According to research released Tuesday by a renowned bug bounty site, ethical hackers have prevented more than US$27 billion in crimes in the last year, as reported by TechNewsWorld.
Ethical hackers
In its annual Inside the Mind of a Hacker report, Bugcrowd maintained that ethical hackers working on its platform were able to prevent those cybercrime losses to organizations by exposing vulnerabilities that would otherwise have gone undetected.
The report is based on a survey of the platform’s users and security research conducted from May 2020 to August 2021, in addition to millions of proprietary data points collected on vulnerabilities from nearly 3,000 security programs.
The report noted that nearly three of four ethical hackers (74%) agreed that vulnerabilities have increased since the start of the Covid-19 pandemic.
“Due to the rapid change almost everyone underwent due to the pandemic, many vulnerabilities and weaknesses were introduced,” observed John Bambenek, a principal threat hunter at Netenrich, a San Jose, Calif.-based IT and digital security operations company.
“You can do things fast or do things secure and out of necessity we did things fast,” he told TechNewsWorld.
Shifting vulnerability landscape
There’s little question that the vulnerability landscape has shifted since the start of the pandemic, added Jake Williams, co-founder and CTO of BreachQuest, an incident response company in Dallas.
“As the majority of knowledge workers moved from on-premises to remote work, network architecture fundamentally shifted,” he explained to TechNewsWorld.
“We view security as the intersection of confidentiality, integrity, and availability,” he continued.
“Vulnerabilities caused by the rapid transition to remote work will certainly continue to be discovered,” Williams insisted.
The pandemic has also increased the demand for new talent at cybersecurity companies.
Continuous monitoring needed
The Bugcrowd report also noted that more than nine in 10 of the ethical hackers surveyed (91%) acknowledged that point-in-time testing — which is what they do — can’t secure an organization year-round.
“That’s a reflection of what software delivery professionals have known for years and years — shorter, more agile cycles improve quality,” said Tim Wade, technical director for the CTO team at Vectra AI, a San Jose, Calif.-based provider of automated threat management solutions. “Rapid, smaller scope engagements with an opportunity to incrementally measure capabilities over time are almost certainly going to move the needle for organizations,” he told TechNewsWorld.
Bug bounties have their merit in the cybersecurity field but still fall into the category of focusing efforts on post-deployment and being reactive, added Archie Agarwal, founder and CEO of ThreatModeler, an automated threat modelling provider in Jersey City, N.J. “I would rather legitimate security researchers always find vulnerabilities before the criminals, however, the industry focus must shift towards proactive, continuous security in the design and build phase,” he told TechNewsWorld.
“Only by leveraging automated threat modelling that weaves seamlessly throughout the software development life cycle will we start to truly tackle the scale of vulnerabilities being found,” he said.
Hacker lifestyle
The report also contains information on the lifestyle, expertise and motivations of the ethical hackers on the Bugcrowd platform, in addition to several “up close” pieces on several hackers.
“I’m always inspired by the ingenuity and entrepreneurial mindset of those drawn to ethical hacking,” observed Bugcrowd Founder and CEO Casey Ellis.
“The report also found that this is the youngest, and most ethnically diverse, generation of ethical hackers in history,” he added.
“The impact this cohort has on thwarting cyberattacks and advancing the industry is monumental, and this is sure to continue.”
Craig Young, a principal security researcher at Tripwire, a cybersecurity threat detection and prevention company in Portland, Ore., explained that organizations leverage bug bounty programs as a form of crowdsourced security testing.
“No security team, no matter how mature, is able to catch 100% of the issues 100% of the time,” he told TechNewsWorld, “but bug bounty programs help reduce the risk that a missed issue will be leveraged for intrusion.”
‘Many Eyes’ advantage
“Having many eyes, especially with the necessary talent and training, is one of the best things you can do to find and eradicate bugs,” added Roger Grimes, a defence evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla. “No matter how great your internal bug finding team is, an external team will always find bugs the internal team did not,” he told TechNewsWorld.
“Bug bounty programs invite many external people and teams to look for bugs in your software — before the malicious hackers do.”
Despite the benefits ethical hackers can bring to an organization, pockets of distrust remain.
“Most industries are not comfortable with bug bounties and ethical hackers because they do not understand the tremendous benefits,” Grimes said.
Nevertheless, he noted things have gotten better over the years.
“A decade ago, most organizations would never have allowed bug bounty programs,” he observed.
Source: TechNewsWorld