Transcript of interview with Tobias Ospelt and Raphaël Arrouas
Two weeks ago we ran our second SCS in a nutshell online interview , that we also published as a podcast under this name. This blog posts brings you a few strong take-aways and further down below the complete transcript of the interview.
Our guests were penetration tester Tobias Ospelt from Pentagrid and freelance bug bounty hunter Raphaël Arrouas. Both have a background in pentesting, but Raphaël decided to quite his job and work on his own schedule as a professional bounty hunter in Switzerland.
I used to think competing with other bounty hunters globally would be very tough because of the high costs of living in Switzerland. Yet more and more programs pop up in Switzerland and there seems to be a strong interested in local bounty hunters. So Raphaël is being invited to many private programs. Working as a freelance can be hard at times, yet it also brings a lot of flexibility:
“You need to stay focused, you need to stay organized. Sometimes it’s really hard, but this flexibility is quite good, because it helps me have time to take care of my family.”
— Raphaël Arrouas, bug bounty hunter
We are maybe witnessing a golden period for bounty hunting in Switzerland. But Tobi was quick to point out it might be followed by a hangover once the number of bounty hunter explodes and the bounties come down.
That put aside, what’s in for the companies? It seems that security reports from a bug bounty program tend to be handled differently. The processes get streamlined, the findings reach the developers faster, issues are more likely to be resolved. But we could not really pinpoint why that was the case. Maybe it is the start of a new program that initiates a cultural change. Tobias Ospelt did a very good job describing a modern penetration test and it seems it is all there already. Companies just need to make good use of it.
“If you order a penetration test, but you’re not after the risks, and you don’t want to fix them, then why do you do them at all? That’s like buying a gym subscription at the beginning of the year, and then not going to the gym, right?”
— Tobias Ospelt, penetration tester
So it may sound like the two methods / business models lead to very similar results. Yet both guests agreed that penetration testing should come first, mainly because it is easier to control.
If you’ve never done pentesting, I think it’s probably a very bad idea to start a bug bounty program.”
— Tobias Ospelt, penetration tester
Raphaël went on to explain that private bug bounty programs are evolving rapidly and that there are ways to start with a bug bounty program directly if you know what you are doing.
For a bug bounty hunter like Raphaël, the Swiss criminal law is a real hreat. You would expect this to be less of a problem for a pen-tester like Tobias, who works on a written contract with his customers. Yet Tobias said he was not sure his company would protect him when things went South and he made a major mistake on a job. Raphaël explained that the Swiss criminal law – paragraphs 143bis and 144 – simply does not acknowledge the existence of good faith security researchers.
“I’d say that the Swiss law is insufficient when it comes to good faith security researchers (…) if the company pursues a charge against you for intrusion, if you did the intrusion and it was in good faith and you did nothing and you have contacted the company and so on, well you can get into trouble.”
— Raphaël Arrouas, bug bounty hunter
We’ll see if this can be resolved in the longer run. Changing the criminal law is probably more difficult than killing the Swiss law on EID in a popular vote.
Please find the full transcript of the interview below.
Christian Folini and Adriana Cantaluppi
This is a transcript of the interview “Swiss Cyber Storm in a nutshell”, streamed on Youtube on February 24th, 2021.
Dr. Christian Folini: Welcome to Swiss Cyber storm in nutshell, the program where we talk about security topics from a Swiss perspective. Our guests today are, on my left penetration tester, Tobi Ospelt, founder of Pentagrid, a small pentesting gig up in Grisons and on my right Raphaël Arrouas, a successful freelance bounty hunter, who came here for our talk today.
My guests have a lot in common. They are both expats living in Switzerland. Tobias grew up in Liechtenstein, and Raphael has a French passport. Both were employed for several years as penetration testers, and they both decided [that] they no longer want to do this. For Tobias the response was to fund his own penetration testing company, to be his own boss, and Raphaël went fully professional as a bug bounty hunter.
Tobi, before we want to dive right in, I want to say that I have a stake in this because I’m in close contact with one of the bug bounty companies in Switzerland. But that’s not the reason we’re doing this here. The reason is, this is an important topic. And I’ve invited two experts here to talk about the differences and the similarities between penetration testing and bug bounty hunting. So Tobias, do you get the feeling that Raphaël is eating your cake? Is he taking away your business? How’s it working right now?
Tobias Ospelt: Hi, Christian. No, I don’t think so. I think bug bounty hunting and penetration testing are two not totally different things, but two things that have very different rules and very different environments. And not only rules in the technical sense, and what you’re allowed to do, like the scope and so on, but also in the economic part. And that’s why we’re going to talk about it because it’s not the same, right? I think penetration testing has been around for a longer time and it also provides often more context, that’s at least my opinion. You can also get a lot of security consulting with the penetration test. So, you can get, I would say, more information around your bugs whereas bug bounty is more focused on single bugs, usually. So just a small example what we usually provide: if we have two bugs, and they’re low severity, but they play together, you can get a high risk bug, right? And the more you get to know a company, and the more pentests you do, the more you build up a security knowledge about the company, the environment and everything and you can provide services. So, I think there’s an added service to penetration testing. And I also think there’s plenty of bugs out there, that have to be found yet.
Dr. Christian Folini: There are enough bugs for everybody.
Tobias Ospelt: There are enough bugs for everyone. And then, I think that you need a higher security maturity, to do or to have a bug bounty program at all. I mean, for small companies, that’s not possible to do a bug bounty program. And if you’ve never done pentesting, I think it’s probably a very bad idea to start a bug bounty program.
Dr. Christian Folini: At the start? Okay, yes.
Tobias Ospelt: I think it’s really good to get a very large scope. But then also this large scope. I mean, pentesting can also be internal pentesting, at internal network. And how you provide that, in a bug bounty group program will be hard. How do you provide access to everyone to your internal network? Do you want to do that? And here is the last factor in that: trust. You can trust bug bounty hunters but how bug bounties are set up, it is made for everyone. So, you have to trust everyone, which is not that easy, right? So, you have to be really sure with your own security, to be able to stand there and say, “Everyone is allowed to hack me because I’m pretty good already”. So, I think when you invite the pentester, you get a better opinion and you can also do with the report whatever you want, and you can use it however you want, and you are in charge. Whereas for bug bounties, you can set your own rules – that is also another topic we need to talk about probably-, but it also means that somebody else outside your trust zone might have knowledge about your security bugs, and you have to be prepared for that. You have to think about that. You have to be ready for that.
Dr. Christian Folini: Okay, this penetration testing thing sounds like a very, very good thing.
Tobias Ospelt: Yes.
Dr. Christian Folini: That was good advertising. Raphaël, what can you bring to the table what he cannot? Do you see an additional value, while he says it’s complimentary?
Raphaël Arrouas: Well, first of all, most of what he said of course is true. But this mainly applies to public bug bounty programs. Because nowadays, I would say that 80% of all bug bounty programs are private and use vetted, selected researchers. And so, you might have more flexibility with your rules, and even give some access, some accounts on scopes that need to be audited. It is true that for maturity, it is better to do penetration tests beforehand. However, you know you have new options in bug bounty programs, where you can have bug bounty programs for a limited time, and a cut level of bounties that you wish to award. So, these concerns can be resolved with private bug bounty programs. And I think that although penetration tests bring consultancy to the table, bug bounty hunting brings flexibility on the table, because you are more flexible. For example, let’s say you want to retest a vulnerability, after you have submitted a penetration test. Then in most cases you would need to sign a new contract with the penetration testing company. And with the bug bounty hunting as there’s virtually no bounding contract, then you can just ask the researchers, “Okay, can you retest this for me? And maybe you will have an additional bounty if you managed to bypass my fixed”. So, there were times where I bypassed a fixed three times, because the fix wasn’t sufficient. And so, I guess that penetration testing brings more consultancy, for example, in a penetration test. Then you are able to indicate the remediation after you find a vulnerability, because you can spend time on the recommendation of libraries, of applications, and you may propose a remediation fix for the vulnerabilities you find. But in bug bounty programs, you will be able to spend time on verifying the fix. And also there is more flexibility as it’s not limited in time, potentially, so you may have continuous operational security.
Dr. Christian Folini: Yes, it’s certainly a main difference.
Tobias Ospelt: I think, though, you can also get all that flexibility in pentesting. I think, in the end it’s just a contract and some rules on what you agree on. I mean, we have customers that just buy certain days per year, or something like that, or a rolling release. So, we can always do the retesting as well. And that’s also a standard procedure on our site.
Dr. Christian Folini: But now, if I can do both with each of the options, why would I ever do the two.
Tobias Ospelt: I mean, that’s where I think pentesting and bug bounty hunting are very similar. At the end, if you do all the technical rules, and the rules about engagement and scope, and you are really rotating them as you want, then I think you get both sides of the same. But bug bounty has the economic twist, right? It has another rule of economics.
Dr. Christian Folini: So, from a company perspective, it can look relatively similar, but for the person conducting it, it’s a whole different ballgame, isn’t it?
Tobias Ospelt: Yes, but also for the company it can be very different. If you pay for every bug that is critical, you have to pay for every bug that is critical. If your security posture is not good and you probably pay for one pentest and you get five critical findings, that’s maybe better economic wise than having a bug bounty.
Dr. Christian Folini: Okay, so you will conclude, or would you agree that first do a pentesting thing before you start out with a bug bounty program? Is that the standard procedure?
Raphaël Arrouas: Yes, but the thing is that, as you mentioned, you only pay for bug bounty. You only pay your reward if there is a bug, so you never pay anything if there was no bug at all. With a penetration test, you pay a fixed fee for a number of days. So, there’s also more flexibility in this aspect. If you’re more or less confident about your security posture, then you shouldn’t be paying much at all.
Tobias Ospelt: You can call me old school, but I think somebody who works and puts time should get paid for his work and the time he invests. So, this is the economic twist I am talking about. Bug bounty hunting will be done as long as it’s economic for either side, right? And the question is always it can’t be economic for both sides, right?
Dr. Christian Folini: Yes. But that is the same about penetration testing, if it’s only financial then I’d say penetration testing will continue as long as compliance needs penetration testing. Who cares about the findings?
Tobias Ospelt: Well, definitely. But that’s another thing, right? Compliance and doing the fixing it’s two completely different things apart. Regarding compliance you are right, there are regulations by now that just make it mandatory to do penetration testing. You don’t have to fix anything usually, maybe you have to, I don’t know all these regulation by heart.
Dr. Christian Folini: It really depends. But the tendency is, and what we are seeing in the industry is people are not fixing discovered vulnerabilities after penetration tests. And I personally get the feeling there is a higher tendency of fixing bug bounty bugs, because they cost money. Every bug costs money, and there is the contract that costs or the report as a whole, no matter how many findings you got.
Tobias Ospelt: Then I think you see a different part of the industry than I do.
Dr. Christian Folini: I’m sure I do.
Tobias Ospelt: Because I do think we work with a lot of companies that really want to improve their security. Maybe we’re not the standard compliance …
Dr. Christian Folini: You only have the best customers of course. I’m sure of that.
Tobias Ospelt: Well, we try. Of course, what we sell is what the customer wants, and we find the customers that fit our way of working. And we really want to improve security at our customer’s company. I mean, maybe there are other businesses, right? There are other goals…
Raphaël Arrouas: It’s true. But when you work as a bounty hunter, often the person you discuss with has a technical background. And often in penetration testing, well, it really depends on who you discuss with, but sometimes the person you talk with has more of a managerial background.
Dr. Christian Folini: It’s closer to the business isn’t it? In general…
Raphaël Arrouas: Yes, and I mean, technically, if you speak to a technical person, then the person will instantly get what you mean, when you say “Okay, this vulnerability here is critical, here is why.” And the manager may not consider it the same way. And so, the vulnerabilities may be handled differently in a bug bounty reporting and in a penetration testing.
Dr. Christian Folini: This is also what I’m seeing: the channel into the company is different and the life of the vulnerability or the report is different inside the company. And one tends to go unnoticed. And the other one is right at, at the real level.
Tobias Ospelt: But then that’s more a problem of the company. I mean, that’s like buying a gym subscription at the beginning of the year, and then not going to the gym, right?
Dr. Christian Folini: Yes, that has a lot in common.
Tobias Ospelt: In the end, if you order a penetration test, but you’re not after the risks, and you don’t want to fix them, then why do you do them at all?
Dr. Christian Folini: For compliance.
Tobias Ospelt: That might very well be, but that’s a very big missed opportunity in my opinion. Because you can just do both at the same time with one penetration test, right? You can get the compliance, but you can also improve your security.
Dr. Christian Folini: Okay. Pushing my point a bit further, I mean I’ve read penetration reports, I guess from most Swiss penetration testing companies. They’re good, or they’re not so good. Most of them are quite of good quality. And they come into the company and then people hire me to read them for them, because maybe they don’t understand them or some of the findings. They like “Christian: could you help us mitigate this?” And it is a Word document or a PDF very often. And then there are piles of these, and I have rarely seen people taking them feeding into JIRA directly: “we’re tracking them from now, we’re never forgetting again. And if a new penetration testing finds the same bug over again, we can identify it in the JIRA”. We have spent days trying to match different items. Is this the same? Or is something different? It’s the same codebase, but different service, stuff like that. While it’s very natural for a bug bounty program to use an API from a given platform, it feeds right into JIRA, triage to the right person. So, this thing is much more proficient more professional, there is a process behind it. So, this whole penetration is indeed very old school, I have to say…
Tobias Ospelt: It is not old school at all, if you hire the right company. Because right from the start from our company, our reports are also delivered as a CSV file for JIRA import.
Dr. Christian Folini: Okay!
Tobias Ospelt: Funny you mentioned it because that’s what we get. We have fully parsable reports and you get a PDF and an Excel file and JIRA.
Dr. Christian Folini: That sounds cool. So, that is now a standard for penetration test.
Tobias Ospelt: Yes. But that’s also what we try, right? For me as a founder of a penetration testing company I want to get these risks addressed for my clients. I mean, in the end, it’s their risks, not mine. But I want to try to get them to understand them and be able to do something about it. And we try to get as close to the developers as possible. We reached that with different things. For example, as you said, there are managers sometimes in the penetration testing area. Well, we don’t have them. We, every one of us, does the offering part, the management part, the technical part, reporting part…
Dr. Christian Folini: But your customer is a manager very often, isn’t it?
Tobias Ospelt: Yes. And we have to like make them understand as well. And it’s very hard, but usually our customers are managers, that’s correct but what we try to do is also get down to the developer level and talk to them directly.
Dr. Christian Folini: And ideally, you get to do that.
Tobias Ospelt: And that’s where the security consulting comes in. Sometimes, my job is not even to tell the customer “Okay, there’s this high critical finding” but just to tell, “Hey, by the way, your developer told me this, this and that. Do you know about that?” And the manager says “No, I don’t.” So, it’s more a big communication thing that is still problematic.
Dr. Christian Folini: It’s all about communication in the end.
Tobias Ospelt: Bug bounty I think is doing a better job of saying “You need to do things like this, so it’s proper, so the things get addressed.” But I think you can also do a bug bounty program where this all doesn’t apply. If you do your rules, you can have a “Won’Fix” in your in your rules, right? You can have, you can even pay bugs and say every other bug that is coming in, and is the same, is a duplicate, right?
Raphaël Arrouas: It is true, but it’s where the platforms come into action. I mean, the triagers they have lots to do building the bridge between bug bounty hunters and a company.
Dr. Christian Folini: If you are working with a third-party platform provider that links the program and the hunter. Okay, so they play an important role here and they are not existing in the pentesting world?
Raphaël Arrouas: Well, yes and also there is an old thing, it’s that when you report a bug, you have to justify the impact. So, you have to wonder what the business angle of the vulnerability is, how it will hit the business, if it’s exploited. So, you need to have some business sense when you report a vulnerability.
Dr. Christian Folini: So, you have an incentive to describe the bug very clearly, so it is understood by the other company, because if you’re not, you’re not going to be paid while he is being paid anyway. And he’s just doing a good job if he’s providing the service, but his contract is already established.
Tobias Ospelt: Yes. But then on the other hand, if I think of one project that’s small budget thing, just one penetration test, and then of course, I think it all comes down to people and communication, right? If you have the right people on the penetration testing site, they can provide you as much value as you can get with bug bounty programs. And it’s the same also for companies, I think a lot of companies don’t have people who are able to parse pentest reports, or don’t have the power to do something about it. And I think bug bounty is really cool, because you got the visibility of the managers.
Dr. Christian Folini: Exactly, and that is the point, they don’t have the power to make it happen. So, the vulnerability is known and it’s lingering around. Well, as soon as a bug bounty guy reports it, then “hey, this is costing money. If we’re not fixing it, the next guy is going to report it”.
Raphaël Arrouas: And the triager can help also.
Dr. Christian Folini: I think that’s an interesting difference and that is one that I’ve observed as well. It may be the same vulnerability, the treatment has to be exactly the same, ideally is the same process, but it has a different color or a different framing into it from where it’s coming from.
Tobias Ospelt: Yes, but then that’s more like of ideology thing, right? That’s because maybe bug bounty programs have visibility at the moment. I mean,
Dr. Christian Folini: They’re all the rage now, this is now fashionable.
Raphaël Arrouas: I mean, they have visibility because they have evolved a lot, because a lot of concerns that were historically attributed to bug bounty programs are starting to disappear, because now there are private programs. Now the researchers have been selected. Now there are triagers that help companies interpret reports.
Dr. Christian Folini: So, you see more maturity in bug bounty programs?
Raphaël Arrouas: Yes, and there are better metrics also in terms of critical vulnerabilities found, in terms of how many reports are valid. The statistics are improving all the time, because the platforms also improve the algorithms. And I would say that bug bounty is evolving rapidly and also spreading a lot in Europe.
Dr. Christian Folini: So, you would say you’re adding more and more value with this?
Raphaël Arrouas: Yes.
Dr. Christian Folini: And eventually even helping his vulnerabilities being fixed, because new processes are being set up. And then everybody profits there and as you said and it’s a big market anyway.
Raphaël Arrouas: It’s a very big market. But we need to be scalable because there are more and more cyber-attacks. I mean, the Swiss NCSC has shown that there are 200 cyber-attacks in Switzerland every week. And so, we need to address a lot of Swiss companies and I think that bug bounty hunting can bring this capability also.
Dr. Christian Folini: That’s a good point. You mentioned National Cybersecurity Center. Only on Monday, they said they want to get involved in bug bounty hunting, or at least in a Swiss platform. I quote “a strategic interest in a Swiss bug bounty platform” which I think is quite significant. Last week, the Federal Council responded to a parliamentary postulate from National Council Judith Bellaïche, who asked for government or administration getting involved in the bug bounty programs. Federal Council said yes, that’s exactly our plan. Today, the announcement NZZ bringing a whole page coverage about bug bounty programs, so there is something happening here. It seems to be fashionable, companies are more and more expected to do this. On the other hand, Kate Missouri’s – often been called Queen of bug bounty hunting – she calls this “bug bounty Botox”. So, everybody’s doing a bit of bug bounty hunting now. And then if something bad really happens, it is “Hey, we’ve been doing bug bounty hunting, so what’s wrong? So, we did it all”, so is this a treadmill that just continues to bring up more vulnerabilities? Let’s try to fix them or not. And we continue, as we’ve been doing with penetration testing for 10 – 15 years, or is this really a new development? Raphaël, you have said you’re adding more and more value and the programs are more mature now?
Raphaël Arrouas: Yes, certainly. I think in Europe, we were a bit late to adopt bug bounty hunting.
Dr. Christian Folini: Certainly in Switzerland.
Raphaël Arrouas: Yes. But when penetration testings first started, companies were like “What? Are we supposed to pay a hacker to hack into our company?” And nowadays, it’s everywhere. And it’s quite the same with bug bounty hunting, I would say. The same concerns apply and in two or three years, it will be spread…
Dr. Christian Folini: And standard.
Raphaël Arrouas: Yeah, it will be a standard. Yes.
Dr. Christian Folini: Okay.
Tobias Ospelt: And you will probably also get the compliance bug bounty program you do for compliance.
Dr. Christian Folini: Yes. I mean, I remember Tanya Janca, a presenter at Swiss Cyber Storm, she said “Look, a bug bounty program is one of the elements of a security program for your company. And if you’re not having this, you’re missing something.” And it has its role.
Tobias Ospelt: I think it has its role especially for larger companies, I think for medium and small sized companies, they have different problems. And I think they’re way better off with pentest because they also get the consulting part.
Dr. Christian Folini: I mean, you need to be able to read the report. And the bounty hunter will be extremely disappointed if they’re not getting qualified feedback. And then you get the reputation of running a bad program, and then no hunter is interested in your program.
Let’s touch on something different. I’d like to know a bit: We’ve seen differences within the same thing. How do you guys work on a day-to-day basis? You do your contracts, you read your scopes. But then how do you go about? I mean, you Tobi probably by now have to cover OWASP standards for penetration testing to give you a comprehensive look. While I imagine you Raphaël, you can do cherry picking, you can pick what you want to do, the vulnerabilities that you think are interesting, while as you Tobi, you have to do all the boring stuff.
Tobias Ospelt: I wouldn’t say it’s boring. No, no, no. So, and that’s also one good thing about having your own company, right? You can choose what you do – it helps as well, yes. So, of course when it comes to I would say technically more interesting stuff I think it’s not different, because you will usually get for penetration testing, the scope will usually also be modern stuff, because that’s what companies want to look at.
Dr. Christian Folini: They want to test a new development.
Tobias Ospelt: Exactly, yes. And so, you have to know similar things as bug bounty hunters, right? But I think you can specialize a little bit more in bug bounty hunting probably. Would you agree?
Raphaël Arrouas: I mean, bug bounty hunting is really interesting because we can focus sometimes on legacy servers. Sometimes there is this requirement in penetration testing where everything new has to be pentested, but the risk is on legacy systems most often. So, I would say that bug bounty hunting also allows to have a go at legacy systems and sometimes it gives the necessary push to have these systems decommissioned or patched.
Dr. Christian Folini: Okay. Could I conclude that you are really economically driven when you’re going to look that you expect to find vulnerabilities? And Tobi is probably more where the contract says he has to be looking, could you say so?
Raphaël Arrouas: I’m not uniquely economically driven. Because I also, for example, I also want to invest time, particularly in European bounty programs and in Swiss bounty programs, because that’s where I live, obviously. So, in a sense, there is also a choice what programs we want to hunt on, and I really like working in Swiss programs, for example.
Dr. Christian Folini: So you could be working for Apple, where there is probably more competition, but also more fame. But you choose to also work on smaller Swiss programs, where there is less international fame, because you think it’s the right thing to do and it’s nice to talk to locals.
Raphaël Arrouas: Yes, absolutely. I think it’s important. It’s important also for our reputation here in Switzerland. And I really appreciate helping local companies. For example, last time I reported a vulnerability that was not on a bug bounty program. I ordered pizza on a website, and it had a Remote Command Execution vulnerability. So, I just helped the company, I did not exploit it. I just found it by watching the website and then just reported the vulnerability to the company.
Dr. Christian Folini: It looked vulnerable.
Raphaël Arrouas: It looked really vulnerable.
Dr. Christian Folini: And it was not the ananas on the pizza.
Raphaël Arrouas: No. No, I really want to help local companies and it’s very interesting, because the bug bounty offer has started to grow in Switzerland as well.
Dr. Christian Folini: Yeah, I think there are now really popping up.
Tobias Ospelt: I will also want to pick up your point about us not being able to choose. I also think that’s the wrong view on penetration testing, because with a good penetration test, you usually get this people in early and you say like, “Look, we have the idea to test this.” But they will tell you “Well, have you thought about this interface? Have you thought about legacy systems? Have you thought about this and that?”, and then you probably set the scope. So there’s a lot of risk modelling.
Dr. Christian Folini: So, scope is a conversation for a pentesting company and with bounty hunting it is much more given?
Raphaël Arrouas: It can be a conversation as well, because sometimes you get a good relationship with the program owners. And so, they are more confident to increase the scope, because there is some kind of trust relationship that has been going on.
Dr. Christian Folini: So, the longer you work together, the more you have mutual trust…
Raphaël Arrouas: And what programs usually do they start with a small scope, and then they increase the scope until they have all of his infrastructure in the scope. So, I would say that the scope grows as well.
Dr. Christian Folini: Yes, that makes a lot of sense, I guess. I mean, you try this out, you get growing confidence. And then you give them more access and more permissions. Yes, good. But coming back to tooling questions. So, you hack away with Curl or…?
Tobias Ospelt: Yes, I’m working with curl or I mean, obviously, when you use HTTP, anything HP related, you come across Burp, right?
Dr. Christian Folini: Okay, that is your tool of choice?
Tobias Ospelt: For web stuff or for web connections, let’s put it that way, yes. But I mean, in our field, everything can be important, so at least one scripting language and so on. We write a lot of Python tools. We have our own tools as well.
Dr. Christian Folini: Okay, so that is then a specialty of your company, these tools?
Tobias Ospelt: Yes. But we usually publish them. I think in the penetration testing world, it’s very good that people work together and publish and write blog posts and to share their tools…
Dr. Christian Folini: That sounds very open source.
Tobias Ospelt: Yes. In most parts, I would say the old hacker culture of sharing knowledge is still present. Because we don’t rely on the bugs to be only found by us, right? I think that’s one good thing about penetration testing, that we don’t have to hide our tools or our knowledge, so nobody else can cash in bugs.
Raphaël Arrouas: It depends on penetration testing companies. All companies do this, so it’s a good thing if you do it, of course.
Dr. Christian Folini: What tools are you using?
Raphaël Arrouas: I’m using quite the same arsenal. I’m using mostly Burp Suite. I do mostly manual analysis, because I don’t want to break anything. It really depends. But most of the time, I’m doing manual analysis with Burp Suite and other tools that I can develop.
Dr. Christian Folini: So, it’s not like you run a scanner, you go drink a coffee or two, and then you come back, and then you have five findings, and then you dig deeper?
Raphaël Arrouas: Well, everyone has his own methods.
Dr. Christian Folini: Yes, but what is yours?
Raphaël Arrouas: So usually it’s funny, because after a few years in information security, you get a feeling that a website is pretty safe or not safe at all. And so, you’re going to focus on the website first, that is not safe at all. It’s true that it can seem like you’re cherry picking, but in the end, all the vulnerabilities will probably be found. And also, it’s important to find the easier of vulnerabilities first, because those are the ones that are the most likely to be exploited by attackers in real life conditions. So, I mean, you can call this cherry picking, or you can call this you focus on what’s exploitable easily first, and then you dig deeper…
Dr. Christian Folini: That’s a more positive way of framing it. But, that’s good. And then you do manual analysis. And then as you move on…, okay.
I mean, you don’t have to provide a comprehensive view. And I think that is a difference between people are asking you Tobi “Find us everything here”. And you, Raphaël, kind of have to find more or less.
Tobias Ospelt: Yes, but it’s also very interesting. I mean, we get customers from all kinds of industries. So, we have medical devices, we have car entertainment systems, we have ATMs, we have everything really that is somehow connected or hackable. So, you can do tools in all of these areas and get results. Burp is just one of the very generic ones, right? And I think this generalization of a pentester is also something good because it broadens your view. You have to think about different angles as well and you cannot always pick on just your major topic. But from a tooling perspective, because he asked about it, we also have our internal tools of course, but we always get them to a certain state and release them. For example, one of our tools just recently showed us that in a modern iOS application, there was RC2 decryption going on with a 40 bit key, which is ancient.
Dr. Christian Folini: That sounds a bit old school.
Tobias Ospelt: And then that sparked my interest and I thought “Why is this happening?” And right before that there was a 3DES decryption. And then I found out well, this is basically just the PKCS 12 standard that says the PKCS 5 standard says that PBE 1 specifies the different encryption schemes. And while the default one is still 3DES for the private key, and RC2 for the certificate.
Dr. Christian Folini: So, in that particular case, would they just apply the standard without thinking twice? Or were they even obliged to do it?
Tobias Ospelt: They were just using the PKCS 12, which everybody is using to store keys. And I think in penetration testing what’s really cool when you get these new topics is that you have to think about new things and maybe write your own tools and it sparks a lot of research.
Dr. Christian Folini: Yes, that’s making it so interesting. It always drives you to find all this stuff.
Tobias Ospelt: That’s also why I did all the research about Java keystores. And there was all sparked by a customer project, because they use this kind of format and exploited it.
Dr. Christian Folini: It’s cool. Do you Raphaël get the time to do this thorough research at all? Or are new scopes continue pushing you “come here” or calling you “This is new, come test us, test us!”
Raphaël Arrouas: In fact, bug bounty hunting is also used a lot by academics. Academics researchers invest a lot of time in bug bounty hunting. For example, they work full time as teachers in the universities and then they can apply their research in bug bounty hunting. They cannot necessarily have a penetration testing job, but during the weekend, they spend time doing some research. Also, I’ve done research, I’ve had time to dedicate myself to research since I’m not bound by any contract or things like that. So, I can always take time for myself and sometimes find zero-days in scopes that are in bug bounty programs. For example, with the Swisscom bug bounty programs, they accept zero-days and I found quite a few of them while working on their program, and it was worthwhile. So, I would say that it does not prevent you from researching, but rather the opposite.
Dr. Christian Folini: Okay. But my impression was, as a freelancer (I’m also more or less working as a freelancer) and outside of bug bounty program it’s just you’re your own boss, that’s nice, but you also have to be your own boss and telling to yourself “Hey, now get to work!” and it’s not this funny feeling that you’ll sleep in your hammock and you hack away and by nine o’clock in the morning you are a millionaire already. And it’s not such a happy life, isn’t it? You can work for weeks I suppose, without cashing in at all, because they are going back to you “No, it’s double”, “Somebody has reported this already”, or “We’re not going to fix it. It’s no vulnerability anyway” and that is tough.
Raphaël Arrouas: You need to stay motivated, of course. But I would say that I’ve been a bounty hunter now for a year and a half full time, it’s been nearly two years, and it’s been working out so far. I’ve done this more than several weeks. I would say that you need to stay focused, you need to stay organized. It’s really hard, sometimes you work at 5am, sometimes you work during the day, it really depends. But also this flexibility is quite good, because it helps me for example take care of my family, of my daughter or so.
Dr. Christian Folini: So, you would say it’s not for everybody to run this lifestyle. But when you’re able to be self-organized it can be really cool.
Raphaël Arrouas: Yes, surely. And it was a goal for me to be able to self-organize and it’s one of the reasons why I went into bounty hunting.
Dr. Christian Folini: Okay, I see that, interesting.
Here is a thought. I read up a report by Kate Missouris, where she said an entry level salary for a US penetration tester is around 100k. I think Swiss entry level penetration testers are making a lot less, whereas there are only a handful professional bug bounty hunters in Switzerland right now. So, I get the feeling this is a bit of a gold rush phase. New programs popping up but very few professional bug bounty hunters. And this is going to attract them in programs like this. They are going to attract people into bug bounty hunting. And in a year or two, the prices will come down and the gold rush is over. And you will be competing for relatively few programs if it doesn’t pan out. So, this is a gig economy where you have a good life now, but it could be really tough if you have a stronger competition.
Raphaël Arrouas: The statistics say that around only 4% of researchers earn more than $100,000 a year.
Dr. Christian Folini: And that’s what you have to make in Switzerland to be worthwhile, because you have to pay taxes, social security and and and….
Raphaël Arrouas: Yes, it’s quite a bad number, I would say. This is why there is so few of us, full time bounty hunters in Switzerland.
Dr. Christian Folini: And the costs of living are so high.
Raphaël Arrouas: Yes. But so far, it has worked out well for me. And I know that other bounty hunters also are doing well.
Dr. Christian Folini: So, how many of you are there in Switzerland? What do you what do you think there are?
Raphaël Arrouas: I would say we all like five or six. So, it’s not much.
Dr. Christian Folini: Definitely less than penetration testers. And even there, I mean, we have seen a huge development at penetration testing. I mean, when I entered the security industry, like 15-20 years ago, there were only a small handful of companies.
Tobias Ospelt: Yes, even 10 years ago, there were also only a handful I would say.
Dr. Christian Folini: Yes, and then they popped up. And now they all seem to get along nicely with each other. So, competition can not be so hard.
Tobias Ospelt: The market grows quicker than the competition.
Dr. Christian Folini: Yes, I see.
Raphaël Arrouas: But there is only six of us. Maybe it’s because it’s very hard to get over, let’s say $100,000 a year.
Dr. Christian Folini: Or it’s still very new in Switzerland.
Raphaël Arrouas: And it’s still very new, of course, yes.
Dr. Christian Folini: Let’s see how this develops.
Raphaël Arrouas: But it also means that the hunters, maybe they are battle hardened, I would say.
Dr. Christian Folini: There seems to be new professionals like you, who started as penetration testers. And you did not ride off from school claiming “I’ll be rich now”, because you have a lot of experience in what you’re doing.
Raphaël Arrouas: It’s the case of most bounty hunters. They do this professionally.
Dr. Christian Folini: …Because if you start out without the experience, you’re not cashing in.
Tobias Ospelt: I’m a little bit worried about that part. I think it’s a little bit of grey area of employment law, where I mean, you’re self-employed, right? But that also means you have to play by the rules. You have to pay that and social security and so on. So, you have to do that. Then you don’t get an unemployment coverage, I mean, you’re getting out of debt part. So, there is more risk in there, more risk in, I would say, a lot of areas.
Dr. Christian Folini: So, self-employment is not for everyone?
Tobias Ospelt: Self-employment is not for everyone.
Raphaël Arrouas: That is true. If I don’t succeed the I’d go back to the industry. Because there is quite a shortage in the security scene in Switzerland.
Dr. Christian Folini: Being in the security industry is nice anyway and nothing bad will really happen. That helps.
Tobias Ospelt: For you Christian and me that works out, but we are not talking about us, otherwise we wouldn’t be sitting here, right? I think rather there might be a long tail, specially internationally, I’m a little bit worried. I mean, the liberation of working without getting paid maybe is worrying for me.
Dr. Christian Folini: As long as that is works out for you that’s great.
Tobias Ospelt: I mean, there is this famous quote “it is a genious way of starting a business, especially because nobody is doing it” and it sounds like a bug bounty hunting has said it, but is actually an Uber driver in 2015 who said it. Because back then nobody was driving Uber and when you drove an Uber you could do 250k in the US.
Dr. Christian Folini: This time seems to be over now.
Tobias Ospelt: Yes exactly. No Uber Driver will repeat that [ quote ] nowadays.
Dr. Christian Folini: It’s an interesting analogy.
Tobias Ospelt: It’s a very open economic thing.
Dr. Christian Folini: Ok. Time is running quickly. Let’s see what we can cover, I mean, I have so many notes here.
Law in Switzerland, it’s the final question. I mean, we have the famous hacker paragraphs on 143, 44 of criminal law in Switzerland. I presume, this is not affecting you Tobi at all, because you’re in a contract relationship with a company, so you’re covered. For you Raphaël, you seem to be discovering remote code executions when you’re ordering pizza. And, are we entering a grey area here already? Are you affected by this?
Raphaël Arrouas: As long as you do not do the intrusion itself, then it’s not a grey area. But I’d say that yes, the Swiss law is insufficient when it comes to good faith security researchers.
Dr. Christian Folini: So good faith security researchers are not covered by the law?
Raphaël Arrouas: Absolutely, and it can be done by anybody, by developers, by system administrators… And I think that the law at this moment is more detrimental to the security posture of companies in Switzerland, then it helps them.
Dr. Christian Folini: Ok, because it prevents security research?
Raphaël Arrouas: Yes, some people might be deterred and it would be a good thing for example, if the notion of good faith was added to article 143 because there is this notion of good faith in Swiss law, for example in article 5 of the constitution or in article 23 of the Swiss civil code, and so it says that it can be presumed that people are acting in good faith if they have shown diligence in what they are doing.
Dr. Christian Folini: Ok, and in the criminal code around hacking, that is not there…
Raphaël Arrouas: That is not there.
Dr. Christian Folini: You are either a company or you are a criminal.
Raphaël Arrouas: Yes, if the company pursues a charge against you for intrusion, if you did the intrusion and it was in good faith and you did nothing and you have contacted the company and so on, well you can get into trouble. There is no restriction to this law. So, adding good faith in this law for research may help judges determine if the hacking was done in good faith or not. For example, if you have contacted let’s say the GovCert of Switzerland, if you have contacted the company and say “Okey, there is a problem here” and it would really help researchers work freely to improve security of Swiss companies.
Dr. Christian Folini: Okay, interesting. Raphaël said, it could be or it might be even bad for companies the way it is right now, and it is deterring for certain people doing this kind of research. Do you see this as well? I mean, you are teaching, Tobi… Does security industry or security research attract certain people or is it off putting for other ones maybe because of criminal code? How do you see that?
Tobias Ospelt: No, I think usually it is not very off putting nowadays because we have the bug bounty programs and people who were interested in it read about it.
Dr. Christian Folini: It is easier to do this kind of research now if you are interested.
Tobias Ospelt: Yes, I think most people just take the risk, let’s put it that way. But yes, the longer you do it or if you do it professionally, I would say it’s better to have a company around you or to have a contract. That is the diligence part. But then, I agree, we should probably change the law and in general make this a point because I’m not even sure, if my company would protect me when it comes to civil law. So, it can also be dangerous for pentesting. I think we have common sense among the judges here in Switzerland, I’m not that afraid, but..
Dr. Christian Folini: I think as long as everything is fine, is great. But when an accident happens, things can go really wrong.
Tobias Ospelt: Yes.
Dr. Christian Folini: Okay, I see that. Thank you guys, I think we need to come to the end of our program. Thank you my guests for being here, Tobias Ospelt from Pentragrid and Raphaël Arrouas, known as Xel among his peers.
Thank you very much for being here.
Our next Swiss Cyber Storm in a Nutshell: We are planning for the end of April, but you know in these times you never quite know. And then of course this year we are going to do a Cyber Storm conference. This will be on Tuesday, the 12th of October. No matter the pandemic, there is going to be a Cyber Storm.