Hackathon Exposes Big Brand Security Vulnerabilities

Intrusion Team
Nov 12, 2021

According to recent cybersecurity news, a few major companies and software vendors were reporting they had been breached. We were surprised this story hadn’t been at the top of many feeds because the companies seemed so notable. We then discovered that the software and hardware in question had been hacked as part of a hacking competition called the Tianfu Cup, held in China (meaning the vulnerabilities exploited would be disclosed to the companies and patched). Let’s hope they followed through on that intention.

The underlying mentality of a hacking competition focuses on testing existing technology to discover holes and allow companies to patch them. Hacking competitions assume that the technologies used daily by millions of people are vulnerable to breaches. And they’re right. Most major competitions see contestants successfully breach a startling number of devices and operating systems. These competitions have grown to include not just mainstream devices but also unexpected hardware. For example, Pwn2Own included a range of printers and speakers in addition to mobile phones, routers, and NAS devices.

While we applaud the use of these contestants’ talents to discover and patch vulnerabilities, we must ask whether there is a better way to approach cybersecurity. Would it be possible to find a solution that doesn’t allow loopholes for hackers to exploit, or will hacking competitions be permanently necessary for companies to check their systems? This is the age-old question. Can we just develop better, more secure code out of the box? The IT industry has vastly evolved from a cascading waterfall project management and development framework to the supposedly better, faster, agile framework.

Now, DevOps is becoming the new norm for producing better, more secure code the first time. It appears that regardless of how code is assembled in any framework, someone finds a way to exploit a hole in its security. So, bring on the games. Hackathons, competitions, and the like serve several purposes. First, young talent is given a platform to demonstrate their skills and earn a lucrative position on a high-profile security team in an extremely challenging and competitive workforce. Second, companies are given the opportunity to submit their tech as targets for exploitation, giving them great insight not only into their code but also into how their tech might be susceptible in a live, real-world, practical environment. It is a win-win for both groups but creates one problem: How do you secure the results from these competitions to ensure that tomorrow every hacking group on the planet isn’t “out there” searching for all the new tech to exploit?

This has been the dilemma in demonstrating, showing, and sharing exploits and vulnerabilities, and it is what led to the term “Zero-Day.” Once the exploit or vulnerability is known, you have zero days to find that tech on your network and secure it before someone else tries. As fun, enlightening, and necessary as these events are, they lead to a sad truth: Waterfall, Agile, and DevOps frameworks all continue to fail to deliver better, more secure code and software out of the box after nearly 30-40 years of trying. However, there is a way to prevent your organization from becoming the target after the “games are over.” Reach out if you’d like to learn more.
