Wanted Hacked or Patched: Bug Bounties for Third Party Open-Source libraries

Presented by

Chujiao Ma, Senior Security R&D Engineer, Comcast

About this talk

Open-source software components (OSCs) are used in commercial software development across a slew of industry sectors, from communications to finance. Because anyone can create an open-source project, there are no baseline security standards or requirements across the ecosystem, and the owners or maintainers of a project may not have the resources or expertise to offer any security guarantees. The onus of evaluating the security of OSCs therefore falls on their users, i.e., software developers and the institutions they work for. Yet a company may use hundreds to thousands of OSCs within a single application, so a security analysis of every OSC may not be practical. In this talk, we discuss a targeted open-source bug bounty initiative that offers OSC users a proactive approach to investigating the security of relevant components by crowdsourcing the discovery of security vulnerabilities to external security researchers, all without breaking the bank. We illustrate the process with a case study of a bug bounty for JavaScript OSCs used at Comcast. Overall, we conclude that these bounty programs are a cost-effective, low-effort solution to the hidden security risk of OSCs.
Channel

The Executive Women's Forum on Information Security, Risk Management & Privacy is the largest member organization serving emerging leaders as well as the most prominent and influential female executives in the Information Security, Risk Management and Privacy industries. Website: www.ewf-usa.com