Unleashing Bug Bounty Programs
How to use Vulnerability Assessments, Penetration Testing, and Bug Bounty Programs Together to Improve your Security Posture
An Interview with Jasmin Landry, Sr Cyber Security Engineer at leading MSSP SecureOps
Jasmin Landry Introduction
Jasmin Landry is a Sr. Cyber Security Engineer here at SecureOps. He helps SecureOps customers with vulnerability management, pen testing, and bug bounty programs. He is certified in CEH or ethical hacking, GWAPT, and has an OSCP certification from Offensive Security.
Jasmin is ranked in the top 50 in Bugcrowd’s bug bounty program ranking and has been invited and is a funded participant in bug bounty competitions across the world including competitions in Montreal, Buenos Aires, San Luis Obispo, San Francisco, Miami, and Las Vegas.
He has also participated in publishing popular cybersecurity-related articles including “Sleeping with the Enemy” which discusses finding vulnerabilities in automobiles that could be exploited by cybercriminals.
Penetration Testing Certifications
Interviewer: Tell us about your certifications, Jasmin.
Jasmin: I started with the CEH certification which is the most widely known ethical hacker certification and is fairly theoretical in nature. Lots of organizations offer 4- or 5-day boot camps for a few hundred dollars. They teach you many of the tools used for penetration testing and of course, they try and get you to learn the pen testing mindset which is “to stop a hacker you need to think like a hacker.” This is a solid certification to get started on the road to becoming a quality pen tester. The second certification that I earned is the OSCP.
The OSCP certification from Offensive Security is the most advanced in my opinion because you have the opportunity to actually break into systems and machines and steal data. The OSCP examination consists of a virtual network containing targets of varying configurations and operating systems. At the start of the exam, each student receives the exam and connectivity instructions for an isolated network that they have no prior knowledge or exposure to. The course is fairly “real-world” in nature and the 24-hour exams really bring out the best in true pen testers.
The GWAPT is specific to web application penetration testing, nothing else. Web application penetration testing has become increasingly critical as cybercriminals are targeting vulnerabilities in software and using their own technology to uncover these vulnerabilities more quickly. The GWAPT is geared to help pen testers understand SQL injection and authentication types of attacks as an example.
Protecting PII or Personal Information through Pen Testing
Interviewer: What is the goal of most organizations when they hire a Pen Tester like you?
Jasmin: Organizations want to protect PII or the personal information of its customers, employees, and partners. This is critical because the truth is that organizations that I work with want to avoid the inevitable brand damage that they experience when they end up on the evening news as having experienced a breach that exposed their client’s personal information.
In addition, with legislation like GDPR and other compliance legislation that is likely to be coming soon in the United States, organizations are having to pay enormous fines. Thus far GDPR has incurred over 350 million Euro’s in fines from organizations like Marriot, Google, and British Airways so companies are taking security and protecting their customer’s PII much more seriously than they have in the past.
Interviewer: The audience would love to understand the differences between vulnerability assessments, penetration tests, and bug bounty programs.
Jasmin: Let’s start with vulnerability assessments since this is where I believe organizations who are trying to improve their security posture should start. A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system – just to make the definition simple. Ultimately, vulnerability assessments will include the prioritization of each system with systems holding PII or other critical data landing at the top of the list.
Taking assessments, a step further, vulnerability management is the systematic process of scanning and eliminating vulnerabilities by priority. Last year we saw 22,000 vulnerabilities published by the CVE which is 3 times as many as they published in 2016 and nearly 8,000 more than they published in 2017. From a risk management standpoint, there is no way to cost-effectively eliminate all vulnerabilities the moment they are found and recognized. Organizations must patch systems by priority in a systematic fashion and there is no way to do this unless you understand which systems hold critical information and which vulnerabilities may be on those systems.
An enormous number of attacks including WannaCry and the Equifax breach leveraged known vulnerabilities and attackers are weaponizing these vulnerabilities more quickly than ever.
Interviewer: How about penetration tests?
Jasmin: A pen test or an ethical hacking exercise is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. A pen test will typically identify the target systems and a particular goal, such as stealing PII – the personal information of the organization’s customers. The pen tester usually has very little information on the system and undertakes various means to attack the system and steal the information – this is a black box pen test.
A penetration test target may be a white box, which provides information about the target or black box, which provides only basic or no information except the company name. There is also a gray box penetration test which is a combination of the two.
Ultimately, a pen test can help determine whether a system is vulnerable to attack and which defenses the pen test defeated.
Bug Bounty Programs
Interviewer: How about Bug Bounty Programs?
Jasmin: Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle as a reward. A little over a decade later in 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation coined the phrase “Bugs Bounty.”
However, the term wasn’t widely used in IT security until Microsoft, Facebook, and Yahoo among others started to offer substantial rewards to pen-testers who helped them uncover vulnerabilities in their own software.
A bug bounty program is a reward offered by quite a few websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and unknown vulnerabilities.
Most organizations that we serve here at SecureOps are not managing bug bounty programs like the Microsoft’s of the world who are constantly pushing out new software, however, they do require rigid vulnerability management and pen testing programs.
Bug Crowd and Hacker One Bug Bounty Competitions
Interviewer: You are ranked in the top 50 of over 100,000 participants in bug bounty programs and literally have traveled the globe participating in contests. What advice do you have for pen testers who want to get involved in these competitions?
Jasmin: The main advice I’d give pen testers who want to get involved in bug bounty and get invited to those live hacking competitions, is to simply start submitting high-impact reports to those bug bounty platforms like HackerOne and Bugcrowd. These platforms have a points-based leaderboard and ranking; the more points you have, the better it is for you.
Eventually, after having reported a handful of good vulnerability reports, you start getting invited to private programs. Since these programs are private, there are fewer researchers looking at them so there are more chances for you of finding high impact or critical bugs. At one point, once you’ve shown you consistently submit good reports with a high impact, the platforms will notice it and that’s when you can get in the conversation of who they’re inviting to the next competition.
Vulnerability Assessments, Pen Testing, and Bug Bounty Programs – The Conclusion
Interviewer: Can you take a minute to explain where organizations should start and what they should expect from the programs we have discussed today?
Jasmin: Of course. As I suggested when you asked me about vulnerability assessments – this is the first step. Organizations must prioritize their systems and the vulnerabilities on their systems. Patching some systems will have almost no effect on their overall company risk while patching priority systems will have an enormous impact on the overall risk.
Vulnerability assessments will prioritize the systems and vulnerabilities – this is critical to establishing a vulnerability management program which is critical to reducing overall risk in the environment.
A good vulnerability management program will provide a real-time snapshot into risk levels of various systems and the overall risk to the organization. If organizations want to improve security posture, they have to measure their improvements and a vulnerability management program will provide the platform for improvement.
Pen testing is all about uncovering system and user weaknesses. Most people don’t realize that the vast majority of major breaches start with a phishing scam by cybercriminals. They send out malicious attachments and links to unsuspecting, untrained employees who click on the link or open the attachment which starts the chain of events in a cyber attack.
Thus, in pen testing, we not only look for vulnerabilities to break into systems so that the vulnerability can be mitigated but also to educate the employees and partners as to what to look for in a phishing attack.
Interviewer: Great information Jasmin – thank you for speaking with us today!