Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Wednesday, 1 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Lancope CTO: Divert open source funding to bug bounties

by The Gurus
April 28, 2014
in Editor's News
Share on FacebookShare on Twitter

Funding that is allocated to the development and improvement of open source code should be redirected to bug bounty programs.
 
In an email to IT Security Guru, TK Keanini, CTO of Lancope, said that while he welcomed the move to boost open source code by the Linux Foundation, he would like to see a renewable and talented set of security researchers rewarded for finding flaws in these open source projects so that they can be fixed quickly and prior to any major incident.
 
He said: “Bug bounties have done well so far in my opinion because the researcher not only makes a little bit of money, but socially money is a great score keeper for leader boards. In my experience, the talent out there is motivated by discovery and notoriety among their peers, the money is just a way to keep score.”
 
Cris Thomas, technical manager at Tenable and former L0pht member Spacerogue said that bug bounties make researchers “motivated by money” and Keanini said he agreed that too much money draws the wrong crowd, so it is important to continuously calculate the right pay-outs.
 
“The structure of bug bounties also are open to new talent and continuously getting new talent involved is critical so that these processes don’t go stale over time,” he said: “Each individual has limits to their tools and techniques which is why you want to attract a diverse pool.”
 
Jaime Blasco, director of AlienVault Labs, said that developers and security professionals alike want to ensure the work they’re doing is solid, and said it was a good idea to keep bug bounties.
 
He said: “Companies such as Microsoft, Oracle or Facebook have been doing it for
years, paying people to find vulnerabilities in either their infrastructure or their software.
 
“At the same time, companies such as HP have been running bug bounties such as the Zero-Day Initiative, where they pay security professionals that discover vulnerabilities in wide-broad software, then they use this information to improve the detection signatures on their products and, at the same time, they notify affected companies.”
 
Asked if he felt that the problem with open source was that updates are not delivered and that no one was watching the bugs – why this OpenSSL issue arose in the first place –Keanini said: “It is table stakes for quality and security, but just because it takes place, does not still mean that a bug might be missed.
 
“Automated code analysis, manual code analysis, bug bounties, together make for a better system because where something may slip by one technique, another will catch it. I’ve always said, it is not about ‘defence in depth’, it is about ‘defence in diversity!”. Just having more of the same things brings the risks inherent to a monoculture. Diversity is how nature keeps everything in balance and we have a thing or two to learn from her as we design complex systems.”
 
Keanini called upon the companies who are funding open source initiatives to begin to deliver a more sophisticated auto-update system for the hardware and software they deploy. “It may very well be that this funding will drive even more bugs found driving them to issues more updates in the short term,” he said.
 
“This is painful if systems are designed to ‘set and forget’. Nothing on the
internet will survive without being able to rapidly change as the co-evolution of defenders and threat continues in a update spiral that dictates change or die.”

FacebookTweetLinkedIn
Tags: Bug BountyOpen Source
ShareTweetShare
Previous Post

Infosecurity Week – Day One

Next Post

Alert Logic make UK debut

Recent News

JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023
Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information