Organised bug hunts improve security, writes Brad Howarth.
Ever wanted to hack the Coles website or other software applications? The giant Australian retailer is not only inviting would-be hackers to find vulnerabilities in a number of its online assets, it will also pay them if they are successful.
Coles is one of a growing list of companies that are using bug bounty programs to augment their regular software security testing. Bug bounties are a form of crowdsourced penetration testing that calls on the skills of freelance computer security professionals to join organised bug hunts designed to uncover weaknesses in websites and online applications. Anyone who discovers a weakness is encouraged to report it discreetly to the target organisation, and is given a financial reward for doing so.
In the case of Coles, it is managing its bug bounty program through the Australian start-up Bugcrowd. According to Coles' group general manager for IT, Conrad Harvey, Bugcrowd caught his attention during an investor session organised by the Startmate incubator program. Within 48 hours Coles had signed up, and its first bug bounty was launched the following Saturday.
Harvey said Bugcrowd gave Coles access to security testing skills that it could otherwise not reach, particularly in newer fields such as Android applications. Harvey said the service would also be used to help secure other customer-facing applications, and would act as an additional layer of security alongside Coles' existing protocols and procedures.
Bugcrowd's growing list of customers includes Rabobank, Bigcommerce and Google. It recruits security testers and manages the bug bounty program, ensuring that all parties are treated fairly.
Company co-founder Casey Ellis is currently in the US raising Bugcrowd's first round of capital. He said the company had taken off much faster than anticipated after he and business partner Serg Belokamen launched it late last year. He described Bugcrowd as bringing balance to the economic advantage possessed by "the bad guys".
"For companies like Coles or Google or Rabobank, every time they have to get their stuff tested they have to pay someone for their time, regardless of whether they find something or not," Ellis said. "When you look at the bad guys, there is a lot more of them, there is a lot more diversity in the skill set, but the economics are that they don't get paid until they find something and exploit it."
Numerous companies are now competing in the bug bounty market, including Melbourne-based Bugwolf. Founder Ash Conway said he also expected to announce several large client wins imminently.
Business security specialist Nick Ellsmore, who has worked as an advisor to Bugcrowd, estimated that the Australian market for penetration testing was worth about $300 million a year, and said he saw strong opportunities for new services.
"If you look at the size of the market and how it's being serviced, there is currently no company in it that would have more than 10 per cent market share," Ellsmore said. "A lot of the work is being done by people who aren't specialists, and it's really an industry that calls out for a better solution."