back to article Before you high-five yourselves for setting up that bug bounty, you've got the staff in place to actually deal with security, right?

Bug-bounty pioneer Katie Moussouris has urged companies to hire the necessary staff to handle vulnerability disclosures before diving headlong into handing out rewards. Likening the process to digestion, the CEO of Luta Security said many companies launch bounty programs without the ability to properly process bug reports and …

  1. John Smith 19 Gold badge
    Unhappy

    "we need to make it so it is not just patching all the time."

    Indeed.

    Bug bounty --> software bug --> fix software bug.

    So f**king what?

    Why is that bug there? Wrong parameter? Why did the developer think it needed that parameter? How many other developers think the same?

    Now instead of finding 1 bug, you've found a dozen in your code base.

    For free.

    That's the bit that PHB's should like.

  2. Venerable and Fragrant Wind of Change
    Alert

    She's missing the most fundamental step

    I like "Bug bounties make more money the less secure you are." But that already assumes you have the expertise to sort the wheat from the chaff: real bugs from bounty-hunters reporting non-issues.

    In at least some open source communities, we have to go one further than that. The developers have that expertise, but as volunteers we really don't want to spend our precious time going through a lot of spurious reports attracted by bug bounties. So when someone sponsors a bug bounty programme on our software, we ask that they take the bug reports and pre-screen them, so that only reports that appear at least credible will make it through to us. Of course people can still report to us directly, but then that's outside the bug bounty programme.

    1. MarkItZer0

      Re: She's missing the most fundamental step

      It doesn't assume that. She's referring to managed bug bounty programmes where Hacker One, Bugcrowd et al, triage the incoming issues. More real issues means more money made by the bug management platform.

  3. chuBb.
    Meh

    Security by PR

    Why am i not surprised that you need to tell businesses to hire sec people to implement and if worth salt catch before publishing the most braindead of blunders at least??

    Bug bounties have always seemed as much an offshoring excercise wrapped up in PR/community outreach as anything to do with real security for the vast majority of examples, sure you have the argument that it provides an alternative to selling on hacker hangouts, but i sriously doubt the integrity of the "researcher" if that was viable course of action for them.

    Or is it just managment getting booted into idiot mode and failing to follow the metaphors, because computers, As i doubt any of them would struggle with the concept of having a perimeter fence being patrolled, inspected and maintained by people on the inside, and not only relying on people on the outside alerting to them of any holes in their fence...

  4. LDS Silver badge

    "jobs labeled as "entry level" often ask for years of experience and arbitrary certifications"

    Blame "head hunters" for that. They don't have any clue about the people skill they need to look for, so ask for years of experience and look for certifications on Google so they don't have to perform their real job.

    1. Anonymous Coward
      Anonymous Coward

      Re: "jobs labeled as "entry level" often ask for years of experience and arbitrary certifications"

      Blame "head hunters" for that.

      In my experience, recruiters just provide what they are asked for but do not set the parameters. As someone who is in the midst of upgrading certs to meet current job requirements, I can confidently say that in the case of US government jobs, the recruiter or contracting company is definitely not responsible for setting those guideline. I will also confirm that it has led to a dearth of "qualified" applicants. Most people in this industry working infosec jobs work at least two at a time.

      I will also say the certs I am being asked to obtain are marginally connected to the job I do. To me, it looks like the same companies with a vested interest in maintaining the horrible battery of tests that our school children have to endure are looking to expand into other fields - with much the same outcomes.

  5. Anonymous Coward
    Anonymous Coward

    Job Postings

    Personally, I find the job listings out there a little insulting.

    As the article states, asking for years of experience and calling the role "entry level" or "junior" is a little offensive.

    The pay is also crap in most cases, I've seen ads demanding a CISSP cert and 10 years experience for under £30k, that's a joke.

    People employing infosec people need to realise, you're not paying for the time we spend at the office, you're paying for the 10+ years it took to acquire the skills and the money saved not having to mop up a breaches, ransomware and other miscellaneous nasties you want to avoid.

    It takes a long time to develop a good set of skills and keen instinct for infosec work as most of the skills come from experience.

    Paying your infosec folks well will save you untold amounts of money in damages, remediation and lost revenue. Not to mention, it will increase the confidence of your potential customers.

    Hiring an infosec person, chucking them in a corner and paying them well will never be a waste of money.

    1. vulture65537

      Re: Job Postings

      > Hiring an infosec person, chucking them in a corner and paying them well will never be a waste of money.

      That's exactly a waste of money as you missed out the part where you should take their advice.

  6. DCFusor Silver badge

    Bad design

    I wonder how many bugs are actually cases where the design itself was basically flawed (rhetorical).

    Then the symptom du jour is patched if the user is lucky, leaving all the other designed in holes intact, and maybe breaking something else in the bargain.

    Because that unwillingness to pay, and hire really-competent people isn't just an after the fact issue. And giving those people time to do a good design and red-team it on whiteboard is expensive too. At first, that is.

    Otherwise you wind up with an endless series of patches (think Adobe or MS) - and still have issues.

    But that's cheaper per month...so MBA's go for it, all PHBs do. It's not that they're crazy, exactly, but this is a friction point between what should be, what can be (the money guys get impatient or only have so much), and what IS.

    This actually isn't a new phenomenon, or limited to IT, much less the infosec subset.

  7. Kevin McMurtrie Silver badge

    Like gambling - slight chance of a short-term win but no chance of a long-term win

    I have briefly worked at places with chronically insecure code. Nobody wanted to budget money for better coders, nobody wanted to spend time on training, and nobody would spend time replacing bad designs that can never work. I could teach people how to make code clean and secure but that too was seen as a waste of time. Copy and paste from Stack Overflow as fast as possible. It's a mentality of the upper management: Be first to market, have the most features, have the most customers, show success, and cash out. Slow and steady growth wouldn't be success in their minds so future catastrophes aren't worth spending any time on. Even a large company with long-term plans may have areas with only short-term goals.

  8. rcxb Bronze badge

    In what has become a running joke of sorts in the infosec community, jobs labeled as "entry level" often ask for years of experience and arbitrary certifications. This not only leaves businesses short-staffed, but excludes a potentially massive pool of smart folks retraining or wishing to retrain from other industries

    That's typical across all of IT, and other skilled industries as well (like doctors). NOBODY wants to hire the fresh, untried kid. Everybody wants some other company to train them and break them in. And it's not actually helpful, because every company wants somewhat different skills and has different needs and cultures.

    Everyone wants to get the experienced pros, but at entry-level wages. So they have unfilled vacancies, lots of turnover, and pathological liars who know HR isn't actually going to put in the work to check their background. The companies who are actually willing to hire entry-level people and do a bit of training, have no shortage of staff, keep salary costs low, have plenty of skilled people, and those people tend to be loyal and stay around much longer.

  9. John Smith 19 Gold badge
    Unhappy

    PHB "But if you train them, they'll only leave."

    Which makes perfect sense.

    If you're a psychopath with no loyalty to anyone or anything but yourself.

    OTOH Normal people tend to have some loyalty to organizations that value them enough to improve their skills. It's important that those be useful skills and they should be recognized in their pay. The upside (from management PoV) is that the pay rise may not be as generous as in companies which are basically bribing you to join them from elsewhere (possibly because their management are a bunch of s**ts and staff turnover is very high, always a red flag)

    It's surprisingly easy to retain staff if you a) Pay reasonably for the skill set b)Give them access to training help them move up c) Don't act like an Ahole manager. Beyond that "Better the devil you know" will stop people looking elsewhere. Especially if they have already experience how much worse other managements can be.

    The "IT staff shortage" is really code for "Most companies have managers who can't do all three of these together."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019