Internet security breaches, this booming new market
It’s no longer a secret: “all the websites of large French companies contain flaws”
According to a report published in recent days by the Wavestone firm, 100% of the sites in the Top 200 of large companies are vulnerable. What does that mean? Can we browse in peace? On the face of it, browsing itself is not the problem. You will not be infected with malware the next time you visit a well-established site. Rest assured! IT development being an activity subject to ordinary (and human!) hazards:
File upload forms are often the easy entry point for malicious hackers looking for a breach and data theft. The same goes for login modules and everything surrounding the management of user sessions.
The trust placed in the users of an information system when they submit any type of form is often the easy entry point for malicious hackers seeking an offence (misuse of a company resource) and/or data theft (company data, personal data, etc.).
Is it an insoluble evil?
Large French companies are allocating increasingly large budgets to the protection of their data and their systems. The threat is taken seriously. This often means bringing a team of security experts in-house and acquiring an ever-expanding arsenal of defences and protection tools, security audits being one of the methods used to spot existing security vulnerabilities.
But what is the point of fighting against hackers/cybercriminals who are constantly damaging your information systems?
We have to admit that the North Americans are once again several years ahead of the Europeans. They have long understood that instead of investing so heavily in the fight against cybercrime, it is better to reward ethical hackers for the help they could give them in this permanent quest to secure their information system. This has allowed the development of a whole new market where security-related bugs (vulnerabilities) become the object of financial transactions which all have a market price.
An interesting initiative from ANSSI
ANSSI is the national information systems security agency, a government agency dedicated to monitoring the various cyber-attacks perpetrated on French soil. It has just announced its desire to facilitate the reporting of security breaches, while ensuring the protection of the ethical hackers who disclose them. This should advance reflection on the positive role played by the community of “white hats”. The announcement was made during the recent SI Assises, which took place in Monaco in recent days. An explanatory guide should be distributed to “bug hunters” in order to provide them with the rules to follow and a legislative framework.
The emergence of “Bug Bounty” in France
This is a very recent phenomenon that offers an alternative to projects already existing in the United States, where some start-ups have raised tens of millions of dollars to ensure the security of large American companies thanks to the community of benevolent hackers (or security experts). In France, for example, Orange was the very first CAC40 company to set up a so-called Bug Bounty. It carried out the experiment on the BountyFactory.io platform during the “Nuit du Hack” on July 2, 2016, an event that brings together more than 1,800 experts at Disneyland Paris each year. It was an opportunity to bring together lawyers and developers in order to follow in real time the “bug” reports issued by vulnerability researchers and other participants in this large-scale competition.
The phenomenon is therefore growing
It must be said that such programs make it possible to bring out the most critical, never-before-discovered flaws, thanks to the collaboration of hundreds or even thousands of experts who can be distributed, thanks to the reach of the Internet, throughout the world. The diversity of analytical methodologies explains such efficiency. Here again there is a fairly strong parallel with the large teams of “quants” who have invaded financial circles to develop new methodologies for understanding risk.
To protect yourself, it is better to be aware of your “vulnerabilities” rather than close your eyes and hope that no incident will ever arise. The digitization of intrusion tests is underway and French companies can now take advantage of it, for better protection. In ten years’ time, it is a market estimated at tens of billions of euros, just for Europe! This shows the magnitude of this ongoing cyber-revolution …
The risk associated with this financialization
Obviously, becoming aware of the number of vulnerabilities in your perimeter is not necessarily good news, neither for your budget nor for the realisation that on today’s web it is no longer enough simply to code: security must be integrated from the design stage, in a logic of defending the data of your users. Big data has become a fundamental trend, but it is still necessary to be able to properly protect this data. This is the primary risk of the new digital economy. The cost of “cyber-risk” insurance policies has recently seen an increase of +200% from the main insurers, due to the explosion in claims observed in recent years. For our national champions, this becomes an issue to be taken into consideration beyond even the financial impact.
A race for competence is now underway. And recruiting experts in-house is not easy. The best are indeed much better paid on the Bug Bounty platforms and retain full flexibility in their schedules. It is very difficult, then, to hire them. The emergence of a “white” market on these new crowdsecurity platforms, as opposed to the “black” market hitherto concealed on the darknet, where vulnerabilities were sold for some millions of dollars, nevertheless represents an opportunity for large groups as well as startups to forge a new relationship with the community of ethical experts.
Today, there is no longer any need to spend 50,000 euros on a security audit and to wait several weeks or even months to obtain a realistic assessment of your security. With a few clicks to register, and for a budget that can start from a few thousand euros, it is possible to invite a first pool of identified experts ready to help within your scope. This type of more restricted program is called a “Private Bug Bounty”. It is particularly suitable for startups and for the first phase of securing any large group, where very many flaws will be identified, since by definition the perimeter is often very wide and therefore very exposed. This makes it possible to manage the increase in load and the correct processing of corrective patches. The goal is to benefit from a list of “bug” reports in just 48 hours, thanks to the “gamification” offered by the platforms to their members, then to identify the most critical ones in order to correct them in a short time and thus significantly improve your security. The new-generation web will be both more open and more secure!
Yannick Robert is a French serial entrepreneur. After starting his career focused on banking and finance (he was a trader for Dresdner Kleinwort Wasserstein in London), Yannick Robert created his first company, Parisdamis.com, in 2008. In 2010, he created Mywittygames, a crowdfunding platform. He alternates entrepreneurial and employee experiences within various financial companies.
He is now at the head of 2Pi Capital, his own trading company, as well as of Boursif.com, a company specializing in analyzing performance on the Eurostoxx50 market. He is also a consultant.