Use Crowdsourcing To Find Security Vulnerabilities

Processor.com

Breaches Happen, So It’s Up To Individual Enterprises To Use Every Defensive Resource.

Identifying security vulnerabilities certainly requires a multilayer approach, and one trend that’s part of this evolving process is crowdsourcing for potential threats through a vendor partnership. Both software manufacturers and larger enterprises are becoming more comfortable with this strategy, but there are plenty of details to consider if you’re the person tasked with managing effective vulnerability tracking procedures.

Crowdsourcing Basics

The concept of crowdsourcing security threats isn’t brand new, yet best practices for this process can look quite different for each company. For example, Larry Walsh, chief analyst and CEO of The 2112 Group, says bug hunting (or the search for vulnerabilities) has long been a crowdsourcing discipline thanks to professionals who will “work on code to identify buffer overflows, cross-site scripting errors, and other vulnerabilities.”

Risks vs. Benefits

Risk is inherent in enterprise security, and crowdsourced vulnerability hunting carries some specific risks of its own. Walsh says security and code integrity scanners can’t catch everything, “especially services and run-time processes that unintentionally open vulnerabilities through normal operations.” Additionally, a collaborative intelligence project may attract untrustworthy contributors.

“If you have unscrupulous people working on crowdsourcing projects, they could gain access to information or insights into vulnerabilities that they can either exploit or expose for others to exploit,” Walsh says.

Penetration Testing & Other Strategies

It’s important to have a handle on the responsibilities of a penetration tester (or pentester) so you can determine if this is a security tactic that might augment any crowdsourcing plans you have in place.

Walsh says a pentester isn’t necessarily the same thing as a person or team checking for vulnerabilities because “when you check for vulnerabilities, you’re looking for subtle to obvious holes in the structural integrity of the code or looking to make legitimate processes do illegitimate things.”

SIDEBAR – Get Started

“Crowdsourcing Vulnerabilities 101” involves searching for and identifying threats, and there’s a fundamental problem that accompanies the quest to prevent breaches, says Amy DeCarlo, principal analyst, security and data center services, at Current Analysis. “The problem is whenever you’re talking about sharing security information, it sometimes leads to sharing information about vulnerabilities or even knowing that a certain threat exists against an organization. So there is a reticence to do that with government in a broader sense.” The goal for organizations in the long run is to look for threat patterns.

SIDEBAR – Top Tips

All for one cause. “By working in concert and collaborating on intelligence, white and black hat hackers can find more vulnerabilities and develop more effective exploits than working alone,” says Larry Walsh, chief analyst and CEO of The 2112 Group. “Just as with most management and development processes, collaboration and cooperation often yield better results.”
