Thursday, June 23, 2011
Can Enterprises Crowdsource Security Testing of their Websites?
The rate at which external websites are being hacked demonstrates the lack of an effective defensive mechanism in enterprises. Cyber laws were created to safeguard against script kiddies from hacking into websites and defacing them. These laws scared away much of the early warning system that could have been in place. Hacking for fun is vastly different from hacking for profit.
Would enterprises pay fees to individuals who hacked and privately disclosed flaws be an effective option to find web flaws? Or would it lead to anarchy and mayhem.
Such programs have been in use by product vendors, but not by enterprises.
1. High Quality Testing
2. Frequent Testing
3. Will keep security and IT team on their toes
4. Reduce the motivation to hack for profit
5. Value for money as payment will be outcome based.
1. Affect site performance
2. Reduce the effectiveness of the cyberlaws
3. Encourage script kiddies
4. May not be practical to implement
On the whole, I believe a crowd sourcing approach will be a net positive. It will motivate the good guys more that laws deter the bad guys.
I must add a disclaimer to this blog. These are a thoughts and not a recommendation. The key lies in the practicality and legality of the method used for implementation.