Bug Bounty: the business enabler of any DevSecOps toolchain
September 17, 2020
DevSecOps is about finding ways to integrate security practices into development and operations processes and tooling. The methodology is relevant to organisations creating their own applications as well as to those acquiring software. Security and risk management professionals need to adapt their practices to get the full benefit of DevSecOps. The opportunity is as large as the challenge: today’s fast-paced digital transformation needs strategies and tools that practitioners can integrate and automate within DevOps.
For frictionless integration of security to happen, tooling is paramount. The ability to integrate and automate the various development, security and operations processes is at the core of a successful DevSecOps implementation. As maturity differs between organisations, appropriate technology is of the essence. Below, we focus on the tools our bug bounty platform natively includes, which make it the “Sec” part of a DevSecOps toolchain.
DevSecOps: Integrating security from idea to continuous delivery
DevSecOps means integrating security into development and operations. Protecting applications the DevSecOps way works best with a bug bounty.
Security testing for quick and easy remediation
Challenge: The traditional security practice of generating and emailing vulnerability reports in document form will not scale in a DevSecOps pipeline.
Solution: Our experience shows that bug bounty provides effortless integration of security reports into an existing DevOps toolchain.
Security testing is a necessary practice as part of an overall security program. The best practice is to implement security testing during development and in both the preproduction and production environments. The security testing in each of these phases varies in complexity and goals, directly involving several roles and teams.
Such a complex interaction and iteration model requires security testing tooling that produces results usable for quick and easy remediation. A homogeneous report format is another major advantage: it prevents ambiguity and streamlines communication across roles. The YesWeHack bug bounty platform comes with these features:
✅ The quality of the findings and that of the suggested remediation is key to adoption by non-security teams.
As a bug bounty program manager, you receive real-time notifications of new submissions. You can then evaluate the report. Our forms enable hunters to provide a fine-tuned description of the vulnerability they are reporting.
✅ Once the vulnerability is accepted as “valid” by the bug bounty program manager, a ticket is created. From there on, each step of the vulnerability management lifecycle is logged. For internal and compliance purposes, you have actual proof of identification and remediation for each vulnerability.
✅ Proofs of concept (POCs) are critical in demonstrating the exploitability of a vulnerability and its anticipated impact on your environment. Hunters often include a POC in their report; requesting one is also possible during the vulnerability evaluation phase.
✅ Ease of configuration and effective integration with the existing SDLC toolchain:
When updating a report, select the status “Ask for integration” to turn the report into a backlog ticket in your internal system (JIRA, GitLab, GitHub).
- The bug bounty virtuous cycle of security testing avoids handing inaccurate results to development teams. Developers can focus on fixing each vulnerability instead of wasting time determining whether it is real.
- The smooth inclusion of accurate vulnerability reports into the organisation’s toolchain creates no friction between application and security teams. Delays are significantly reduced, which favours security adoption across business lines.
- Each vulnerability report comes with a carefully evaluated CVSS score and a priority estimate. These criteria enable smooth prioritisation of fix urgency.
- A bug bounty program relies on a virtually limitless talent pool, so no security skills or capacity gap looms on the horizon.
- Whenever a vulnerability is reported, our hunters include technical specifics that a SOC can use when reviewing its logs. Did the SOC team get an alert when the hunter’s reconnaissance and exploitation activity hit the target? Such a feedback loop helps defenders enrich and fine-tune their tools and detection use cases continuously.
Operational remediation practice aligns with business logic
Challenge: Digital assets (e.g. web applications) require continuous protection. More often than not, however, business constraints do not allow DevSecOps to patch production in due time.
Solution: Our experience shows that bug-bounty-powered vulnerability identification in runtime scenarios best works with virtual patching.
Secure design and development-phase security testing are critical yet insufficient. Thankfully, runtime mitigation using a WAF, WAAP or RASP exists: enter so-called virtual patching. This remediation approach temporarily or permanently mitigates specific vulnerabilities.
In a nutshell, a virtual patch is a rule or a set of rules, deployed in the WAF, WAAP or RASP mentioned above, that mitigates a specific vulnerability without changing the underlying code base. Typically, virtual patching comes in handy when an urgent fix is needed while a long-term remediation is being developed. This type of fix adds a security policy enforcement layer and allows Ops to keep a system running until a complete fix passes tests and approval. One caveat a practitioner should keep in mind: a virtual patch blocks the known exploitation path at the perimeter, not the root cause in the code, so it must be scoped tightly to the affected endpoint and parameter and re-tested against variants of the original proof of concept.
Vulnerability reduction is our bread and butter. So, the YesWeHack bug bounty platform comes with native features to ensure that weaknesses get a fix and that it does not break the system:
✅ After a vulnerability report is evaluated, you can get a virtual patch with the click of a button. Our partner Rohde & Schwarz provides one swiftly.
(Screenshots in the original: the report before and after the virtual patch is applied. Caption: “In patching we trust.”)
✅ Whenever the fix is available, the bug bounty program manager can integrate it and offer it for re-testing to the hunter who initially identified the vulnerability. Naturally, those changes are reflected in the backlog.
✅ Whatever the type of patch you deploy, all actions are logged. That sort of ‘changelog’ may be incredibly precious in environments with strong compliance pressure. Kiss those tedious Excel sheets goodbye!
👍 Should the re-test pass, you can push to the next stage of the DevSecOps pipeline.
- By leveraging virtual patching, an effective temporary solution that prevents attacks on a known vulnerability is within easy reach.
- A ghost with no respite, legacy applications haunt every member of the DevSecOps team. When legacy software uses a web interface, a popular database back end or a component whose source code is unavailable or difficult to modify, we all know a disaster is in the making. Virtual patching is especially useful here as it is a practical and cost-effective way of addressing vulnerabilities.
- Deployments of outsourced or off-the-shelf software (especially where the original source code is unavailable or the supplier is too slow to patch) are similar to legacy. Virtual patching comes in handy here too, addressing security gaps with little effort.
- Through the YesWeHack bug bounty platform, a patch that you have requested, whether virtual or originating from the development team, also gets verified to ensure it actually prevents exploitation of the vulnerability.
- Since patch requests, tests and acceptance are tracked as they happen, you need no extra effort to maintain visibility over the security level of the application portfolio.
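To make the virtual patching mechanism described above concrete, and the re-test step that follows it, here is an added example (not code from YesWeHack, Rohde & Schwarz or any WAF product). It models a virtual patch as a positive-security allow-list rule enforced in front of an endpoint whose code stays unchanged, records each decision in an audit log, and replays the reporter’s proof of concept through the rule to verify the fix while checking that legitimate traffic still gets through. The endpoint `/items`, the `id` parameter, the rule identifier `VP-0001` and the payloads are all constructed for illustration.

```python
"""A virtual patch modelled as an allow-list rule in front of an unchanged,
vulnerable endpoint, with the re-test that replays the reporter's proof of
concept.  Added example for this article: endpoint, parameter, rule id and
payloads are constructed and do not come from any real report or product."""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict


def vulnerable_handler(req):
    """Simulated legacy endpoint we cannot change in time: it concatenates the
    'id' parameter straight into a query string (deliberately vulnerable)."""
    item_id = req.params.get("id", "")
    return f"SELECT name FROM items WHERE id = {item_id}"


@dataclass
class VirtualPatch:
    """One rule: for a given method and path, a parameter must fully match an
    allow-list pattern.  Positive security blocks payload variants the reporter
    never tried (e.g. 'OR 2=2'), unlike a deny-list built from the PoC string."""
    rule_id: str
    method: str
    path: str
    param: str
    allowed: re.Pattern

    def blocks(self, req):
        if req.method != self.method or req.path != self.path:
            return False                       # scoped to the reported endpoint only
        value = req.params.get(self.param)
        if value is None:
            return False                       # parameter absent: nothing to inject
        return self.allowed.fullmatch(value) is None


@dataclass
class Enforcer:
    """The policy enforcement layer sitting in front of the application."""
    patches: list
    audit_log: list = field(default_factory=list)

    def handle(self, req):
        """Return ('blocked', rule_id) or ('allowed', response) and log it."""
        for patch in self.patches:
            if patch.blocks(req):
                self.audit_log.append(("blocked", patch.rule_id, req.method, req.path))
                return ("blocked", patch.rule_id)
        self.audit_log.append(("allowed", None, req.method, req.path))
        return ("allowed", vulnerable_handler(req))


def verify_patch(enforcer, poc_request, legit_requests):
    """Re-test as a program manager would: the PoC must be blocked AND the
    legitimate traffic must still reach the application (no false positives)."""
    poc_blocked = enforcer.handle(poc_request)[0] == "blocked"
    legit_ok = all(enforcer.handle(r)[0] == "allowed" for r in legit_requests)
    return poc_blocked and legit_ok


# Constructed rule for a hypothetical report: GET /items?id= must be numeric.
PATCH_ITEMS_ID = VirtualPatch(rule_id="VP-0001", method="GET", path="/items",
                              param="id", allowed=re.compile(r"[0-9]{1,10}"))

# Constructed traffic: the reporter's PoC, and requests that must keep working.
POC = Request("GET", "/items", {"id": "42 OR 1=1"})
LEGIT = [Request("GET", "/items", {"id": "42"}),
         Request("GET", "/items", {}),
         Request("GET", "/search", {"q": "42 OR 1=1"})]   # other endpoint, out of scope


if __name__ == "__main__":
    before = Enforcer([])
    print("before patch:", before.handle(POC))
    after = Enforcer([PATCH_ITEMS_ID])
    print("after patch: ", after.handle(POC))
    print("re-test passed:", verify_patch(after, POC, LEGIT))
    print("audit log:", after.audit_log)
```

Two design points worth noting. The rule is keyed on method, path and parameter, so a request to `/search` carrying the same payload is deliberately not touched; a perimeter rule that fires on every `OR 1=1` in every request is how virtual patches end up breaking unrelated features and getting switched off. And `verify_patch` fails if legitimate traffic is blocked, which is the check that keeps Ops from pushing a patch that “works” only because it rejects everything.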
Powering DevSecOps with bug bounty: more treats in store
DevSecOps implies a profound change in the software industry’s culture. Achieving a harmonious interaction between seemingly opposed positions is no simple feat. Even though design- and development-stage vulnerability inspection is growing in adoption, these approaches leave out runtime security needs, where technical mechanisms external to the code are at work. Currently, the bulk of the software security industry relies on occasional inspections such as yearly penetration testing or compliance assessments. Such annual, end-of-cycle inspections are of little help: they create waste, delay learning, slow down overall delivery and fail to reflect realistic threats.
At YesWeHack, our bread and butter is reducing the number of existing vulnerabilities as a way to mitigate risk sustainably. So it comes as no surprise that our work and the tools we develop aim to smooth the often-challenging interface between Security and Development. Today, a significant share of organisations are at the planning stage of leaving “waterfall” behind in favour of an agile approach that integrates security throughout the entire product lifecycle.
As showcased above, bug bounty goes beyond vulnerability identification alone and natively includes the whole vulnerability management lifecycle toolchain. A growing number of our clients are embedding those tools in their CI/CD, so we have decided to dedicate an article to how we help them embed security there. Stay tuned 😉