Caroline Wong, CISSP and VP of Security Strategy at Cobalt, which “makes bug bounty programs and pen tests painless,” headed this engaging and fast-paced session at OWASP AppSec on crowdsourced security. It was her interest in diversity that led her to crowdsourced security, and in this session she went through the risks and benefits of using it.
She made it clear up front that she wasn’t here to tell the audience which option was better than another, but simply to provide information and evaluation criteria about the different options so that people could decide which was the best fit for their specific security needs.
What exactly is crowdsourcing? When Caroline took a Lyft from her Airbnb dressed in a new outfit from Betabrand to get to the conference, she made use of three examples of crowdsourcing. (Despite the fact, as she reminded us, that most of us were told by our parents not to get into a stranger’s car, this has become an increasingly common way of life!)
Obtain information or input into a task or project by enlisting the services of a large number of people, either paid or unpaid, typically via the Internet.
In order to fully explore this topic, Caroline started by taking a step back to show the audience how crowdsourced application security has seen three major developments (or waves) throughout history:
The People Wave (1990s) - The primary driver for this was the Mosaic browser, which launched in 1993 and resulted in an increase in personal computing and electronic commerce. Hackers came together to form nonprofits and conferences.
The Machine Wave (turn of the century) - The primary driver for this was commercial scanners that could automatically look for vulnerabilities in web applications. They were able to take over some of the manual testing previously done by humans.
The Crowdsourced Platforms Wave (today) - The primary driver for this was public bug bounty programs, in which organizations work with security researchers to leverage worldwide creative thinking via a crowdsourced platform.
What are our application security options today?
Security Consultants. If you want quality security testing, it’s going to require human creativity, so one option is to hire security consultants. These people provide testing and use both scanners and human thinking to predict how attackers might interact with software in unexpected ways.
Security Scanners. Scanners are programmed to automatically identify vulnerabilities and, unlike humans, will never miss what they are programmed to look for (though they find only what they are programmed to look for).
Crowdsourced Bug Bounty. In the 2000s, web pages became more complex, so new demand for human-powered manual testing arose – like bug bounties and pen tests. The first bug bounty was in 1995 when Netscape offered cash to anyone who could find any valid vulnerabilities in their browser, and today Google, Facebook (who paid out $5 million in 5 years) and PayPal all have bug bounty programs.
Crowdsourced Penetration Tests. Like bug bounties, pen tests are globally sourced and highly vetted, though they are more collaborative and less competitive than bug bounties.
What are the evaluation criteria?
The three major criteria for evaluation are scalability, coverage and ease of use.
Scalability. Critical for organizations that have double- or triple-digit numbers of applications in their software portfolio.
Coverage. It's necessary to mimic what a malicious actor will do – which is pretty much trying everything they can to reach their ultimate target, not just the paths a scanner knows about.
Ease of Use. This is where the rubber meets the road. What's the return on the investment? Can you get to the results you need? Are they actionable?
The bottom line, Caroline reminded the audience, is that fixing technical issues needs people – human creativity, human customization, human filtering of results – whichever method you use.
About Selena Templeton
Selena Templeton is the Column Editor for the Equal Respect column on ITSPmagazine.