The need for bug bounty programs began years ago as a void formed. Manufacturers were producing their goods and services, as expected. The problem was that manufacturers had a "first to market" mentality. There was, and in certain markets still is, a rush to design, engineer, and manufacture the product. The product needs to be first in the marketplace so that consumers will buy it. In theory, the manufacturer then becomes the market leader, sells the maximum number of units, and gains market share. A manufacturer that waits would not maximize its sales volume and would be left trying to catch up with its peers. This sales methodology is unfortunately still prevalent. Recently it has been noted with routers, IP cameras, and similar equipment.
With these and other products, security architecture was applied at various levels, ranging from very little, as with too many IoT products, to a moderate level of security. A contributing factor has been the lack of information security talent. This stems from the limited number of academic programs focused on the field, newer programs not coming online quickly enough, and a lag of at least three years after a program is in place before its graduates enter the workforce.
One area growing in importance is vehicle security. The number of vehicles with embedded systems continues to grow. Autonomous vehicles are presently being tested on roads used by the public. These vehicles are expected to be in full production within five years. The systems are being developed with the focus on having them operational in a timely manner, with security a secondary concern.
With the growing need for information security (InfoSec) professionals, there is an issue. Within this specialty, only a limited number of people have the knowledge and expertise to attack the embedded systems in a vehicle. Most firms in this specialty do not allow their personnel to contribute to these bug bounty programs (Gray, 2017). This appears to be starting to relax, but it is still an obstacle to overcome.
With a bug bounty program, the sponsoring firm is able to add to its security baseline. With vehicles, there are ample areas to research. The connected and autonomous vehicles in use today are more computers on wheels than anything else. From an administrative side, a bug bounty program is easier to run with a vehicle model that has been sold for years, since more vehicles and modules are available to test on dealer lots and in junkyards. With new vehicles, an issue can be, depending on the circumstances, the cost: new vehicles cost upwards of $30k. The internal client may not want to part with two or three vehicles given this constraint on their budget. Junkyard vehicles may not have all of their original equipment due to an accident or other damage, but many of the modules would be intact and perfectly testable.
There is much to do with InfoSec and vehicles. This subfield of InfoSec is growing by leaps and bounds. More manufacturers are producing more connected vehicles, applications, and hardware. Bug bounty programs are a welcome addition to the InfoSec environment for those manufacturers without an internal testing program. They have provided, and will continue to provide, knowledge of vulnerabilities that might not otherwise be found.
Reference

Gray, P. (2017, July 2). Biz soap box: Bugcrowd founder and CEO Casey Ellis on the future of crowd sourced security. Retrieved from https://risky.biz/