Relying on bug bounties ‘not appropriate risk management’: Katie Moussouris

August 19, 2019
in Internet Security

If you expect a bug bounty to find and fix your organisation’s hidden cybersecurity problems, you’re wrong. To steal a line from the late John Clarke, you’re a fool to yourself and a burden to others.

Bug bounties are certainly sexy. You’ll look like you’re engaging with the wider cybersecurity community, and you’ll get great media coverage when a hacker strikes it rich.

There’s also the belief that if your organisation doesn’t pay to know about the bugs, then organised criminals and nation-states will.

But the reality? You may well be paying out big bucks to find generic, easy-to-find vulnerabilities, according to Katie Moussouris, founder and chief executive officer of Luta Security.

“Not all bugs are created equal,” she told the Gartner Security and Risk Management Summit in Sydney on Monday.

The vast majority of bugs found via bug bounty programs are cross-site scripting [XSS] bugs, a known class of bugs that are easy to detect, and easy to fix.

“Why would organised crime or nation-states pay for simple classes of bugs that they can find themselves? They’re not going to pay some random researcher to tell them about cross-site scripting bugs,” Moussouris said.

“You should be finding those bugs easily yourselves too.”

Moussouris is a huge supporter of bug bounties, having run both the Hack the Pentagon and Hack the Army programs for the US military. But she says that relying on a public bug bounty program just creates the “appearance of diligence”.

“This is not appropriate risk management. This is not getting better when it comes to security vulnerability management,” she said.

Moussouris told the story of one security researcher who’d made $119,000 in a bug bounty program. That’s more than $29,000 per hour to find simple bugs in a known class.

“That’s a great ROI [return on investment] for that researcher. It’s a terrifying ROI for the organisation that paid him,” she said.

Security professionals researching new and complex classes of vulnerabilities are paid well, but nowhere near $29,000 an hour. Simple bugs can be found way, way more cheaply.

Bug bounties can also have a low signal-to-noise ratio, as shown in statistics from HackerOne.

Of the more than 300,000 registered hackers, only around one in 10 has found something to report, and only a quarter of those have been paid a bounty. Only 1000 hackers have earned $5000 or more, which is less than a third of a percent of the total.

Another hacker made a million dollars over three years. But to do that, he filed more than 1600 bug reports, only 128 of which were critical.

“He really was just jamming away with those publicly-available tools — honing his skills certainly — but nowhere near the skill level and the value delivery over that three years that equates to a million dollars,” Moussouris said.

Whether or not an organisation has a public bug bounty program, most have no internal pipeline for receiving, triaging and fixing the vulnerability reports that come in.

Only three of the exhibitors at Gartner’s summit in São Paulo, Brazil, earlier this month could tell Moussouris how to report a vulnerability to their organisation. One exhibitor even said something like “No, we don’t have vulnerabilities. We protect you from vulnerabilities”.

They’re not alone. Some 94% of the Forbes Global 2000 companies have no published way to report a security vulnerability, she said. Few have a formalised process for validating and triaging vulnerability reports and making sure they’re fixed.

Then there’s the eternal problem of basic cyber hygiene. Moussouris says we “struggle as an industry” to deal with the last-kilometre problem of actually applying the patches.

“A lot of the patterns [have] not actually shifted that much from where we were when I started out professionally 20 years ago as a penetration tester,” she said.

“We’ve created a $170 billion industry, which, we’re really good at a few things, security not exactly being one of them. Marketing, definitely.”

Credit: Zdnet