually hope to achieve, argues Alderman.
“I think it’s good that there are people researching it, but I don’t believe that there should be a market around encouraging such behaviour,” he says.
“Because … what if a hacker will pay you [the researcher or white-hat hacker] more for it, and keep it as a zero-day [vulnerability]?” he adds.
Blame the analysts
The conventional cybersecurity practices of the last 20 years are failing and people know it, according to Alderman. And there are three main groups that are to blame, starting with the analysts.
“What has the analyst community done? Analysts have created a bunch of standalone security markets and tried to measure the overall growth and impact of these markets.
“But what they have not done is address security as a whole – they always break it up to little markets,” he says, adding that they should instead advise people on what they need to do to address security as a whole.
Categorising security into standalone markets leads vendors to adopt the same fragmented thinking, which in turn leads them to sell point solutions, Alderman argues.
“The vendors use that to build a point solution for the market that the analysts have built, because they are chasing the money,” he says.
“The vendor community has been building point solutions to align to the point market that the analysts have been creating, and it is allowing us to continue to perpetuate all these point solutions that aren’t working together,” he adds.
Finally, there are the organisations which look to analyst reports to implement solutions and even decide on their budgets.
“Think about this – most companies still have an antivirus budget. We’ve known for years that antivirus is not effective, yet we still have a line item in our security budget for antivirus solutions because the analysts have an antivirus market,” says Alderman.
Companies should be building up the six core domains rather than relying on ‘defence-in-depth,’ he argues.
“We all know the current defence-in-depth model is not working – it creates gaps in our network defences, and that’s where attackers hide, that’s why they can sit on our networks for over 200 days to hang out, find data, and exfiltrate.
“But if we know that it doesn’t work, why do we continue to do it?
“There’s one reason – no-one has provided an alternative approach,” he adds.
In Tenable Network Security’s thinking, the six core domains are: Discovery, Assessment, Analytics, Contextualise, Respond, and Protect. All six are needed to secure today’s networks, according to the company.
“Whether it is one product or 10 products, it doesn’t matter – you need to build up a holistic security approach that addresses those six main domains,” says Alderman.
“That’s what we need to do as an industry, but we are not there yet. Certain companies talk about it, but there is a ton of vendors in the space that don’t care about the bigger problem and which are trying to capitalise on a single security market the analysts have created to drive revenue.
“And that’s what gets the security industry in so much trouble,” he adds.