Pavol Luptak
CEO of Nethemba - Slovak IT security company founded in 2007, primarily focused on web application security and various penetration tests.
Hacktrophy - the rise of crowdsourced security
Traditional & crowdsourced approach
Bug bounty programs in details
Objections
Commercial bug bounty programs
Traditional & crowdsourced approach
Bug bounty programs in details
Objections
Commercial bug bounty programs
Victims of Hackers' attacks
Victims of hacker's attacks
(Czech Republic & Slovakia)
| Customer | Vulnerability | Damage | Fix time |
|---|---|---|---|
| Czech Construction Company | Vulnerable contact form allowing to send malware including ransomware | Direct 4000 EUR + indirect costs (loss of reputation) | 5 days |
| Czech e-shop | Dump of the whole database using SQL injection | Direct 10000 EUR + indirect costs (loss of reputation) | 14 days |
| Slovak IT company | Weak password to the admin interface leading to compromise VPN & access to the internal network | Direct 250000 EUR | 6 months |
| Slovak e-shop | The application vulnerability allowing to send spams to their customers | Indirect costs (loss of reputation) | 3 days |
Threats vs typical attacks
| Threats | Typical attacks |
|---|---|
| Insiders (disgruntled employee) | Leakage, Backdooring, Espionage |
| Ransomware (Malware) | Forced disk encryption with unknown passphrase |
| Automated botnets | Simple infrastructure scans, simple WebAppSec attacks, DDoS attacks |
| Cyber Crime Syndicates, Rented blackhat hackers | Complex & Sophisticated WebAppsec attacks + infrastructure attacks, installing malware |
| Social Engineers | Pretexting, Phishing, Vishing, Baiting, Piggybacking, Typosquatting... |
| Hacktivists, political hackers | Web defacing, DDoS attacks |
Traditional approach
-
customer chooses one specific company for penetration testing that means:
-
a limited number of ethical hackers is used for the given testing
-
a limited amount of time is used for the given testing
-
a limited competition of the given company in the given region leading to high prices
-
- on the other hand, the traditional penetration testing company guarantees the given testing is always performed, but with no guarantee of real results (revealed vulnerabilities)
Crowdsourced approach
-
customer sets an economic incentive (bounty) for a big group of ethical hackers around the globe to test his application/service that means:
-
a big crowd of ethical hackers is used for the given testing
-
almost unlimited amount of time is used for the given testing
-
because of global competition of ethical hackers, prices could be relatively low or reasonable
-
- in case of insufficient incentive (bounty), there is no guarantee of being tested by the ethical hackers, but there is a guarantee of revealing real vulnerabilities when the customer is obligated to pay
Hackers vs. companies
-
their relationship is usually strongly asymmetrical:
-
army of skilled blackhat hackers need to reveal at least one vulnerability
-
usually defender (company) have to patch all vulnerabilities
-
-
bug bounty programs change this paradigm:
- they allow to use the crowd of ethical whitehat hackers, use their knowledge and experience to protect customers and their systems
Bug bounty programs
-
benefits from the global market
-
more eyes (of the crowd) usually mean better security
-
allow people with hacker skills to gain their money in a completely legal way without a risk of prosecution
-
end-to-end connection between the customer and the ethical hackers may lead to a reduction of transaction costs (the same for Uber, Airbnb, ...)
-
because of the relatively anonymous crowd, the reputation becomes much more important
Bug bounty program flow
Bug bounty program as "Uber for hackers"
-
Bug bounty programs represent a sharing economy model ("Uber for hackers") with all related advantages:
-
strong reputation of the ethical hackers
-
lower transaction costs in case of end-to-end connection between the customer and the hacker
-
strong economic incentive to do the job properly (and firstly try to find the most "valuable" critical vulnerabilities)
-
Bounty pricing
Example price template
| Priority | Vulnerability Types | Pricing in EUR |
|---|---|---|
| Critical | RCE, SQLi, XXE, Vertical Authentication Bypass | 700 / 2200 / 6000 |
| High | Stored XSS, CSRF, Lateral Authentical Bypass | 400 / 750 / 1200 |
| Medium | Reflective XSS, URL redirect | 125 / 250 / 425 |
| Low | SSL misconfigurations, XSS/CSRF with limited impact | 45 / 60 / 135 |
Bug bounty pricing rules
- customers can choose a bug bounty pricing template according to their needs to create a sufficient incentive for the ethical hackers, e.g. according to the answers of the following questions:
- What is your company´s annual turnover?
- Do you process your client´s personal data through your application/web?
-
Do you process your client´s economic data (such as accountancy) OR financial transactions (such as credit card payment) through your application/web?
-
How extensive are potential consequences of your application/web when being hacked?
Bug bounty price template
- security should always make an economic sense - you should not invest more money to your IT security than you can potentially loose (but consider also non-financial losses that cannot be quantified)
- bug bounty price template should be chosen carefully:
- if bug bounties are too low, the hackers are simply not motivated to hack your website/application
- probably a good strategy:
- if you are not sure about the real security of your application, start with low bug bounties and increase them over time if no vulnerabilities are reported
- if you have a secure application, start with higher bug bounties
Commercial bug bounty programs
Thanks for your audience!
Objection #1
- Question: "How can I be sure hackers from my subscribed bug-bounty program do not misuse the revealed vulnerabilities for their personal profit and keep informing me about them?"
- Answer: "Firstly, the hackers don't need to be registered in any bug-bounty program to hack your website or application to reveal the given vulnerabilities and exploit them for their personal profit. That's exactly why you need to be a part of bug bounty programs where you can rely on the hackers' background checking and strict "firing" policy if they fail to follow the defined ethical rules. Secondly, the hacker in the bug bounty programs compete with others. If he does not submit the revealed vulnerability, it is quite likely it'll be revealed by the other hacker who receives "his" bounty.
Objection #2
- Question: "I am already paying for regular penetration tests. Does it still make sense for me to use bug bounty programs?"
- Answer: "Yes, especially during the periods when your application is not in the process of testing to achieve a continuous security. And thanks to bug bounty programs, you have a guarantee of "many eyes" that might be a problem for the most traditional penetration tests."
Objection #3
- Question: "Our web application is PCI-DSS certified with highly trusted EV-SSL certificate. Does it still make sense for me to use bug bounty programs?"
- Answer: "Of course. PCI-DSS or EV-SSL certification are for sure fine, but they are just a small part of the complex security process and do not reflect an overall real security of your web application".
Objection #4
- Question: "I have never heard about bug bounty programs. Why do you think it is a good idea to prefer them instead of a regular penetration test?"
- Answer: "The penetration test is definitely a good choice if you require a systematic security approach during the specific period. Unfortunately it can be quite expensive (usually starts at 1000 EUR and more for one test). In case of bug bounty programs you pay for real vulnerabilities and you pay as much as you wish. This may be a viable solution even for small e-shops and companies with a limited budget which cannot afford relatively expensive penetration tests."
The rise of crowdsourced security
By Pavol Luptak
The rise of crowdsourced security
Uberization (allowing anyone to provide any service to anyone) is embracing our lives. Peer to peer relationships together with the global world's competition allow offering skilled hackers' services even to small and medium-sized companies for a reasonable price. Thanks to omnipresent mobile technology, a rise of Internet of Things (IoT) and dying perimeter security; everything is online and can be a potential target for malicious hackers. Often, a relationship between hackers and companies is strongly asymmetrical. Usually, one defender responsible for patching all vulnerabilities has to face the army of skilled blackhat hackers who need to reveal just one critical vulnerability. Bug bounties programs change this paradigm; they allow you to use the crowd of ethical whitehat hackers, use their knowledge to protect your applications and systems.
