Security breaches can lead to damage to a business’s finances, operations and reputation. What many companies might fear most is the latter: damage to their reputation.

This may explain why 65% of organizations want to be seen as infallible, as per a recent HackerOne survey. Meanwhile, 64% maintain a culture of security through obscurity, and 38% aren’t open about their cybersecurity practices at all. The continued practice of security through obscurity is harmful. When a group denies vulnerability and does not seek help, it leaves the door open for damaging attacks. Still, it’s not easy to open up about your weaknesses. So, where does this leave the ethical hacker? They may become the target of a criminal investigation.

The truth is that attackers could breach any company on earth. Still, business leaders are like any other human being. It’s hard for us to admit our weaknesses. In the corporate world, this refusal to admit vulnerability may be pathologic. Only 12% of those surveyed have departments (outside of security and IT) that make cyber awareness and training a core focus, according to the survey. And only 29% of boards get “deeply involved” in cybersecurity strategy. None of this helps fix the problem of weak security. It’s key that business leaders know the risks. Also, teamwork through vulnerability reporting helps others to improve their security posture as well. But none of this happens if you don’t look under the hood.

Are Ethical Hackers the Cure?

Ethical hacking involves an authorized attempt to gain unauthorized access to a computer system, app or data. This can mean copying the strategies and actions of malicious attackers. Ethical hacking helps find security vulnerabilities, which the team can then fix before a threat actor has the chance to exploit them. On the surface, this sounds like a good thing.

But many companies are reluctant to work with ethical hackers. Even if these hackers are part of an internal team, management might force them to work in obscurity. A full 67% of those surveyed said they prefer to accept software vulnerabilities rather than work with hackers.

Why do companies resist this type of scrutiny? On one hand, many believe fixing security flaws hampers innovation or hurts operations. In fact, due to pressure to deliver products faster, 81% of developers at large organizations admit to knowingly releasing vulnerable applications. So, are bug bounty programs worth it? It depends on the details. If the bounty hunters discover and remedy a major vulnerability, that’s a good thing. Still, a company should seek advice from legal when crafting a program. The last thing anyone wants is a weak set of terms and conditions through which a hired offensive security tester could stray (by mistake or on purpose) and target out-of-bounds systems.

Don’t Do Me Any Favors

Consider the case of the St. Louis Post-Dispatch exposing a problem at the Missouri Department of Elementary and Secondary Education. It turns out the agency’s website had displayed over 100,000 Social Security numbers for school teachers, administrators and counselors in its HTML source code. The reporters informed the agency of the blunder before releasing the story, which gave the school plenty of time to take the pages down. The result? Missouri Governor Mike Parson launched a criminal investigation of the reporter behind the story. As we said earlier, nobody likes to have their weakness exposed. Was it ethical hacking to protect personal information? Or did the reporter launch a political hit job?

Remove Security Obscurity

Each organization must accept the level of risk involved on both ends: that is, the risk of security breach versus the risk of ethical hacking assistance. HackerOne believes the risk of undiscovered vulnerability is much higher.
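The Missouri case above turned on data sitting in page source rather than on the rendered page. As an added example (written for this page, not code from the article, HackerOne or the agency), here is a pre-release check that parses HTML and reports SSN-shaped values by where they sit, so leaks hidden in comments, attributes or script bodies show up before publication. The sample markup is constructed.

```python
import re
from html.parser import HTMLParser

# 123-45-6789 shape; the sample markup below is constructed, not real data.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

class SourceLeakScanner(HTMLParser):
    """Records SSN-shaped values with where they sit: rendered text,
    a comment, a tag attribute, or a script/style body."""
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (location, value)
        self._in_raw = False    # inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._in_raw = True
        for name, value in attrs:  # hidden inputs, data-* attributes, etc.
            for hit in SSN_RE.findall(value or ""):
                self.findings.append((f"attr {tag}[{name}]", hit))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_raw = False

    def handle_data(self, data):
        where = "script/style" if self._in_raw else "text"
        for hit in SSN_RE.findall(data):
            self.findings.append((where, hit))

    def handle_comment(self, data):
        for hit in SSN_RE.findall(data):
            self.findings.append(("comment", hit))

def scan_html(html):
    """Return every (location, value) pair found in the page source."""
    scanner = SourceLeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def hidden_only(findings):
    """Only the hits a visitor would never see on the rendered page."""
    return [f for f in findings if f[0] != "text"]

# Constructed sample: nothing sensitive is rendered, yet three values sit in the source.
SAMPLE = """<html><body><!-- staff export: 123-45-6789 -->
<div class="card" data-ssn="987-65-4321">Jane Doe, Counselor</div>
<script>var staff = {"ssn": "111-22-3333"};</script>
<p>Contact: 555-1234</p></body></html>"""
```

Calling `hidden_only(scan_html(SAMPLE))` returns all three values with their locations, while the phone-like number in the visible paragraph is ignored.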