Cybersecurity is paradoxical: Information sharing is as imperative as staying mum about what preventative tools a business has in place.
Transparency in cybersecurity comes in many forms, including information sharing, software accountability, and incident response and disclosure. Finding the sweet spot between too little and too much transparency is an everyday challenge.
Too much, or at least widespread, transparency for cybersecurity fixes can backfire on victims. When Bitdefender disclosed a flaw in DarkSide ransomware, the gang's operators swiftly remediated it, according to a May ProPublica article. By publicly disclosing the finding, Bitdefender tipped off DarkSide.
Two security researchers found the decryptor before Bitdefender did, ProPublica said. The pair did not publicly disclose their finding but worked behind the scenes aiding targets of the ransomware. Bitdefender's issue arose from how the decryptor was shared, not from the fact that it was shared.
The cybersecurity community has good intentions and benefits from information sharing. But when reactionary or ego-based decisions are made, the value of transparency is tarnished. Companies always have to question when too much transparency is too much of a good thing.
"Openness and transparency is a friend of security, not a foe," said Marten Mickos, CEO of HackerOne, during a virtual Q&A Monday. "Of course, the bad guys, the criminals, will see that they will counteract the counter reaction," which makes transparency seem like the wrong move.
Ransomware doesn't inherently pose a unique threat to transparency, though. Bitdefender's published finding is another lesson in how companies are inadequately defending themselves.
"We had just one company who figured out that vulnerability" in the ransomware, Mickos said. "Why didn't we have 300 groups who all arrived at that conclusion? That would have allowed us to act much faster."
When one criminal group can cause mass destruction — consider the actors behind SolarWinds — collaboration across industries and sectors is essential.
For Mickos, it's basic math: "When you share information in the long run, the good will always win because you share it in every instance of sharing goes to one-thousand people and one person can cause harm."
"But the one-thousand people who are on the good side can cause even more positive change," Mickos said.
Where transparency is appropriate
HackerOne is updating its Internet Bug Bounty program to address software supply chain security issues, as companies are more frequently engaging in vulnerability disclosure programs. However, the identification and disclosure of vulnerabilities is changing as hackers target more business-oriented flaws, according to Tanner "cache-money" Emek, professional white hat hacker, during the webcast.
"You can't really scan the code and fix those; there are no automated scanners, because it's chaining components together to weaken what a company cares about the most," Emek said. If Emek can find something that's commonly misunderstood — such as authentication flow — he'll "usually look at a bunch of different companies and bounty programs that implement that."
Because it's common for many developers to implement shortcuts, sharing vulnerabilities is beneficial across organizations. Part of this process begins in open source, where companies recycle code.
"I think it starts from recognizing that securing any piece of software is an incredible feat of engineering and challenging for anyone," said Alex Rice, co-founder and CTO of HackerOne, during the Q&A. "It's not fair to say that open source is any harder than any other piece of software, it's just got a different set of challenges than securing normal software."
Most of the vulnerabilities uncovered in open source codebases have been around for at least two years, a 2021 Synopsys report found. Open source is unique in that "everybody knows about every single mistake that you made. If that were true for every piece of enterprise software, I guarantee you open source would look a lot more secure," said Rice.
This is an issue the Biden administration is attempting to resolve with a more formalized implementation of a software bill of materials for federal government contractors. The administration expects developers to use open source, but with the knowledge that the code is up to date and capable of a timely response to vulnerability discoveries.
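The practical value of a software bill of materials is that, when a new vulnerability is published, an organization can answer "are we running the affected component, and at which version?" without re-auditing every build. The following is an added example, not code from the article or from HackerOne, showing that lookup over a constructed CycloneDX-style SBOM and a constructed advisory list; the component names, advisory identifiers and version ranges are all made up for illustration, and the version comparison is a simplified numeric one rather than a full semantic-versioning implementation.

```python
"""Check a software bill of materials (SBOM) against known advisories.

Added example. The SBOM below is a constructed, CycloneDX-style document and
the advisory list is constructed too; a real check would pull advisories from a
vulnerability database and use a full version-specifier library.
"""
import json
from typing import Dict, List, Tuple

# Constructed SBOM (CycloneDX-like shape, trimmed to the fields used here).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http",   "version": "2.3.1",  "purl": "pkg:pypi/example-http@2.3.1"},
    {"type": "library", "name": "example-yaml",   "version": "5.1",    "purl": "pkg:pypi/example-yaml@5.1"},
    {"type": "library", "name": "example-crypto", "version": "41.0.2", "purl": "pkg:pypi/example-crypto@41.0.2"}
  ]
}
"""

# Constructed advisories (hypothetical identifiers). A component is affected when
# affected_from <= version < fixed_in; fixed_in of None means no fix exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "name": "example-http",   "affected_from": "2.0.0", "fixed_in": "2.4.0"},
    {"id": "EXAMPLE-2020-0002", "name": "example-yaml",   "affected_from": "0",     "fixed_in": "5.4"},
    {"id": "EXAMPLE-2019-0003", "name": "example-crypto", "affected_from": "0",     "fixed_in": "3.3"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.1' into (5, 1) so versions compare numerically, not as strings
    (string comparison would rank '41.0.2' below '5.1'). Non-numeric fragments
    such as 'rc1' count as 0; adequate for this example, not for production."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when a < b, padding the shorter tuple with zeros so '5' == '5.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def is_affected(version: str, advisory: dict) -> bool:
    """Component is affected if affected_from <= version < fixed_in."""
    if version_lt(version, advisory["affected_from"]):
        return False
    fixed = advisory["fixed_in"]
    return fixed is None or version_lt(version, fixed)


def check_sbom(sbom_text: str, advisories: List[dict]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) match, naming the fixed version
    so the response action (upgrade to X) is immediately clear."""
    sbom = json.loads(sbom_text)
    by_name: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        for adv in by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"] or "no fix available",
                })
    return findings


if __name__ == "__main__":
    for f in check_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

Run as a script, it reports two findings (the http and yaml components) and correctly leaves the crypto component alone, because 41.0.2 is well past the constructed fix version 3.3; a plain string comparison would have misreported it. The same loop run each time an advisory feed updates is what turns an SBOM from a compliance artifact into a timely-response tool.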
Supply chain compromises come back to misplaced trust in vendors, because detection and response are still immature, according to Rice.