Of all the tools available to stock your app security arsenal with, we have to say — bug bounties might just be the hammer you’re looking for.
Modern application assembly bears only a passing resemblance to the historical development methodologies it inherited its DNA from, often leading to a sort of complacency when it comes to securing the dev cycle. If you determine that it is indeed time to scale your security to keep pace with your developers, consider what we at Auth0 did: we set up a bug bounty program and are already reaping the benefits.
Application development environments today more closely resemble an actual assembly line, with developers picking and choosing where to insert a pre-existing extension or module and where to build from scratch. It’s a lot like a build-your-own-bowl lunch place, where you make it your own by mixing the existing bases with just the right tasty sauce combo. Combine the conveyor belt model with a dispersed workforce of developers who may be sitting on opposite sides of a continent from one another, and you get a new and unprecedented workplace paradigm that puts collaboration front and center.
Bugcrowd is working at the forefront of this new remote paradigm, blending that collaborative spirit with a crowdsourcing model to bring a diversity of perspectives to the hunt for exploits and vulnerabilities.
What Is a Bug Bounty and Who Is Bugcrowd?
TLDR — A bug bounty is when a company or app developer rewards ethical hackers for finding and safely reporting vulnerabilities in their code. Bugcrowd is a company that provides this service through a crowdsourced security platform.
A few brief words about a word — “hacker.” If your only exposure to this word is based on media reports about data breaches, you probably have a negative image of who “hackers” are. In the world of bug bounties and app security, the word has multiple connotations. A hacker can be either good or bad: an ethical cybersecurity researcher or an unethical bad actor. The researchers used by Bugcrowd are ethical hackers, meaning they’re using their security knowledge, deep curiosity, and coding skills to help companies like Auth0 secure their digital assets.
OK, back to our story.
A bug bounty program can be implemented by any company with a software product. Whether it faces the public or not, anything written with code and connected to a network can be broken into. Offering a bounty for ethical hackers/researchers to find and document these exploits is the best way to stop bad actors from finding and, well, exploiting them later.
That’s a bug bounty in a proverbial nutshell; now on to Bugcrowd. Their unique model combines traditional pentesting with a cutting-edge crowdsourced bug bounty program to quickly and effectively locate vulnerabilities in their clients’ code. The crowdsourcing aspect is used to connect their client companies with carefully curated and vetted cybersecurity researchers from around the world who are ready to bring their individual perspectives to the project of zapping bugs.
Luke Stephens, Manager of Training and Quality Assurance for Bugcrowd, puts it like this: “Bug bounty programs aren’t just about accessing talent; they’re about understanding what your security posture looks like when a motivated adversary shows up.” By bringing ethical hackers with a variety of backgrounds and a mixed set of skills together with a singular goal, finding the backdoors attackers use to wreak havoc, Bugcrowd sets the security bar that much higher by finding the exploits before the bad guys have a chance to.
What Role Can Bug Bounties Play in Modern App Assembly?
As mentioned above, the state of modern app assembly is a far cry from the early days of software development. Rather than a piece of software being written and tested by a team of in-house developers from start to finish, today’s apps are an amalgamation of custom code integrated with pre-existing modules written by third-party providers. It’s like the way your burrito-sauce-mixed-with-sriracha creation brings out the tanginess in the adobo pork in that lunch bowl last week.
This model speeds up your development time, makes it very easy to iterate, and leads to a more familiar user experience; however, it also opens up a whole new world of security concerns. It increases the complexity of your attack surface, which now includes a constellation of third-party code and services.
Consider an app that uses an IAM solution from one provider, residing on a PaaS (platform-as-a-service) from another, with a payment system from a third. This all sits behind a custom UI written in-house. That’s four discrete code sets, multiple programming languages, and untold possibilities for vulnerabilities to slip between the code cracks. Remember the heartburn that bowl gave you last week? Yeah, that.
A bug bounty program brings together researchers from around the world, each with their own unique background and particular expertise, and turns them loose on that amalgam. Your developers know their code, but how well do they know the code used in all those modules? The range of perspectives and specializations brought by a team of crowdsourced bug bounty hunters is unparalleled and means you stand a much stronger chance of vulnerabilities and potential exploits being found before an attacker can get at them.
All of that said, bug bounties are not a one-and-done solution to all of your testing needs. A program like that offered by Bugcrowd forms one prong of a defense-in-depth approach to app security. Traditional third-party pentesting still holds a place in the pantheon of security measures, and a solid IAM solution can still find its place alongside bug bounties in a mature security program.
“Strong internal security practices and compliance need to be accompanied by active, continuous, incentivized security testing, and bug bounty programs are an effective and scalable way to achieve this.” -Luke Stephens, Manager of Training and Quality Assurance, Bugcrowd
The Business Impact of a Bug Bounty Program
ROI is king when it comes to business decisions, right? What if you could make one change to your dev ecosystem that could potentially raise ROI by 4x? Well, that’s precisely what our experience has been. Dollar for dollar, we see in the range of 3-4x as many vulnerabilities with this program as we have in the past. More bugs are found in less time and for less money. With the global average cost of a data breach in 2019 sitting at over $3.8 million USD — we think our bug bounty program is a sound investment.
Beyond the purely financial aspect, there’s a team cohesion and training aspect to setting up a bug bounty program that can’t be overlooked. People trust people, so having a living, breathing researcher document a vulnerability has a much stronger impact on the development team than an automated scan or test sequence does. And that’s how you build better security awareness into your next iteration or new product. To go back to Luke at Bugcrowd:
“Bug bounty programs provide a scalable way to not only identify risk to help the security team but to help impart security awareness to builders within our organization.” -Luke Stephens, Manager of Training and Quality Assurance, Bugcrowd
Lessons Learned From Our Ongoing Partnership With Bugcrowd
In our time working with Bugcrowd and their researchers, we’ve learned some valuable lessons around app security and the value of discovery. We’ve drilled down and come up with our top two most impactful lessons to share with you:
First and foremost, the bugs identified by Bugcrowd have been far more complex and deeply buried than anything we’ve found in our previous testing. This dovetails with the earlier point about bug bounty programs finding 3-4x more vulnerabilities per dollar spent.
Second, be ready. You should expect to see a significant increase in the number of vulnerabilities discovered compared to before the program. That means you need to be sure your security team is ready to triage and mitigate those vulnerabilities, so you ensure they’re dealt with before a malicious actor can exploit them.
Both of these lessons are reciprocal. We’ve learned a lot about our product, and by having the resources to address issues quickly, we’ve shown the Bugcrowd researchers that we’re responsive and how highly we value the work they do.
Auth0 Senior Manager of Product Security, Marcin Hoppe, sums it up succinctly:
“We don’t control what types of vulnerabilities bug hunters are looking for, and they might be looking for things we have not included or prioritized in our own security testing efforts. This gives us a chance of getting reports of vulnerabilities we might have otherwise missed.”
What Does the Future Hold for Bug Bounty Programs?
Though relatively new to the security scene, official bug bounty programs are seeing a high adoption rate across industries. That’s right; bug bounties aren’t just for the tech sector. According to a report from Bugcrowd themselves, 2019 saw an increase of 29% in the number of bug bounty programs launched, along with a 50% increase in public programs. Leading the way were the financial (71%) and retail (50%) sectors, with healthcare (41%) coming in third.
With platforms like Bugcrowd showing the way to proactively seek out, document, and mitigate potential vulnerabilities before they cost the company millions of dollars — that trajectory shows no signs of slowing down. By answering the formerly unanswerable question, “what is a vulnerability worth?” bug bounty programs are providing a new peace of mind for today’s app devs.
Auth0 and Bugcrowd: A Security Partnership That Works
Here at Auth0, security is what we do. By partnering with Bugcrowd, we found added peace of mind, further tightened our security perimeter, and have sped up the resolution process when a vulnerability is discovered.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Duncan Godfrey
Sr. Director of Security and Compliance