The second half of July turned out to be rich in Microsoft news on bug hunting. On July 21 it became known that the company had launched a cloud platform for finding vulnerabilities, and on July 26 company representatives announced a new stage of its bug bounty program: the corporation is ready to pay up to $250,000 for bugs found.
Artificial intelligence guarding security
The cloud vulnerability search service is built on Microsoft Security Risk Detection. Previously known as Project Springfield, it is designed to find critical security bugs in software by fuzzing. Microsoft has used this technology to find critical bugs in Windows and Office.
In 2016, besides Springfield, the project had an unofficial name, the "million-dollar bug detector": it was reported to have helped Microsoft find serious vulnerabilities whose value was estimated at roughly $1 million. Now the application is being prepared for general release on the Azure platform.
The new cloud service is built around artificial intelligence that looks for bugs in software before release. It constructs "what-if" scenarios in order to narrow down the likely sources of critical errors while stress-testing the customer's code; in practice this is fuzzing, feeding the program systematically mutated inputs and watching for crashes. The service can identify weaknesses in a program before it ships, so that developers can prepare the necessary patches and be ready in the event of an attack.
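As an added illustration, and not Microsoft's code or the Security Risk Detection engine itself, the following Python sketch shows the mechanism every fuzzing service rests on: start from a known-good input, mutate it, keep the mutants that reach new code in the target, and stop at the first one that makes the target crash rather than reject the input cleanly. The record format, the deliberately buggy parser and the seed input are constructed for this example; coverage is taken with the interpreter's own line tracer.

```python
import random
import struct
import sys
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

# --- Constructed target: a small record parser with one deliberate bug --------
# Format (invented for this example): b"RC" magic, then records of
# [type:1][len:1][payload:len]. Type 3 is a "table": [count:1][cells: count*4].

def parse_records(data: bytes) -> list:
    if data[:2] != b"RC":
        raise ValueError("bad magic")            # clean rejection, not a crash
    pos, out = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated header")
        rtype, length = data[pos], data[pos + 1]
        payload = data[pos + 2 : pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated payload")
        pos += 2 + length
        if rtype == 1:
            out.append(("text", payload.decode("latin-1")))
        elif rtype == 2:
            out.append(("sum", sum(payload) % 256))
        elif rtype == 3:
            if not payload:
                raise ValueError("empty table")
            count, cells = payload[0], payload[1:]
            # BUG: `count` is trusted; nothing checks that `cells` holds count*4
            # bytes, so an oversized count makes struct.unpack fail on a short slice.
            out.append(("table", [struct.unpack(">I", cells[i * 4 : i * 4 + 4])[0]
                                  for i in range(count)]))
        else:
            raise ValueError("unknown record type")
    return out

# --- Coverage harness: which lines of the target did this input execute? ------

def run_with_coverage(target: Callable[[bytes], object], data: bytes
                      ) -> Tuple[Set[int], Optional[Exception]]:
    covered: Set[int] = set()
    name = target.__name__

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code.co_name == name:
            covered.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        exc = None
    except ValueError:
        exc = None          # the parser rejecting bad input is expected behaviour
    except Exception as e:  # anything else is a bug: the kind of crash a fuzzer hunts
        exc = e
    finally:
        sys.settrace(None)
    return covered, exc

# --- Mutation-based, coverage-guided fuzzing loop -----------------------------

INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary values worth trying
MAX_LEN = 64                                    # keep inputs from growing forever

def mutate(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                              # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                            # overwrite a byte
        i = rng.randrange(len(buf))
        buf[i] = rng.choice(INTERESTING) if rng.random() < 0.5 else rng.randrange(256)
    elif op == 2 and len(buf) < MAX_LEN:             # insert a byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and len(buf) > 1:                   # delete a byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

@dataclass
class Crash:
    data: bytes
    exception: Exception

def fuzz(target, seed_input: bytes, iterations: int = 5000, seed: int = 0) -> Optional[Crash]:
    """Return the first crashing input found, or None if the budget runs out."""
    rng = random.Random(seed)
    corpus = [seed_input]
    total_cov, _ = run_with_coverage(target, seed_input)
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        cov, exc = run_with_coverage(target, candidate)
        if exc is not None:
            return Crash(candidate, exc)
        if not cov <= total_cov:        # reached a line no corpus entry had reached
            total_cov |= cov
            corpus.append(candidate)
    return None

def reproduces(target, data: bytes) -> bool:
    """Replay an input without the tracer and report whether it still crashes."""
    try:
        target(data)
    except ValueError:
        return False
    except Exception:
        return True
    return False

# Constructed well-formed seed: one text record and one valid single-cell table.
SEED = b"RC" + bytes([1, 2]) + b"hi" + bytes([3, 5, 1]) + b"\x00\x00\x00\x2a"

if __name__ == "__main__":
    crash = fuzz(parse_records, SEED, iterations=5000, seed=1)
    if crash:
        print("crash:", crash.data.hex(), "->", type(crash.exception).__name__, crash.exception)
    else:
        print("no crash within budget")
```

The loop treats a clean `ValueError` as the parser doing its job and only a foreign exception as a finding, which is the same distinction a production fuzzer makes between a rejected input and a memory-safety crash. The coverage feedback is what turns blind mutation into the "narrowing" the text describes: mutants that exercise new lines are kept as parents, so the search concentrates on inputs that get deeper into the parser.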
According to Microsoft researcher David Molnar, the tool is suitable for companies that write their own software, modify off-the-shelf software, or license open-source software.
The topic of AI platforms for finding bugs comes up regularly in discussions of promising technologies. For example, in 2016 Mike Walker, a program manager at the US Defense Advanced Research Projects Agency (DARPA), presented his vision of the future of computer security. In his view, the results of the DARPA Cyber Grand Challenge proved that artificial intelligence is capable of finding and fixing bugs on its own.
One of the finalists of that competition was GrammaTech, a developer of computer security software. In essence, the contest required teams to build a system that finds vulnerabilities in software on its own, before competitors can exploit them.
A quarter of a million for attentiveness
Less than a week after showing its cloud service, Microsoft announced an expansion of its bug bounty program for Windows products. Rewards range from $500 to $250,000 depending on the product and the bug.
The corporation proposes focusing on vulnerabilities in products such as Windows Insider Preview, Hyper-V, Windows Defender Application Guard and Microsoft Edge.
Participants who discover vulnerabilities in the Hyper-V hypervisor (Microsoft's hardware virtualization system) can claim the maximum reward of $250,000. This year Kaspersky Lab warned of a number of serious Hyper-V vulnerabilities. Unfortunately, however, Russian companies and developers will not be able to take part in this program.
Bug bounty programs are popular with other technology companies too: Facebook, Google, Mozilla, Yandex and others. Here, for example, are the terms of Yandex's bug hunting program. The practice draws a large number of participants, motivated by the reward, into the search for potential vulnerabilities.
People readily join in bug hunting, and for some it becomes a profitable occupation. For example, HackerOne, a startup whose platform lets any company pay independent hackers to probe its security, brought in more than $7 million in its first four years on the market. HackerOne's clients include Slack, Twitter, Yahoo and Uber.
Despite the impressive rewards, bug bounty programs pay off for large companies: the vulnerabilities found help them strengthen their defenses and save on future losses from cyber attacks.
Speaking of potential losses: according to Kaspersky Lab data from 2016, a single incident costs a large enterprise $861,000 on average, and a small or medium-sized business $86,500 per attack.
Beyond direct losses from cyber threats, vulnerabilities sometimes have unpredictable consequences. For example, in 2016 the US regulator fined 12 financial companies a total of $14.4 million for deficiencies in their cyber security systems, and Yahoo lost $100 million as a result of a series of hacker attacks.
In 2013, researchers at the University of California, Berkeley presented a report arguing that paying rewards to independent security enthusiasts for finding bugs is more cost-effective than hiring employees to do the same work. The paper examined the Google and Mozilla vulnerability reward programs for the Chrome and Firefox browsers: between 2010 and 2013, Google paid $580 thousand for bugs found and Mozilla $570 thousand.
Beyond the obvious benefits, bug bounties help find talented employees. At a briefing at the Black Hat USA 2017 security conference in Las Vegas in July, Salesforce disclosed that it had paid out more than $2 million for bugs since 2015. One of the strongest participants in the Salesforce program was a 16-year-old student from Argentina; the company valued his work so highly that he and his family moved to San Francisco so he could join the Salesforce security team.
Human or artificial intelligence?
As noted above, before becoming a mass-market product, Security Risk Detection was an internal Microsoft tool. Yet alongside it the corporation has turned to crowdsourcing. Does this mean artificial intelligence cannot do the job of a bug hunter?
David Molnar of Microsoft himself assigns the automated service the role of an additional assistant to developers.
David Brumley, co-founder of the security software developer ForAllSecure, says it will take time before the computer replaces the human. The reason is that artificial intelligence lacks the creativity characteristic of cybercriminals. A program can act according to a pattern, even learning as it goes, but to identify all possible vulnerabilities it must fully account for the human factor.
Simon Crosby, CTO of the security company Bromium, holds a similar view. He shared the following thought with Hewlett Packard Enterprise: "What AI can really do is look through the huge amounts of data we get from all kinds of systems and identify anomalous behavior [...]. So artificial intelligence, as a rule, comes in on the analytics side."
The recently popular topic of workplace automation suggests that artificial intelligence is more effective than human intelligence, including in cyber security. For instance, according to a recent survey by the training company Udemy, 43% of American workers are worried about losing their jobs to AI. Yet forecasts say that by 2021 there will be 3.5 million unfilled cyber security positions worldwide, so corporations are far from ready to give up human labor in this area.
Meanwhile, hacking techniques keep improving and taking new forms. In July, a vulnerability was discovered in the widely used gSOAP library, leaving millions of IoT devices, such as surveillance cameras, exposed to remote attacks; by some accounts the gSOAP library has been downloaded more than a million times. Active participation by the developer community should play an important role in finding and fixing such weak spots in global security in good time.