Pulling in security help on a project has traditionally meant either hiring more full-time staff or bringing in an outside consultant. Enterprises and vendors alike, however, are starting to go outside the perimeter these days and are taking advantage of crowdsourcing.
Given the paranoia in the industry, putting out an open call to find vulnerabilities in an application, for example, seems like an idea that would never get off the ground. But more organizations are giving it a shot—and no project seems out of scope. Plans are in the works to crowdsource some of the remaining cryptanalysis in the TrueCrypt audit, and companies such as HP and Microsoft have built platforms for threat intelligence sharing that facilitate the phenomenon.
“My personal view is that crowdsourcing lends itself perfectly to security,” said Bugcrowd CEO and founder Casey Ellis.
Bugcrowd is a relatively young company whose business model is crowdsourcing vulnerability discovery and management by providing the platform, research community and monetary rewards to do so. Ellis said crowdsourcing corrects the fundamental imbalance between attackers and defenders.
Ellis points out that attackers, whether they’re opportunistic criminals or focused nation states interested in espionage, are a large group with a diverse skill set. In-house help and consultants, while skilled, cannot match the diversity posed by the opposition, he said.
“They can be good at what they do, but the fact is that there’s not a large group of them. It puts companies at a fundamental disadvantage,” Ellis said. “Where the economics comes into it, is that it’s impossible to hire everyone by the hour. By bringing in crowdsourced results based on an incentive model, it’s the most logical way to get things done.”
Bugcrowd, which has 9,500 researchers registered in its network, today announced the public availability of its Flex Bounty Program, which has been used internally with customers for some time, Ellis said. It is structured to look like a penetration test: the customer sets a fixed time frame for results, the scope of the engagement, and the size of the bounty. Ellis said a recent customer required a pen test for compliance with the Payment Card Industry Data Security Standard (PCI-DSS). The flex program was carried out over a 24-hour period in which 50 participants from Bugcrowd’s pool hammered away at an application, essentially delivering the same number of man-hours as a two- to three-week engagement.
Success, Ellis said, can be measured with a quick comparison to previous pen-test results.
“Spreading that out across a group of people, you end up with results that are dramatically comparable to stuff that’s been done in the past,” Ellis said. “Once it’s been done once, you see this was really effective.”
Others are hoping to cash in on the effectiveness of crowdsourcing. The second half of the TrueCrypt audit, for example, is set to commence shortly and will also take this approach in its quest to determine whether the open source encryption software has been compromised by a backdoor.
Project leaders Thomas Ptacek and Nate Lawson are expected to follow a model employed by Ptacek’s company, Matasano Security. Matasano’s Crypto Challenges were a set of more than 40 exercises demonstrating attacks on real-world crypto, exploiting weaknesses in real systems and cryptographic constructions. Those interested in participating emailed Matasano and were sent eight challenges at a time, each stage more difficult than the previous one.
That same format could be part of the TrueCrypt audit, said Kenneth White, who along with Johns Hopkins professor and crypto expert Matthew Green kickstarted the Open Crypto Audit Project.
“It’s an incredible way for people to identify rising and promising researchers who are not widely known in the community,” White said. “We have top people collaborating and now with the crowdsourcing, I’m excited about it.”