With every passing year, security becomes a bigger and bigger issue for many enterprises, especially as the number of data breaches inches up and attacks (such as ransomware) cripple tech infrastructure. And with all that attention, bug bounties (whether in the form of contests or payouts) are becoming more important (and more lucrative) for those with the skills to find code flaws.
On Jan. 28, for example, Google published a report that revealed the company paid out $6.5 million in bug bounties in 2019—a record for the search giant.
In addition to expanding payouts, bug bounty competitions are also delving into new areas. In January, for the first time, the Pwn2Own competition in Miami focused on finding vulnerabilities in industrial control systems, which included one team demonstrating a distributed denial of service (DDoS) attack against a Triangle Microworks SCADA Data Gateway.
Over the course of three days, the Zero Day Initiative, which oversees the Pwn2Own competition, paid out $250,000 in prizes for ICS vulnerabilities.
Not to be outdone, the Cloud Native Computing Foundation announced in January that it would host a bug bounty program for Kubernetes, the container orchestration system developed by Google, for the first time. The payouts for vulnerabilities will run from $100 to $10,000.
Cybersecurity Skills are Key to Bug Bounties
As these bug bounty contests (and the payouts that come with them) continue to expand into different areas, coding and developer skills remain important, but it also helps to develop a strong understanding of the systems and architectures before attempting these types of vulnerability-hunting programs, suggested Jack Mannino, CEO of nVisium, an application security provider based in Virginia.
According to Burning Glass, which collects and analyzes millions of job postings from across the country, here are the key skills that anyone needs to break into cybersecurity; obviously, many of these come into play when it comes to hunting down bugs:
“Being able to code is essential for building tools and attacks on the fly to identify issues that require digging deeper,” Mannino told Dice. “Often, vulnerabilities that cannot be easily detected by common tools remain undetected for the longest time. Having the ability to craft custom attacks and exploits will set you apart from the pack. Taking the time to understand the fundamentals and internals of the technology you’re focused on is important.”
Automate When You Can
When it comes to improving bug-bounty skills, keeping up with the current trends, such as the security arena’s newfound interest in industrial control systems, is important.
For developers and would-be hunters, speeding up the process is also recommended, said Ben Sadeghipour, head of hacker operations at HackerOne. For instance, knowing how to automate certain tasks can now play a bigger big role in bug bounties. Successful hackers have shifted to more automation to identify new assets or features in an application, Sadeghipour added.
“It’s automation and the ability to keep up with trends. If you can automate your smaller tasks, you will have the ability to work at a faster speed and also focus on tasks with higher impact,” Sadeghipour said. “Keeping up with the trends is important because it helps you find unique bugs that are new to most developers or engineers. For instance, if you study new research on newly found vulnerabilities in a popular product or app, you will have a higher chance of finding it.”
As Sadeghipour notes, knowing scripting languages such as Python and Bash help, but good bug hunters are the most familiar with the fundamentals of the application that they are trying to hack.
“Hackers should understand the fundamentals of whatever they decide to hack on,” Sadeghipour said. “If you are a web app hacker, you should understand what goes on behind the scenes for a website to run. It’s way easier to break something once you have a better understanding of how it works.”