FCW : November and December 2016
18 November/December 2016 FCW.COM Cybersecurity

ing in DOD’s pilot “Hack the Pentagon” bug bounty program, which invited vetted members of the public to rummage around five media-related DOD websites with the goal of uncovering security problems. Beginning April 18, DOD asked 1,410 security researchers who had registered for the challenge on the HackerOne platform to find vulnerabilities at defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil.

DOD officials spelled out the terms and conditions under which the activities could be conducted and explicitly stated that hackers would not be prosecuted if they stayed within the given parameters. Bounty hunters would be awarded cash amounts based on the severity of the bugs they found. Litchfield won the top payout of $15,000. The lowest amount awarded was $100.

Defense Secretary Ash Carter declared the program a success: Ultimately, 252 hackers submitted at least one vulnerability each, and 117 received payouts. The Pentagon promptly fixed all the uncovered bugs.

“Through this pilot, we found a cost-effective way to supplement and support what our dedicated people do every day to defend our systems and networks, and we’ve done it securely, and we’ve done it effectively,” Carter said at a June event announcing the results of the program.

It went so well that DOD asked its IT managers to examine all the other areas that could benefit from a bug bounty security checkup. Officials also plan to change DOD contracts to require vendors to submit their products to bug bounty security checks in some instances. And officials will issue a responsible bug disclosure policy to enable security researchers to report bugs without fear of prosecution.

In addition, DOD announced on Oct. 20 that it had contracted with HackerOne, a bug bounty management company, and Synack, a firm that provides crowdsourced security testing and intelligence, to enable DOD components to easily launch their own versions of Hack the Pentagon-style challenges.

All in all, it’s a huge pivot for DOD’s top-down culture. And as the pilot program made clear, Defense agencies will have to change further so that bug bounties will successfully scale.

A bounty of work

Crowdsourcing a security checkup sounds fairly straightforward, but two of the architects of DOD’s program said a lot of organizational work is involved.

“It’s not just a matter of throwing up an email online and seeing what happens,” said Katie Moussouris, founder and CEO of Luta Security. She created Microsoft’s first bug bounty program and helped set up DOD’s Hack the Pentagon program. “You have to prepare, and most organizations are not prepared.”

Agencies must consider the resources they have before they embark on a similar program, said Lisa Wiswell, the Defense Digital Service’s digital security lead.

Those with mission-critical public-facing websites should consider adding bug bounty programs to their existing security and penetration testing procedures, but they should also consider hiring a contractor to manage the process. Among other things, that approach frees up internal technology staffers to focus on squashing the bugs.

For example, DOD received 1,189 bug reports in the Hack the Pentagon pilot, of which only 138 qualified for payouts. Someone had to cull through those reports and verify which ones were valid and which were duplicates.

“The amount of work that people would have had to do to cull through that, to make sure that those reports were robust and to make sure that we could act on them would have created more [of a problematic workload] than would have helped,” Wiswell said. “By paying a contractor, you’ve outsourced a tremendous amount of the work, and you’ve allowed the people who know

Photo caption: In its pilot bug bounty program, DOD worked with HackerOne to have more than 1,400 security researchers explore five media-related DOD websites looking for security problems.