“Governments could gain a lot from this bounty model – they only stand to gain from allowing the good guys to hack”. The concept, he admitted, is “controversial. But give it time.”
Grossman suggested that websites accepting ‘security research’ (also known as crowd-sourced vulnerability assessment or bug bounties) have “closed hundreds, if not thousands, of vulnerabilities, and protected hundreds of millions of users.”
Collectively, Google, Facebook, Mozilla and PayPal have paid out over five million dollars in bounty money “to those that discreetly hand over vulnerabilities, allowing them to fix them”, Grossman said.
Given that more code is being produced than can possibly be tested, that eight out of ten websites have serious vulnerabilities, and that there are 142.2 million undiscovered serious vulnerabilities on SSL websites alone (according to Grossman’s calculations: 1.8 million SSL websites × 79 vulnerabilities a year), the need for such an initiative has never been stronger.
The average number of serious vulnerabilities found on websites across vertical sectors shows that retail websites are the most insecure, followed by insurance. “If PCI works, I can’t see it in the numbers”, Grossman remarked.
The biggest application security challenge today, Grossman argued, is the huge shortage of qualified application security people. “We need builders, breakers and defenders”, he said. “We certainly have a hiring issue.”
Facts and figures presented by Jeremiah Grossman, Founder and CTO, WhiteHat Security, in his presentation at Hacker Halted.