Businesses continue to be plagued by software vulnerabilities, which remain among the biggest concerns for organisations.
A particular challenge is the fact that any individual with the capability and motivation (malicious or not) to exploit such vulnerabilities could potentially gain access to confidential and sensitive information.
With the increase in malicious software, combined with technological intelligence, key vendors realise they need to continuously update their products to address newly discovered vulnerabilities.
But how are all of these vulnerabilities being identified? Increasingly, it’s not the developers’ labs or testers, as was traditionally the case – it’s more often the (public) “crowd”.
Security enthusiasts, ranging from curious teenagers to senior software engineers spread across the globe, are now analysing software with the hope of being the next one to discover a vulnerability that will bring them cyber-eminence or a big reward.
Much of this activity is fuelled by financial rewards or “bug bounties” distributed by software authors and security research programmes to those who find vulnerabilities and disclose them responsibly.
Crowdsourcing gives anyone the opportunity to solve problems and, by harnessing the power of the internet this way, software vendors may be able to recruit a huge pool of testers to evaluate their products.
In light of these positive motives and outcomes, other businesses are also turning to this model, for example to have penetration tests performed on their applications and websites.
In many ways, this could be a huge leap forward for security – in theory leading to much faster identification and remediation of vulnerabilities. However, organisations should carefully consider the risks before employing this methodology.
The objective of crowdsourcing security testing is to allow independent researchers to report flaws directly to the business, in exchange for publicity and/or financial reward, rather than disclosing them online or selling them on the dark web to be exploited by malicious parties.
Crowdsourcing websites typically recruit from a broader range of participants, who often have more specialised skills and experience than independent testing providers or in-house teams. This allows for a more diversified skill set, and customers can draw on a vast range of expertise to meet all their requirements in a single place.
Although the benefits of using crowdsourcing for security testing are evident, there are also associated risks that organisations should be aware of.
Confidentiality risks can arise because these services depend on allowing a large pool of unvetted individuals to explore vulnerabilities in a piece of software. In addition, testers require permission to avoid violating laws, such as the Computer Misuse Act, and permission is effectively given if you ask them to do the testing.
However, in authorising a crowd group, you may be seen to be authorising everyone within the group, regardless of their intentions. The danger lies in allowing unauthorised access to information and intellectual property included in system design.
Equally, if an asset being tested is hosted on a corporate network, testers may be able to gain access to other areas of the network being used for more sensitive information.
To mitigate this risk, organisations should require testers to be registered and to have participated in other “bug bounty” programmes before being allowed to test on their site.
However, this may become challenging as it is often difficult to maintain confidentiality with private individuals who are involved without solid legal contracts in place.
Another risk associated with crowdsourcing is the unclear methodology it brings. Organisations have no oversight of the testing methodology being used by researchers, making it difficult to establish how vulnerabilities were detected or to replicate problems.
This is in contrast to formal testing providers, who are able to provide evidence of their capabilities through certifications such as the BCS – The Chartered Institute for IT (e.g. ISTQB Software Testing), and the Council for Registered Ethical Security Testers (CREST).
Members of the crowd may use testing as an opportunity to gather information about the test system, in the knowledge that their activities will not be flagged by conventional security controls because the testing is expected; the information gathered may then be used in future attacks.
Alternatively, testers may participate in this type of programme and then attempt to sell vulnerabilities to cybercriminals through dark-web forums.
It is clear that crowdsourcing is going to play an increasingly important role in online security over the coming years. This is particularly relevant to large organisations that might prefer to disclose vulnerabilities responsibly, rather than have hackers sell or exploit the vulnerabilities that they find.
However, before engaging the crowd, businesses should consider the risks and take steps to ensure their assets are adequately protected.
It is necessary to verify what information is stored or used by the application and be aware that testers may already have, or could gain, access to this information.
Consider where the asset is hosted: if the website or application is hosted on the company’s own infrastructure, check that it is segregated from the remainder of the network. It is important to use a designated test environment to reduce the risk of unauthorised users gaining access to other assets.
To test “offline” assets, vendors will have to make a copy of the application available for testers to download. This carries additional risk as discovered vulnerabilities will affect not just the vendor, but everyone using that software version.
Once the application or website has been tested, organisations need to determine a remediation plan, which should be a logical, prioritised way of fixing the identified flaws. This is essential to prevent vulnerabilities from being exploited after discovery.
Lastly, organisations need to put legal protections in place to ensure that the sign-up process involves a clear and, where possible, legally binding agreement to maintain confidentiality during and after the activity.
Crowdsourcing may still be in its infancy, but it’s clear that the model, if approached sensibly and carefully, could provide substantial benefits to solving many problems – including those related to vulnerability detection.
It is highly likely that its use will continue to grow and develop, which makes it all the more important for organisations to address the concerns surrounding confidentiality and unauthorised access.
Until organisations can mitigate such concerns, they should consider employing the services of a professional accredited team for testing applications that handle confidential information.
This will ensure increased legal protection and will provide the customer with a greater level of assurance, as they can verify that a recognised professional body has appropriately certified the testers being used.
Sourced from James Nunn-Price, Deloitte UK cyber lead