Open Source For You — December 2017

By: Shasanka Sahu
The author works at Instasafe Technologies Pvt Ltd.

Countering malicious hackers needs a large number
of ‘ethical hackers’, also known as ‘white hats’, who
will probe your systems just as any hacker would, but
responsibly report to you any vulnerabilities in your
system. Many of them do this work for recognition, so
don’t hesitate to name the person who helped you. Do
appreciate the fact that they are spending a lot of their time
identifying the security holes in your systems.
This concept is not new. It has been tried by a number of
Internet, information technology, automobile and core industry
companies. Google, Facebook, Microsoft, ABN AMRO,
Deutsche Telekom and the US Air Force are some of the many
organisations that have set up their own reward programmes.
And it has helped these companies spot bugs in their systems
that were not evident to their own in-house experts, because
the more pairs of eyes checking your code, the better.
Some companies might hesitate to work with hobbyist
researchers, since it is difficult to know, for example,
whether they are encouraging criminal hackers or not.
What if the hobbyists steal company data?
As more and more organisations become digital, startups
now offer their services through Web or mobile applications,
so their only assets are the software apps and customer data.
Once a data breach happens, customer credentials get stolen
or denial-of-service attacks occur, leading to huge losses in
revenue, reputation and business continuity. By becoming part
of a bug bounty platform, companies can create a security
culture within their organisations.
Indian companies have a unique advantage if they
decide to crowdsource the identification of security
vulnerabilities in their IT infrastructure, since the country
has one of the largest numbers of security researchers, who
are part of the crowd willing to help organisations spot a
bug before a criminal does.
The 2017 Bugcrowd report cited 11,663 researchers
in India who worked on bug bounty programmes, second
only to the US with about 14,244 white hat hackers.
While most of them have jobs or identified themselves as
students, 15 per cent of bug hunters were fully engaged
in the activity, with this number expected to increase,
according to Bugcrowd.
Although Indian hackers earned over US$ 1.8 million
in bounties in 2016-17, the bounties paid by Indian
companies added up to a paltry US$ 50, according to
HackerOne, indicating that local firms are not taking
advantage of the crowdsourcing option.
Part of the reason is that Indian companies are still wary
of having their security infrastructure and any vulnerability
in it exposed to the public. This over-cautious approach
could backfire in the long term, as it is always better to
look for bugs cooperatively with responsible hackers in a
controlled environment, rather than have the vulnerabilities
eventually spotted and exploited by criminals.


Companies also take cover behind a smokescreen of
denial when they are actually hit by cyber attacks, as Indian
law does not make it mandatory to report security incidents
to the CERT or any government agency. However, the
regulatory framework is expected to change with the Reserve
Bank of India, for example, making it mandatory for banks to
report cyber security incidents within two to six hours of the
attacks being noticed.
Indian organisations also do not have a local platform
for engaging with researchers, which would define the
financial, technical and legal boundaries for the interaction
in compliance with local regulations. Such a platform would
give these companies the confidence that they can engage
safely with people who are not on their payroll, even if their
main objective is to hack for bugs.
Bug bounty platforms like SafeHats are connecting
enterprises with white hacker communities in India.
Safehats.com, powered by Instasafe Technologies, is a
leading Security as a Service provider. It offers a curated
platform that helps organisations to create a responsible
vulnerability disclosure policy that lays down the rules of
engagement, empanels reputed researchers, and makes sure
that the best and the safest white hackers get to your systems
before the bad guys do.
SafeHats has been working with some leading banking
organisations and e-commerce players in securing their
applications. Once vulnerabilities are discovered, SafeHats
helps to fix them and to launch secure apps to the market.
The key difference with this kind of platform is that the
organisations pay the security researchers only if the bug is
found, and the amount paid is based on the severity of the bug.
A large number of Indian enterprises are in dire
need of tightening up on their security, as the compute
infrastructures of an increasing number of organisations are
being breached. On the other hand, we see an opportunity
for Indian companies to leverage the large talent pool of
white hackers from India. SafeHats in Bengaluru was born
out of the need to bring Indian companies and hackers
together, in a safe environment.
More organisations are now aware of their
security needs after the high-profile WannaCry and Petya
ransomware attacks. A lot of growth-stage startups have
shown interest in adopting bug bounty programmes, as
they have realised that application security is key to their
next round of funding.
Sandip Panda, CEO of Instasafe, says, “Security is
now an important topic in every organisation’s board
room discussions. Investment in security is as important as
investment in the product itself. Bug bounty platforms will
create an entirely new security culture in India.”

Advertorial


http://www.OpenSourceForU.com | OPEN SOURCE FOR YOU | DECEMBER 2017 | 19