Hacking is gaining major mindshare - good and bad - as global dependence on technology and information is at its peak. The increasing popularity and necessity of security research has given rise to a structured ecosystem in which hacking legally is both lucrative and prestigious. In India, interest in these structured programs and bug bounties is rising among security researchers, even as organizations across the globe look at such initiatives to supplement their secure development lifecycles.
"Developers worldwide need to invest in understanding how to write more secure software," says Katie Moussouris, Chief Policy Officer at HackerOne - a platform provider for coordinated vulnerability response and structured bounty programs. "But it is important to realize that as long as code is written by humans, there will be bugs. And where there are bugs, there needs to be a bounty program."
Structured bounty programs can become an important part of the SDL process, but are only supplementary to a secure development culture, she believes. Bounty programs are no longer limited to software giants with cash to burn. Moussouris says any internet-facing business today needs to have a vulnerability handling mechanism allowing researchers to report them to appropriate stakeholders. This is also the idea behind a platform like HackerOne.
"We need to recognize that not all hackers are villains - we are not in the movies. Researchers coming forward with information are trying to help," she says. "As we look for the next generation of defenders, understanding the attacker's mindset through security research is invaluable."
Moussouris was in India as a keynote speaker at the 6th nullcon security conference held in Goa. In this exclusive interview with Information Security Media Group, Moussouris speaks at length about this ecosystem and some of the trends from an Indian perspective.
She also shares informed insight on various other aspects of this ecosystem, such as:
- The legal liability around vulnerability reporting;
- How structured bug bounty programs work;
- The ISO standards for vulnerability disclosure (ISO 29147) and vulnerability handling (ISO 30111).
Moussouris is the Chief Policy Officer for HackerOne, a platform provider for coordinated vulnerability response and structured bounty programs. She oversees the company's philosophy on vulnerability disclosure, and works to legitimize and promote security research. Moussouris' earlier work encompassed industry-leading initiatives such as Microsoft's bounty programs and Symantec's and Microsoft's vulnerability research programs. She is also a subject matter expert for the US National Body of the International Standards Organization (ISO) in vulnerability disclosure (29147), vulnerability handling processes (30111), secure development (27034), and penetration testing (20004). Katie is a visiting scholar with MIT Sloan School, doing research on the vulnerability economy and exploit market, and was previously a 'hacker' herself.