Can Enterprises Crowdsource Security Testing of their Websites?
Posted by: Lucius Lobo On July 26, 2011 04:30 PM
The rate at which external websites are being hacked demonstrates the lack of an effective defensive mechanism in enterprises. Cyber laws were created to safeguard websites against script kiddies hacking into and defacing them. These laws scared away much of the early warning system that could otherwise have been in place. Hacking for fun is vastly different from hacking for profit.
What if enterprises paid individuals who hacked their websites and privately disclosed the flaws they found? Would that be an effective option for finding web flaws? Or would it lead to anarchy and mayhem? Such programs have been in use by product vendors, but not by enterprises.
Potential benefits:
1. High-quality testing
2. Frequent testing
3. Keeps the security and IT teams on their toes
4. Reduces the motivation to hack for profit
5. Value for money, as payment will be outcome-based
Potential drawbacks:
1. Affects site performance
2. Reduces the effectiveness of cyber laws
3. Encourages script kiddies
4. May not be practical to implement
On the whole, I believe a crowdsourcing approach will be a net positive. It will motivate the good guys more than the laws deter the bad guys.
I must add a disclaimer to this blog. These are thoughts and not a recommendation. The key lies in the practicality and legality of the method used for implementation.