Embracing the Hackers
Engaging in Penetration Testers to gauge the security of existing online services has become a standard practice in our industry in Switzerland. Established services and new offerings are tested alike in order to uncover hidden bugs or to raise awareness of security problems that often go unnoticed with management or developers.
But of course, there is more to security than only a pen-testing contract from time to time. It has to be part of a comprehensive application security program together with other elements. Yet some of the standard elements of successful security programs are missing across the board in the Swiss context: It’s Bug Bounties and related initiatives that very few companies are using as tools in their security programs.
I think it is typically Swiss to take penetration testers under contract and have them attack dedicated systems after a detailed scoping workshop. Yet people lack the trust and self-confidence it takes to open up and to allow anonymous security researchers to attack productive services to complement the picture.
That self-confidence is rare around here. That’s why bug bounties are rare in Switzerland and this leads to several problems:
- Security issues are going undetected
- Researchers discovering security issues have no way to report them in a legally sound way
- There is a a lack of engagement of IT companies with the wider security community and companies are likely out of touch with bleeding edge security developments
- Recruitment opportunities are being missed
- Excessive money is spent on security with a far smaller return on investment
I am not advocating the replacing of penetration testing with cheaper bug bounties. Far from it. Running a bug bounty program on a system you have not tested thoroughly by other means is likely to lead to disaster and embarrassment.
Bug bounties are meant to uncover additional problems after you have looked everywhere you can think of. When you have exhausted your standard means of security assurance and you think you are done. This is when bug bounty hunters come in and leave no stone unturned. As it happens, these are also the dark corners of your application that attackers will be looking at and what’s better than a security vulnerability disclosed to you before an attacker discovers it?
So the big internet companies all have their bug bounty programs, but only Swisscom has a similar permanent offering in Switzerland. But we see some movement now.: Regulators are actively pushing for more openness in the development process, red teams are being formed and several Swiss companies are actively considering to launch Bug Bounty programs themselves. It is a big shift in corporate policies: We are seeing Swiss companies starting to embrace the hackers!
We think this is a very useful development and it is so strong and so important that we have chosen “Embracing the Hackers” as our motto for Swiss Cyber Storm 2019.
“Embracing the Hackers” also means that we leave the meta-discussions and conceptual talks of the “Trust” theme of 2018 behind and dig deeper into the systems, getting our fingers dirty with the code and thus closer to where the bugs are hidden.
After all, it’s bugs that spice up the security game and it’s bugs that bring down bold programs.
When the Federal Chancellery updated the regulation for E-Voting – or online voting if you will – they added relatively benign checkbox that a fully blown E-Voting system would need to publish it’s source code before being admitted to Federal Votes. Additionally, a political initiative from the national parliament lead to the inclusion of a limited public intrusion test into he regulation. Both items were meant to be little additions to complete the certification process, mostly imposed to raise the transparency and in consequence the public trust in the systems. You see the concept here.
Yet in the case of Swiss Post, this is not how it played out. The source code was published in February, closely followed by the announcement of a separate public intrusion program maxing out at a top bounty of 50’000 CHF. This brought global attention to both programs and within weeks, several teams were picking apart the source code of Scytl, the Spanish partner of Swiss Post. This lead to three major findings that proved that the Swiss Post E-Voting system was not meeting the Swiss regulation as is. The media outcry was so loud, few people noticed that despite the bad quality of the source code, none of the attackers was able to actually exploit the Swiss Post systems which is an interesting twist to this partnership between a Spanish development company and a Swiss operator.
But whatever. What we can learn here is, that not the formal review process and the costly audits lead to the discovery of the fundamental security problems in the Swiss Post E-Voting system. Instead, it was the publication of the source code, the bigger transparency and the bug bounty program that attracted hundreds of researchers.
So the openness and engagement with the wider security research community brought immediate results. And there is one researcher that made a name for herself, with her team discovering no less than three fundamental bugs in the Scytl code. She is Sarah Jamie Lewis, the executive director of Open Privacy in Canada. And we are very happy to announce her as a speaker for Swiss Cyber Storm 2019.
Sarah Jamie Lewis is an outspoken critic of big tech, a privacy activist and author of the book “Queer Privacy”. She has made a career as penetration tester and security auditor, she maintains the “OnionScan” Tor scanner and has a big interest in cryptography. That’s how she got hooked up on the Scytl E-Voting source code and literally spent days and nights for several weeks digging down into the rabbit hole. And while she maintains she and her team only scratched the surface, it was enough to stop Swiss Post from offering E-Voting for the national vote next Sunday.
Swiss Cyber Storm 2019 will happen on October 15, 2019 in Bern. Please join us to see Sarah Jamie Lewis and many, many other speakers. The early bird sale is open.