Remember the open source adage that "given enough eyeballs, all bugs are shallow?" Well, open source hasn't quite worked out that way. Heartbleed, Shellshock, and a host of other security holes have made open source, for all its virtues, look somewhat ordinary when it comes to bugginess and security.
At least, that's one way to read the data.
According to open source business luminary and HackerOne CEO Marten Mickos, however, open source absolutely has delivered better security than its proprietary peers. Perhaps even more important, however, is how open source enables bug bounty programs launched by HackerOne and others to be dramatically more successful than they could be in a closed-source context.
I recently sat down with Mickos to delve into the still emerging world of open source, security, and bug bounties.
Better by process, not design
TechRepublic: Open source was supposed to make finding and squashing bugs easier, yet we have a host of major and minor security vulnerabilities uncovered and turned against us at a steady clip. Why has the open source model seemingly not delivered better software security than proprietary software?
Mickos: But it has! If you take the aggregate of all popular open source software, it is very, very stable and bug-free: The LAMP stack, Hadoop, Docker, Android, etc. In a comparison with closed-source alternatives, those projects fare very well on measures of robustness and security.
But we must also note that all software that's more than 10 years old grew up in a time when software security was not a key priority. When open source became mainstream, we didn't really think about how far it could go. We didn't consider the fact that soon everything of value in society would be software-powered, and a majority of that software would be open source. So, we have some catching up to do for some of those products.
SEE: Open source's "shallow bugs" theory hasn't been Shellshocked (TechRepublic)
The [open source] model would have allowed this to happen all along, but again it was us human beings who were ignorant and perhaps overly naïve. The great news is that the model allows us to fix the vulnerabilities quickly. It's not that much spoken of, but there are numerous, prolific closed-source products with severe vulnerabilities that go unfixed for years because there is just one vendor who is allowed to fix the bug, and for some reason they don't.
Putting a bounty on bugginess
TechRepublic: Okay, so let's talk about the promise of HackerOne. How do bounties eliminate or improve this problem of bugginess?
Mickos: When software is deployed in production, it always has vulnerabilities. Some vulnerabilities are the straightforward result of bugs, but some emerge without there necessarily being a bug in the code. Vulnerabilities can emerge from the linking of libraries, from deployment and configuration parameters and options, and from the logic applied in user interfaces.
Whatever you do, your live software will have some vulnerabilities. It is in your dearest interest to find them and fix them before malicious attackers find them and exploit them.
The most effective method for this is a bug bounty program. Bug bounty programs find all kinds of vulnerabilities, they find them faster than other solutions, the hunting is on-going and not happening at just one time, and the cost is a tenth of what it would be with other methods. What's best, you pay only for results, not for efforts. You pay bug hunters for valid vulnerability submissions. So, if you pay more, it is because you are getting more. For each vulnerability that gets fixed, your system is more secure. And when criminals see that you are running a bug bounty program, they will look for easier targets to break into.
SEE: Face it: Developers are becoming babies (TechRepublic)
You can orchestrate your bug bounty program yourself. But if you use a common platform like HackerOne, you get access to all of this in a turn-key fashion. The workflow is automated, the hackers are vetted and scored, payments are handled for you, and so on. As HackerOne already has over 100,000 hackers in its network, you get immediate access to a diverse group of ethical hackers.
Diversity is the key to success here. With a diverse group, all types of vulnerabilities can be found. This is a corollary to the "given enough eyeballs" wisdom.
Where's the love?
TechRepublic: Back to open source, developers were supposed to be coding for the love of it, but you're finding it advantageous to pay them to root around for bugs. Is this the only way to improve software security (i.e., to pay them)?
Mickos: There is nothing wrong in rewarding people financially for the good they do in society. That said, most hackers would hack anyhow. They are passionate about hunting vulnerabilities, and they have endless curiosity and energy. Most of them want to do good, and many are ready to hack for free on open source and nonprofit projects.
The fact that the best vulnerability submissions carry a bounty of up to tens of thousands of dollars makes this practice more advanced and professional. Our highest-earning hacker has made over $600,000 on HackerOne alone over the past two years. With that sort of opportunity to earn a good living, hackers can spend even more time honing their skills. As a result, the model becomes more powerful, and customers benefit. The average bounty is, however, just around $500, so customers get an order of magnitude more bang for the buck than if they resorted to pen testing or expensive software scanners.
TechRepublic: Even with bounties, all developers are not equal in uncovering bugs or security flaws. What are the characteristics of a strong, security-minded developer?
Mickos: The large community of hackers is like a sports league. Every kid will play soccer after school, but only few get to be a Beckham, Ronaldo, or Messi. The most important characteristic is curiosity. After that comes creativity and being able to imagine what the software developer might have been thinking. You also need energy and tenacity, because vulnerabilities can take a long time to detect. Many times, you chain more than one vulnerability together to be able to make your way into the system.
All good hackers have strong mathematical intelligence and a good dose of computer experience. Most hackers are not software developers but just security hackers, but some say that the best security hackers know not just how to break code, but also how to build it in the first place.
And finally, to be a highly productive bug hunter, it makes sense to learn how to write elegant reports that the receiving security team can quickly understand and assess.
- Face it: Developers are becoming babies (TechRepublic)
- Your enterprise needs more developers... a lot more (TechRepublic)
- Understanding the key to finding developer talent (TechRepublic)
- Open source's "shallow bugs" theory hasn't been Shellshocked (TechRepublic)
- Why it's time to stop blaming open source for ransomware attacks (TechRepublic)
Matt Asay is a veteran technology columnist who has written for CNET, ReadWrite, and other tech media. Asay has also held a variety of executive roles with leading mobile and big data software companies.