White Hat Security this week announced a partnership with Bugcrowd through which vulnerabilities discovered by certified ethical hackers who are paid bounties can be integrated into a larger set of DevSecOps processes.
Setu Kulkarni, vice president of corporate strategy for White Hat Security, said the alliance marks the first time a provider of application testing tools and services has partnered with an online crowdsourcing service for contracting cybersecurity professionals. This approach means vulnerabilities discovered by cybersecurity contractors working on a gig economy model can be fed back to a service that continuously scans for application vulnerabilities on a 24/7 basis, he said. Information about those vulnerabilities is then fed back by cybersecurity teams employing White Hat Sentinel tools and services to developers building applications.
Bugcrowd is one of several online services that allow cybersecurity experts to participate in a “gig economy” driven by vendors and IT organizations that offer bounties for finding vulnerabilities. Those vulnerabilities are now being added to the list of vulnerabilities that White Hat Security tools report as part of the managed service it provides.
Kulkarni said such alliances should result in greater cross-pollination of knowledge and skills between freelance cybersecurity professionals and the team of cybersecurity professionals who work full-time for White Hat Security. For example, Bugcrowd can provide access to elite researchers with specialized skills associated with complex attack surfaces such as application programming interfaces (APIs) or internet of things (IoT) deployments.
Obviously, it’s still early days when it comes to implementing DevSecOps best practices. It is clear developers are taking more responsibility for implementing cybersecurity policies and controls within their applications. But those policies need to be informed by policies defined by cybersecurity professionals capable of analyzing the business risk any vulnerability represents given the number of known cybersecurity threats. Unfortunately, most of the applications running in a production environment have one or more known vulnerabilities simply because no one is quite sure what version of a library or component might be running where. Worse yet, flawed patch management processes make updating those libraries and components a complex task that doesn’t always get addressed in a timely manner.
Solving that problem doesn’t necessarily require cybersecurity professionals to participate in the development of every application. Rather, it requires organizations to create a closed-loop approach in which information about new vulnerabilities gets fed directly into the continuous integration/continuous delivery (CI/CD) process. There are simply not enough cybersecurity professionals to participate in every scrum meeting a development team holds over the course of the application development cycle.
The biggest immediate issue, however, may be closing the divide between developers and cybersecurity teams. Developers prefer to work with tools that expose an API. Most cybersecurity teams today employ tools that sport graphical user interfaces that developers have little interest in mastering. Cybersecurity teams need to find a way to share vulnerability data via APIs that developers will want to consume within the context of a DevOps process.
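The closed-loop idea in the two paragraphs above (new vulnerability data flowing straight into the CI/CD pipeline, consumed through an API rather than a GUI) is easiest to see as a build gate. The script below is an added illustration, not code from White Hat Security, Bugcrowd or the article: it assumes a vulnerability feed arrives as JSON records of the shape `{"id", "component", "vulnerable_versions", "severity"}` and that the build's dependency manifest is a list of `{"name", "version"}` entries. Both inputs are constructed sample data with placeholder identifiers, and the feed format is a hypothetical one chosen for the example. The gate matches each dependency against the advisories' version ranges and fails the build when a finding at or above the configured severity is present, which is the "information about new vulnerabilities gets fed directly into the CI/CD process" step done in code.

```python
"""Closed-loop vulnerability gate for a CI job (added example, constructed data)."""
import json
from dataclasses import dataclass

# Constructed sample feed standing in for what a scanning service or bounty
# platform would return over an API. Advisory ids are placeholders, not real.
SAMPLE_FEED_JSON = """
[
  {"id": "EXAMPLE-0001", "component": "libfoo",
   "vulnerable_versions": ["<1.4.2"], "severity": "high"},
  {"id": "EXAMPLE-0002", "component": "widgetlib",
   "vulnerable_versions": [">=2.0.0,<2.3.1"], "severity": "critical"},
  {"id": "EXAMPLE-0003", "component": "logkit",
   "vulnerable_versions": ["==0.9.0"], "severity": "medium"}
]
"""

# Constructed dependency manifest for the build under test (hypothetical names).
SAMPLE_MANIFEST = [
    {"name": "libfoo", "version": "1.4.1"},
    {"name": "widgetlib", "version": "2.3.1"},
    {"name": "logkit", "version": "0.9.0"},
    {"name": "unrelated", "version": "5.0.0"},
]


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    component: str
    version: str
    severity: str


def load_feed(text: str) -> list:
    """Parse the JSON feed text into advisory records."""
    return json.loads(text)


def parse_version(version: str) -> tuple:
    """Turn '1.4.2rc1' into (1, 4, 2); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare(a: tuple, b: tuple) -> int:
    """Three-way compare, padding with zeros so (1, 4) equals (1, 4, 0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<=": lambda c: c <= 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
    "<": lambda c: c < 0,
    ">": lambda c: c > 0,
}


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause in `spec`."""
    parsed = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "<", ">"):  # two-char operators first
            if clause.startswith(op):
                bound = parse_version(clause[len(op):].strip())
                if not _OPS[op](compare(parsed, bound)):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {clause!r}")
    return True


def evaluate(feed: list, manifest: list) -> list:
    """Match every manifest entry against the advisories for that component."""
    by_component = {}
    for advisory in feed:
        by_component.setdefault(advisory["component"], []).append(advisory)
    findings = []
    for dep in manifest:
        for advisory in by_component.get(dep["name"], []):
            if any(satisfies(dep["version"], s) for s in advisory["vulnerable_versions"]):
                findings.append(Finding(advisory["id"], dep["name"],
                                        dep["version"], advisory["severity"]))
    return findings


def build_passes(findings: list, fail_on=frozenset({"critical", "high"})) -> bool:
    """Gate policy: any finding at a blocking severity fails the build."""
    return not any(f.severity in fail_on for f in findings)


def main() -> int:
    findings = evaluate(load_feed(SAMPLE_FEED_JSON), SAMPLE_MANIFEST)
    for f in findings:
        print(f"{f.severity.upper():9}{f.component}=={f.version} ({f.advisory_id})")
    passed = build_passes(findings)
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1  # non-zero exit stops the pipeline stage


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a CI step, the non-zero exit code is what turns the feed into a control rather than a report; the severity threshold in `build_passes` is where a security team's risk policy is expressed without anyone attending the scrum. On the constructed data, `libfoo` and `logkit` produce findings while `widgetlib` does not, because 2.3.1 falls just outside the advisory's range.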