What if 1,000 security experts analyze my app’s vulnerabilities?

  • Subject: Creating a safe and pleasant game culture using the bug bounty platform
  • Lecturer: Youngho Lee – Samsung SDS (Hacking Zone) / Vice President
  • Presentation area: Security
  • Lecture time: 2021.11.17 (Thu) 17:00 ~ 17:50
  • Lecture summary: He explained the bug bounty, a global security check method, and introduced Korea’s security culture and the in-house venture ‘Hacking Zone’.

    ■ Who will protect my castle? – With a few mercenaries?

    The title ‘Small President’ means that he is the head of a Samsung in-house venture. Samsung SDS Vice President Lee Young-ho operates a bug bounty platform called ‘Hacking Zone’. He started by explaining what a bug bounty is, and then introduced Korea’s security culture and ‘Hacking Zone’.

    “You might be thinking, ‘Why do you come to a game show and talk about security, which isn’t fun?’ I prepared this lecture to make security interesting to hear about. The topic I’m going to talk about today is the bug bounty platform. To make it easier to explain, let’s use an analogy. There is a huge castle. The castle is an application or game you made. The monarch needed someone to protect the castle. He hired a few mercenaries and ordered them to guard the castle.”

    “However, it was difficult for a small number of mercenaries to protect such a large castle. The mercenaries compromised by protecting only the weakest gate. This is the problem with the existing security check. A small number of mercenaries cannot hope for perfect security. If you look at the statistics, the average number of people who go into a security check is 1.5. They check for three days. Can they find all the vulnerabilities in your game or application? Absolutely not. They check based on legal obligations. Your game will get weekly and monthly patches, but it is impossible to check the contents of these patches every time. The cost is also high. The cost of using them per month is on average 10 million won.”

    “The castle seemed safe. However, a citizen discovered a weakness in the wall and reported to the castle lord that there was a crack in the wall. But the citizen was scolded by the security chief guarding the gate: ‘Why were you looking for a weakness, and what did you do with this weakness?’ After that, citizens did not report any vulnerabilities they found in the wall. The vulnerabilities began to increase. Eventually, the castle collapsed. Are you listening to the informants? The game gradually changes, and hacking technology develops. Weaknesses are natural. What matters is whether you listen to them or not.”

    ■ Bug Bounty! – Compliments and rewards for reporting defects

    “A bug bounty is giving praise and rewards to citizens who report defects, rather than ignoring their reports. More citizens report defects, and the result is a flawless wall. The bug bounty system rewards those who report vulnerabilities in a company’s products and services, so that many vulnerabilities are discovered quickly and easily and inspection happens in real time.”

    “The informants are more than 1,000 security experts. Hundreds of people participate in the inspection at the same time for one game or application. They report a large number of vulnerabilities in a variety of ways, without restrictions on manpower or scope. On average, the first report arrives 10 minutes after the start of the inspection, and it is carried out 24 hours a day, 365 days a year. The more critical a vulnerability is, the more compensation is given, and the inspection cost is reduced by 50% compared to before because no compensation is paid for invalid reports. Inevitably, a platform had to emerge to take over the whole process.”

    “The platform takes care of the whole bug bounty process and serves as a link between the various companies and these security experts. A lot of companies are already using the bug bounty platform. Bug bounty is growing into a very universal system.”

    ■ Korean security culture – Very conservative, requires special procedures

    “However, Korea needed a little exception. Korea’s security culture was unusual. Although some of the world’s leading companies already use the bug bounty system, Korea’s security culture was very conservative. Looking for vulnerabilities? What if they plant a bug in the app? What if they steal the source code? What if they spread the word about the vulnerability? Even though a bug bounty was needed in Korea, the conservative security culture did not open up easily.”

    “So a new process was needed. Our Hacking Zone strengthened the existing process with security expert identification, electronic signatures, and vulnerability encryption. When someone registers on the Hacking Zone platform, they can participate only after identity verification and an electronic signature. The digital signature history is managed on a blockchain, and the reported vulnerability database is securely encrypted. However, there were still companies that were uneasy. There were still concerns that some of the participants could cause an incident.”

    “So we created a slightly more secure feature. On the existing platform, security experts could participate in any program. We added a private bug bounty here: we made it possible for only those with verified identities and proven skills at finding vulnerabilities in the field to participate in the bounty. We added an even more special function on top of that. How about checking a fake castle that replicates the real one? Then we could find vulnerabilities more clearly. There is no worry about an incident, and the effect of the check is very high. Even in the conservative Korean security culture, attacking virtual castles was an acceptable line. Hacking Zone provides all bug bounty participants with VDI, a device for entering the virtual environment.”

    “Can you say that the security of the games and apps you run is perfect? Participating in the bug bounty can prove perfection. Are you saying it’s not enough? Participating in the bug bounty can fill the gap.”