Saturday, August 3, 2013

Why hire, just pay Bounty?

Let's go five years back. In 2007-08, the major news items in the information security industry were:

1. Estonia recovers from massive Denial of Service attack
2. Spear phishing attack at Office of the Secretary of Defense
3. United Nations website hacked
4. Trend Micro website hacked

Strange that even with top-in-class IT security infrastructure and talented security staff, premier organizations got hacked! Does it mean the infrastructure and/or the 'security' human resources are useless?

Let's come back to 2012-13.

Organizations like Facebook, Google, Microsoft, PayPal, eBay and many more are allowing hackers to hack their websites! Well, there's no trap: you find vulnerabilities, exploit them, give a proof of concept to the security teams of those organizations, and *that's it*.

So your next question might be: what's next? Why would a hacker give a PoC to Facebook? The answer is simple: to earn bug bounties! I hate numbers, but let me give you some statistics. As per one source, Facebook alone has paid 329 people across 51 countries a total bounty amount exceeding $1 million!

Check out this website, which gives a list of organizations that have a bug bounty program: https://bugcrowd.com/list-of-bug-bounty-programs/

Just imagine: Facebook pays a minimum of $500 for a valid bug, and there is no upper cap! The more severe the vulnerability, the richer you become!

I'm sure you might be thinking: what should I do to be a bounty hunter? Well, let me tell you, it's not difficult at all to find these bugs. The only thing you need is knowledge of how the internet works; it helps if you can play well with technologies like PHP, JavaScript, ASP.NET, Python, shell and so on (the list goes on). Another great asset is awareness of the OWASP Top 10 vulnerabilities. And last but not least: patience! You might find a bug in your college's website within minutes, but it may take months to find one in Facebook!

So my point is: even with kick-ass security professionals in your organization, why do you still have to pay bounties? Aren't they effective in securing your organization's website? Why not just fire them and pay only bug bounties?

Well, in my opinion it's hard to make 'Why hire, just pay Bounty' work: no one and no organization on this planet can claim to provide 100% security. Risk is uncertain and technology changes very often, so there is absolutely no option other than having dedicated security professionals to monitor, plan and act on your organization's perimeter security! Let's talk about Java, one of the most widely used technologies and platforms. Lately Java has been in the news every now and then because of vulnerabilities in the platform. So if Java version XX is vulnerable to a certain attack (known to the public) and your application is built on Java version XX, then your application is vulnerable! Then Java releases an update; if your IT/security team fails to apply it to your application, you'll possibly get royally hacked, even by a script kiddie.

I really like the concept of bug bounties; it's more or less similar to crowdsourcing, where you openly ask the general public to hack you! It may happen that you get tons of security bugs identified by kids that your security tester with 5+ years of experience easily missed. So you pay the hacker, who is termed a white hat hacker, and he spreads the word on social networks. A few more hackers read it and try hacking into your application, finding more bugs for you. In this way, even after going into production, your application gets tested by people every now and then. They contribute to your application, making it more secure than before, and in return they get paid for their efforts.

I would conclude by stating that our ecosystem is maturing day by day, and programs like bug bounties are helping organizations strengthen their fences not through their employees but through the intruders themselves!

NOTE: I'm strictly against differentiating hackers into white/black; they are just 'hackers'. If a so-called white hat hacker can't think like a black hat hacker (cracker), he'll never be able to help you protect yourself from black hat hackers (crackers).

Happy (bug) Hunting!