The Air Force paid out $123,000 to researchers who found vulnerabilities in the organization’s move to the cloud. Here’s why.
With nearly 70% of organizations moving business-critical applications to the cloud, cloud migration is sweeping the enterprise. This even holds true in government agencies, as the US Air Force began moving more than 100 apps to the cloud in late 2016, our sister site CNET reported.
However, the rise of cloud technology also brings a slew of security concerns. To test the security of its cloud environment, the Air Force called upon ethical hackers through a bug bounty program, in which white hat hackers and researchers are paid for finding security flaws in systems before cybercriminals do.
“While the CCE [Common Computing Environment] platform has a significant number of security measures in place, it was still important to test the environment from an external and internal perspective,” James Thomas, lead at Air Force Digital Service, told TechRepublic.
In partnership with Bugcrowd, the Air Force’s bug bounty program uncovered 54 vulnerabilities in the cloud platform. The payout over the course of the program totaled $123,000, with the highest single payout bringing in $20,000, according to Thomas.
“The most significant findings were vulnerabilities involved with researchers being able to access certain roles or configurations that they were not assigned to,” Thomas said. “Even though these vulnerabilities only existed within escalated privileges accounts, these submissions were immediately remedied and were great lessons learned for future development.”
The Defense Digital Service is also set to announce the full results of the bug bounty program on Thursday at the DEF CON hacker conference in Las Vegas.
How to start a bug bounty program
While it may seem unusual to bring in outside individuals to try to hack your own systems, “the benefits that come with this type of testing far outweigh the risks,” Thomas said. “Bug bounties allow platform owners to strictly focus on the remediation and retest of their assets, instead of finding vulnerabilities themselves.”
When beginning the process of starting a bug bounty program, organizations must get buy-in early on, according to Grant McCracken, director of solutions at Bugcrowd.
“A successful program starts well before it goes live,” McCracken told TechRepublic. “Getting internal buy-in throughout the process, and especially from the top, is the best way to ensure all parties are aligned on the program goals and business needs—so that when the time comes to execute, all stakeholders are in agreement.”
Security measures shouldn’t stop when the bug bounty is over, Thomas added.
“No organization or technology is infallible. Many global companies utilize crowdsourced security to leverage the best and brightest beyond their companies or organizations to strengthen their software and services, and better secure proprietary and consumer data,” Thomas said.