CrowdSecWisdom #2
OffSec insights for CISOs
Welcome to the second edition of CrowdSecWisdom from YesWeHack – curating offensive security insights from our own blog and elsewhere for CISOs, security teams and security-conscious devs.
First up, the difficulty of judging the validity of vulnerability reports generated with large language models (LLMs) became apparent soon after ChatGPT first lit up the internet in late 2022. According to a feature published in the New Scientist this week (paywalled), ethical hackers are increasingly integrating AI bug-hunting tools into their workflows, but there are concerns that, used without human oversight, these tools are getting better not at finding genuine bugs but at ‘hallucinating’ vulnerabilities ever more convincingly.
Meanwhile, an audience of security professionals and corporate decision-makers has been told that Bug Bounty Programs are typically 90% cheaper than traditional pentesting. The source of this statistic is an application security engineer at a Scandinavian financial services company, whose presentation at a YesWeHack event in Stockholm is the basis of our latest customer success story. It is packed with insights for anyone pondering, about to launch or already running a Bug Bounty Program.
Another arresting statistic: three quarters of smart-device vendors apparently still provide no means for security researchers to contact them. Hence the “world first” cybersecurity law for IoT devices that recently came into force in the UK. We have summarised the trio of security requirements prescribed by the PSTI Act and explained how a Vulnerability Disclosure Policy (VDP) can help you comply with one of them in a way that most benefits the security of your digital assets.
Secure by design pledge
Across the Atlantic, Google, Microsoft and AWS are among dozens of organisations to sign a Secure by Design pledge that commits them to “demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products”.
Led by the US Cybersecurity and Infrastructure Security Agency (CISA), the voluntary initiative invites organisations to strive to achieve seven secure-by-design goals within a year of signing the pledge. The other commitments centre on the effective installation of security patches, avoiding default passwords, publishing a vulnerability disclosure policy (VDP) in line with best practices, increasing the use of multi-factor authentication (MFA), helping customers gather evidence of malicious intrusions and including accurate CWE and CPE fields in CVE records.
Katie Moussouris, who has helped the likes of Microsoft and the Pentagon build BBPs, has expressed alarm about a new EU regulation requiring private companies to report vulnerabilities to the government before they are patched.
“We've already seen what happens when vulnerability information leaks before defenders can defend themselves,” said Moussouris, founder and CEO of Luta Security, in an interview with The Record. Her concerns are not allayed even by the Cyber Resilience Act’s stipulation “that they don't want proof of concept code”.
London calling
Are you UK-based or visiting the country this month? YesWeHack is attending Infosecurity Europe, taking place in London from 4 to 6 June. A seven-strong team will field requests for swag and information about our Bug Bounty and vulnerability management platform from an expected audience of around 13,800 attendees.
A month later, from 5 to 7 July in Paris, we will return to leHACK to do likewise, as well as run a Live Hacking Event for a customer whose identity will only be revealed on the morning of the event.
May was particularly busy on the events front, with YesWeHack attending Infosec In the City in Singapore, Nordic IT Security in Stockholm, BreizhCTF in Rennes and RSA Conference in San Francisco. We also ran events for the benefit of customers and partners, including a hackathon to raise internal security awareness at Swedish betting giant ATG and a Bug Bounty Challenge for NUS students in Singapore (which is still underway).
BitK on TikTok
Just like in April, YesWeHack made a number of media appearances on popular French broadcasters in May. First, a security professional from the French ministry overseeing digital transformation across the government joined our COO on a prominent radio station to discuss the ministry’s Bug Bounty Program and crowdsourced security more generally.
Then, with the US government poised to ban TikTok, our very own tech ambassador and ethical hacker, BitK, appeared on French national TV to discuss how the social media app hoovers up personal data.
PS. Are you a bug hunter, or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin, which offers hunting advice, interviews with hunters and CTF-style challenges, among other things.