The report examines the state of crowdsourced security
In September of 2017, the consumer credit reporting agency Equifax announced a data breach that affected over 140 million people. The breach cost the company a blow to its reputation and billions of dollars in settlements. The exploitation of a vulnerability in the open-source web application framework “Apache Struts 2” made the breach possible. The vulnerability in Apache Struts was no secret, and Equifax could very well have avoided the event entirely.
On August 1st, 2019, the crowdsourced security company Bugcrowd is releasing its 2019 Priority One Report on top bugs, bug bounties, and the state of security. Bugcrowd’s report analyzes proprietary platform data from thousands of crowdsourced programs. The report examines crowdsourcing implementation, its economics, and the white-hat hacker community over tens of thousands of hours of work, going back to 2012.
The Priority One report lists the Apache Struts flaw among other superbugs like ETERNALBLUE, Double Kill, Meltdown, and Spectre. It shows “superbugs” becoming more commonplace, and illustrates the evolution of challenges facing cyber-security. It also reports a 92% increase in total vulnerabilities discovered by their crowdsourced programs over the previous year. The average payout per vulnerability also increased this year, with average payouts for critical vulnerabilities as high as $2,669.92 — a 27% increase over last year.
Bugcrowd researchers note a shift away from easy-to-detect vulnerabilities toward weaknesses that are difficult, if not impossible, for a machine to find. Broken access controls, sensitive data exposure, server security misconfiguration, and broken authentication and session management are systemic issues with critical impact, and very few programming frameworks protect against them. The ones that do are far from perfect.
It is becoming increasingly popular for companies to install automated scanners that can protect them from the easier-to-detect, prevalent weaknesses such as XSS, CSRF, and SSI. According to the report, however, the migration away from some of these targets will require a deeper level of scanning, and it is accelerating the need for solutions that can evolve and adapt right along with the threats.
In addition to the status of top bugs and their current trends, Bugcrowd also discusses in their report just how effective crowdsourced solutions are in hunting and exposing a vulnerability before it becomes an issue. Rewarding hackers to find and disclose these flaws has allowed some savvy ventures to fix the problem well before it can ever be used against them.
Bugcrowd finds a considerable spike in crowdsourced pen testing and vulnerability disclosure across company and public programs. Alongside the significant 92% increase in vulnerability submissions, the report notes massive increases in submissions for all potential target types, as well as in the number of crowdsourced programs with those targets in scope.
The Priority One report outlines evidence supporting the investment in providing incentives for hackers to hunt for and disclose weaknesses that could potentially end up destroying your organization. Along with testimony from executives who have used these tactics, Bugcrowd lists clear and tangible returns on investment for implementing these types of programs. It’s worth mentioning the $1.7 billion that Equifax has paid out to those affected by its breach, which could have been avoided had Equifax deployed a program like Bugcrowd, which was, in fact, one of the resources that discovered the flaw in Apache Struts 2.
Bugcrowd has done an excellent job in putting together the massive research project that provided data for this report. They have given readers much to consider. If your systems, services, products, and software need to be battle-hardened you should consider deploying advanced analytics and intelligent security automation.
Download your copy of the Priority One Report
Cody Bowcut is a Contributing Editor for Brilliance Security Magazine