Google Bug Hunters Uncover New Vulnerabilities
A team of software security experts have uncovered eight new vulnerabilities in a number of popular Google cloud-based products. The announcement of the new vulnerabilities was made at a "Hack in the Box" security conference in Amsterdam.
The team claimed to have discovered more than 100 other unnamed bugs in recent months, but did not elaborate. They highlighted details of their work in their Hack in the Box presentation. All of the eight vulnerabilities mentioned had been fixed by the company ahead of the announcement. Blogger, Analytics, Calendar, Feedburner, and Picnik were among the products containing the problems.
Bug hunters are typically security researchers or specialists who ferret out vulnerabilities using a variety of methods. Discovering bugs can provide both cash rewards, as well as credit and credibility in the software and security communities. Other companies including Facebook and Mozilla have bug bounty programs to get people to find and report such problems.
Innovative Methods to Improve Software Quality and Security
An InfoWorld article elaborated on the cross-site scripting (XSS) problems uncovered by the bug hunters. The research team claimed in their presentation that XSS issues are among the most commonly found vulnerabilities.
The bug bounty incentive program helps improve product quality. Software with weak or inadequate security protection puts both software publishers and software users at risk. Software security risk is a well known problem. Verizon's Data Breach Investigation Report found that more than one billion records have been compromised over the last 8 years. Many were due to hackers using known software vulnerabilities that could, and should, have been caught but were not.
The Web Application Security Research program, in essence uses both outsourcing and crowdsourcing models to recruit willing members of a global audience of users to perform continuing testing, and it only pays for problems discovered.
The program is a cost-efficient method of finding quality problems. Software quality assurance (SQA) programs typically require teams of full-time testers and engineers, along with the costs of benefits, space, tools and equipment. Google's program helps the company to have a larger development team and a leaner SQA team by outsourcing.
It is a smart use of resources and a lesson that midsize companies can learn from. Not every company could or should execute the same exact bug hunting programs used by Google, Facebook, or Mozilla. Their models, however, are interesting and provide innovative approaches and strategies that could be adapted by midsize organizations in their quest for better, more secure software applications and systems and ultimately, happier and more protected clients.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Like us on Facebook. Follow us on Twitter.