6

As some kind of follow-up to my previous question, which was asked from the security researcher/penetration tester point of view:

(Thanks to Rory McCune for pointing this out.) There seem to be a number of high-profile sites like Facebook and Google who appear to openly allow security researchers to try to hack their site, as long as they disclose the findings responsibly. On the face of it, this seems like a generally good idea. Why hire people to do your penetration testing if some are willing to do it for free? (And the bad guys will do it whether you ask for it or not.)

However, what measures should a site already have in place before embarking on such a seemingly risky endeavor? (Or perhaps I am mistaken and it's not more risky than if you don't actively make such an invitation.) I am not particularly concerned with the legal aspects or how to deal with those reports, but rather the technical side of things. Could the same logic apply to smaller applications or websites as it does to the big guys? i.e. could publishing such a statement put your site at more risk than leaving it out?

Yoav Aner

2 Answers

5

You should keep in mind that sites like Google, Yahoo and Amazon have a couple (of thousand) servers. They can afford to "open the doors" to everybody because, as M15K pointed out, their resources are not limited.

There are a couple of reasons they might be "open":

  1. You can gather performance statistics.
  2. You can test the system for stability (if server X goes down, server Y has to take over, etc.).
  3. Probably many more reasons I can't think of.

In small/medium/large companies you usually end up using Linux/Unix servers, Apache, Nginx, lighttpd, Jetty, MySQL, PostgreSQL, Oracle, etc. Sites like Google (giants) create their own platform and their own software solutions: web servers, databases, proxy forwarders, etc. So leaving "the door open" for the public actually helps them to constantly improve their security and platforms, because every "hacker" in the world will try to bring them down. A few of them will succeed, and usually they end up working for the company or receive a satisfying number in their bank accounts :)

In my opinion, it's not safe for you to "open" everything if the company you're working for is not creating most of the software solutions from scratch (web servers, databases and whatever else your company needs). Even then it's a bit risky, especially if you're managing sensitive data.

i.e. could publishing such a statement put your site at more risk than leaving it out?
It doesn't matter if you say "We'll not sue you if you tell us where the breach is". If somebody wants to hack you, he'll try to do it whether the statement is there or not. But if it's there, it may sound more like you're inviting them in. So you'll probably get more hackers trying to hack your server.

However, what measures should a site already have in place before embarking on such seemingly risky endeavor?
You will need to figure out a logging mechanism, or monitor the actions that are being performed on the site and server. Also, a full backup of the site/server is a must.

Generally I wouldn't recommend leaving the server "open", especially if it handles sensitive information like credit cards, payments, medical information for patients, etc. It's better for you to hire a team of hackers with a proper contract. Otherwise you're risking all that information going public.

I can't go into more detail as this topic is HUGE and there are many things you need to consider before going "public":

  1. Do you have the money to do that?
  2. Do you have the resources? (servers, security teams and etc)
  3. How far can you limit the damage a hacker can do to your system? i.e. if a hacker gets into your server, what access will he have? Will he be able to connect to your database and retrieve/store/update data? Is your data encrypted? Will he be able to decrypt it? (And so on.)
  4. Can your security team find how a hacker exploited your system?
  5. Does your security team have the skills to fix problems that may occur?
  6. Probably many more questions that you need to ask and answer before you decide.
tftd
  • Thanks for putting time into this. The recommendations make sense. However, I don't see how this is any different from the security controls you should have in place *anyway* (whether or not you 'invite' people to hack your site). The invitation simply encourages white-hats / security researchers to help you out. How does this alone change your risk profile? – Yoav Aner Apr 04 '12 at 14:12
  • Your invitation may be taken as a challenge or provocation. This can attract more hackers than usual. And if that happens you may end up hacked by many different hackers at the same time, which will become really hard for your security team to monitor. The other major problem is that you can't rely on hackers' willingness to submit real reports, or to report at all. :) – tftd Apr 12 '12 at 16:46
  • Well, it then depends how this invitation is constructed. As far as I could see most sites that do have some kind of an open invitation do word it very carefully. Something along the lines of 'if you do manage to hack us, and tell us nicely and quietly, we won't sue you'. This, to some extent, can even act as a deterrent! – Yoav Aner Apr 12 '12 at 18:17
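The answer above says a site needs "a logging mechanism" and a way to "monitor the actions that are being made on the site and server" before inviting outsiders in, and the comments add that many simultaneous testers are hard to keep track of. The following is an added example (not code from the original answer or its author) of the kind of detection one would run over a web-server access log to see who is probing: it parses Apache/nginx "combined" format lines, counts requests and 4xx/5xx responses per source address, and flags sources whose traffic is mostly errors. The log lines are constructed for the example; the thresholds (`min_requests`, `min_error_ratio`) are assumptions you would tune to your own traffic.

```python
"""Flag likely scanner/probe activity in a web-server access log.

Added example, not part of the original answer. Assumes the site keeps an
Apache/nginx "combined"-format access log; the sample lines below are
constructed for this example and use documentation (RFC 5737) addresses.
"""
import re
from collections import defaultdict

# Matches the leading fields of a "combined" log line:
#   ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one ordinary visitor (203.0.113.5) and one source
# (198.51.100.7) walking through well-known admin paths and an SQLi probe.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Apr/2012:14:10:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [04/Apr/2012:14:10:03 +0000] "GET /about HTTP/1.1" 200 3311
198.51.100.7 - - [04/Apr/2012:14:11:00 +0000] "GET /admin HTTP/1.1" 404 210
198.51.100.7 - - [04/Apr/2012:14:11:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.7 - - [04/Apr/2012:14:11:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.7 - - [04/Apr/2012:14:11:01 +0000] "GET /.git/config HTTP/1.1" 404 210
198.51.100.7 - - [04/Apr/2012:14:11:02 +0000] "GET /index.php?id=1' HTTP/1.1" 500 0
203.0.113.5 - - [04/Apr/2012:14:12:10 +0000] "GET /missing-page HTTP/1.1" 404 210
"""


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def summarize_by_ip(records):
    """Per source IP: total requests, 4xx/5xx responses, distinct paths requested."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for r in records:
        s = stats[r["ip"]]
        s["requests"] += 1
        if r["status"][0] in "45":      # 4xx client errors and 5xx server errors
            s["errors"] += 1
        s["paths"].add(r["path"])
    return stats


def flag_probers(stats, min_requests=4, min_error_ratio=0.75):
    """Return (ip, requests, error_ratio) for sources that look like scanners.

    Thresholds are assumptions for the example: a real site should tune them
    against its own baseline so that ordinary visitors hitting a few dead
    links are not flagged.
    """
    flagged = []
    for ip, s in stats.items():
        ratio = s["errors"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= min_error_ratio:
            flagged.append((ip, s["requests"], round(ratio, 2)))
    return sorted(flagged)


def find_probers(log_text, **thresholds):
    """Convenience wrapper: raw log text in, list of flagged sources out."""
    return flag_probers(summarize_by_ip(parse_log(log_text)), **thresholds)


if __name__ == "__main__":
    for ip, n, ratio in find_probers(SAMPLE_LOG):
        print(f"{ip}: {n} requests, {ratio:.0%} errors")
```

Run it against a real log with `find_probers(open("/var/log/nginx/access.log").read())`. The error-ratio heuristic is deliberately simple; the point is that before opening the door you already have the log, the parser and the per-source view, so that when several testers show up at once you can tell them apart and match a later report to what was actually tried.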
3

I believe this is a question or practice best addressed once you have thoroughly vetted your site with your own internal practices. Remember, what is good for Facebook and Google may not be good for you.

They have redundant systems and can afford for a system to go down for a little while; it's even baked into their business continuity plan. I would hazard a guess that for most other businesses, a web server crash is all hands on deck.

I can't imagine very many scenarios in which declaring open season on your front door will result in something useful. But let's say you do, and you do get some positive feedback. Are you and your security team in a position to remediate those vulnerabilities?

M15K
  • Thanks. See comment above. Are you saying that by publishing this statement on the site I'm at more risk than if I didn't? The bad guys (which I have to worry about anyway), will try to hack me regardless of any open invitation (or lack of). – Yoav Aner Apr 04 '12 at 14:15