Funding that is allocated to the development and improvement of open source code should be redirected to bug bounty programs.
In an email to IT Security Guru, TK Keanini, CTO of Lancope, said that while he welcomed the move to boost open source code by the Linux Foundation, he would like to see a renewable and talented set of security researchers rewarded for finding flaws in these open source projects so that they can be fixed quickly and prior to any major incident.
He said: “Bug bounties have done well so far in my opinion because the researcher not only makes a little bit of money, but socially money is a great score keeper for leader boards. In my experience, the talent out there is motivated by discovery and notoriety among their peers, the money is just a way to keep score.”
Cris Thomas, technical manager at Tenable and former L0pht member Spacerogue said that bug bounties make researchers “motivated by money” and Keanini said he agreed that too much money draws the wrong crowd, so it is important to continuously calculate the right pay-outs.
“The structure of bug bounties also are open to new talent and continuously getting new talent involved is critical so that these processes don’t go stale over time,” he said: “Each individual has limits to their tools and techniques which is why you want to attract a diverse pool.”
Jaime Blasco, director of AlienVault Labs, said that developers and security professionals alike want to ensure the work they’re doing is solid, and said it was a good idea to keep bug bounties.
He said: “Companies such as Microsoft, Oracle or Facebook have been doing it for
years, paying people to find vulnerabilities in either their infrastructure or their software.
“At the same time, companies such as HP have been running bug bounties such as the Zero-Day Initiative, where they pay security professionals that discover vulnerabilities in wide-broad software, then they use this information to improve the detection signatures on their products and, at the same time, they notify affected companies.”
Asked if he felt that the problem with open source was that updates are not delivered and that no one was watching the bugs – why this OpenSSL issue arose in the first place –Keanini said: “It is table stakes for quality and security, but just because it takes place, does not still mean that a bug might be missed.
“Automated code analysis, manual code analysis, bug bounties, together make for a better system because where something may slip by one technique, another will catch it. I’ve always said, it is not about ‘defence in depth’, it is about ‘defence in diversity!”. Just having more of the same things brings the risks inherent to a monoculture. Diversity is how nature keeps everything in balance and we have a thing or two to learn from her as we design complex systems.”
Keanini called upon the companies who are funding open source initiatives to begin to deliver a more sophisticated auto-update system for the hardware and software they deploy. “It may very well be that this funding will drive even more bugs found driving them to issues more updates in the short term,” he said.
“This is painful if systems are designed to ‘set and forget’. Nothing on the
internet will survive without being able to rapidly change as the co-evolution of defenders and threat continues in a update spiral that dictates change or die.”