Harri Sinnelä
Labs / 26 Nov 2015

Gone hunting


You may have noticed that the applications, services and everything else accessed via networks are exposed to other entities. No surprise here, this is the key reason these even exist – bringing in money, users, experiences, information – you name it. You may have also noticed that many things have changed in the development of these applications, services and everything else. The waterfall development process with strictly defined release dates is increasingly being replaced by the agile world, where the only constant is change. Time to market is a bigger criterion than ever. The number of services, applications and components listening on the network and available to your partners, customers, employees, friends and virtually everyone has gone (or is soon to go) through the roof.

What has this to do with security, you ask? If the development processes and the world surrounding us have changed during the last years, it is time to change the way we respond with security measures. While traditional audits and assessments still play an important role in the security of digital services, it is impossible to run every service and application, and every release of these, through a traditional security audit procedure. Even where it is possible, it can be overkill and a heavy process for every release. So how to respond? Our answer is to adjust the security response to match the challenge. Example activities include:

1) During development, ensure that security practices are followed and do incremental reviews
2) Hack yourself before someone else does it, and
3) Know and react when you are being hacked.

In this blog post we focus mostly on step 2.

As stated before, the traditional model of hacking yourself is to run an assessment before going live. While this is good practice, it – like any single solution – doesn't fit all. What about all the systems already live and getting constant new features, or software that went live without an assessment in the first place? As a response, we have now started a new bug bounty program:

Nixu Private Bug Bounty Program

The model is extremely simple:

1. Hire our expert team and define the digital boundaries where we are allowed to operate (this can be a single application or a network of hundreds of targets – it really doesn't matter)

2. Our expert team with proven skills starts going through the defined digital space and searches for anything a malicious actor could use.

3. Once a weakness is found and confirmed, we report it to you using the method best suited for you (e.g. your internal Jira)

4. We help you respond to the flaws by providing Nixu's competences to you. Regardless of whether you need incident response, software security support or privacy experts – we are here to help

5. And we keep on going as long as our contract holds (and there is Battery in our fridge).

How about money? This works so that there is a monthly fee (way lower than any typical assessment) and then an additional bounty for each major finding (low severity items are complimentary).

This follows the traditional model of bug bounty programs (where you authorize anyone to hack you and pay bounties to externals who find flaws in your system) with a few key differences:

1. No need to give an open hacking invitation out to the world

2. The exposure window of weaknesses in the wild is reduced

3. All findings coming in are confirmed and made by true experts – no huge number of random false positives (for example, Facebook received 16 000 reports in 2014, of which only 61 were confirmed to be high severity items).

4. There is support available for any countermeasure that may ever be needed

5. You don't pay for audits / assessments but for actual, meaningful results (OK, this is also true for public bug bounties)

This may also be a first step towards an external, open bug bounty program. And if that's your goal, we will help you get there either through this private model or directly – your call!

Happy bug hunting everyone – the season has already started!