Are your competitors recruiting hackers today?
Bug bounty programs continue to expand, while internal hacker recruitment rockets to 700 per cent.
It may sound counter-intuitive, but demand for hackers has never been higher, with a host of enterprises and government bodies turning to ethical hackers to test their digital defences, the most recent example being the US military.
This is the first time the US military has fully and publicly engaged with external hackers - albeit registered via HackerOne, and targeting a selected list of public-facing US Army websites.
"We're not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense," US Army Secretary Eric Fanning explained. "We're looking for new ways of doing business."
The Pentagon has also trialled limited bug bounty-style programs: ‘Hack the Pentagon’, run earlier this year, technically became the US Government’s first ever bug bounty program, although its targets were non-live systems. More than 138 unique software vulnerabilities were resolved as a result of the scheme, and tens of thousands of dollars were awarded to 58 individual hackers.
It’s not just government institutions looking to crowdsource penetration testing: a host of major corporations have announced bug bounty programs, from Apple and Yahoo through to Facebook - the latter having recently announced that it had paid out $5m to over 900 researchers in the last five years, with 12.2 per cent of the total being spent in early 2016 alone.
However, research by High-Tech Bridge found that although plentiful, many bug bounty programs are not delivering effectively. Researchers found that some companies are beginning to experience ‘bug bounty fatigue’: the point at which researchers have already found all the simple and easily detectable vulnerabilities, and are wary of the time cost of digging deeper in the hunt for more advanced attack and exploitation vectors. Many private bug bounties have shifted towards pay-per-result penetration testing, introducing new restrictions on which researchers may participate, as the US Army has. Meanwhile, fully open bug bounty programs, such as OpenBugBounty, have continued to increase their value to the community, seeing hundreds of submissions every month.
Ilia Kolochenko, High-Tech Bridge CEO, said: “In our web security testing practice, it’s fair to say that 9/10 companies with public or private bug bounty programs have at least two high or critical risk vulnerabilities detected in less than three days of professional auditing, and missed by the crowd due to detection and exploitation complexity.”
Perhaps in light of this, some enterprises are shifting the focus from outsourced to internal skills. Postings for ethical hacker jobs on the career site Dice.com have rocketed from 100 jobs in 2013 to over 800 jobs today - a 700 per cent rise. A search on the UK jobs site Indeed.co.uk turns up 55 live roles today alone. A report from Radware and Merrill Research found that an impressive 59 per cent of respondents said they either had hired ex-hackers to help with security or were willing to do so, with one respondent saying, “Nothing beats a poacher turned gamekeeper.”
However, whether outsourced or internal, the same rules apply to the business of vulnerability testing. As Kolochenko has said before: “Vulnerability testing methodologies should be proportional to your web infrastructure size, scope and, most important, its expected usage in production. If you are a large company with numerous publicly facing web applications available and designed for everyone – a bounty program can definitely be a great added-value for your security arsenal. Otherwise, you'd be better spending your budget on traditional web security solutions, proper integration of S-SDLC, and mitigation of the most popular web application security risks”.