Report Highlights Realities in Vulnerability Testing

Absolutely all software and hardware has vulnerabilities. Absolutely nothing is 100% secure. It's never a matter of whether there are bugs - it's a matter of finding them and remediating them. And as application development and computing infrastructure become more complex, the potential for security vulnerabilities multiplies.

Our computing devices are more interconnected than ever before. These days, your enterprise probably has a cloud network to augment or replace your on-premises network. The Internet of Things (IoT) is rapidly expanding, existing in not only a growing range of consumer goods, but also in specialized industrial, scientific, and medical equipment.

The number of computers you directly and indirectly interact with today is greater than the number of computers you interacted with a decade ago, and much greater than the number of computers you interacted with before that.

The need for penetration testers and other sorts of WhiteHat hackers is greater than ever and only increasing. Yes, vulnerability scanning software and debuggers are very useful, but we also need human beings to find vulnerabilities.

So, the findings of Bugcrowd’s latest report offer valuable information about a group of people that computer technology industries greatly need. In order for more people to enter the security testing field, and in order to support people who are already in the field, we need to know who they are, how they think, and how they got there.

For Bugcrowd’s Inside the Mind of a Hacker 2019 report (gated), over 750 members of their global WhiteHat hacker and pentester community were surveyed between June and October 2018. Here are the findings that I found to be the most interesting.

PenTesters: By the Numbers

Who are security testers, typically speaking? They’re mainly young men. 91.6% of respondents identified as male, 4% as female, and 3.7% said they preferred to not answer. Wow, there are almost as many people not disclosing their gender as there are people who identify as female in the industry. I personally know a couple of openly nonbinary people in computing. It would be nice if future surveys included a category for them.

As I previously mentioned, security testers are generally quite young. 71.5% of respondents say that they're in the 18-29 age group. 5.3% are younger than 18, 22.4% are 30 to 44, and a mere 0.7% are 45 to 59. So relative to security testers, as a 35-year-old woman, I am older and more feminine.

I think it's great that many young people are getting into security testing, but how can we retain WhiteHat hackers and pen testers through their thirties, forties, fifties, and beyond? I think the field would be healthier with a greater age group balance. If ten years from now, most security testers are still under 30, that should raise some alarm, as it might indicate that ethical hackers and bug testers are becoming burned out.

Bugcrowd sees the need that I see for greater diversity amongst WhiteHats. The report states:

“We need people with different backgrounds and perspectives because the adversaries we are trying to protect against, (threat actors, cyber attackers, ‘the bad guys’) also have a wide variety of backgrounds and experiences. This is one of the main reasons the crowdsourced model has been so successful. The wider variety of people and experience we have defending our data, the better our chances of coming out on top.”

The Career of a WhiteHat Hacker

I have often been asked if engaging in BlackHat hacking like Kevin Mitnick or Michael Calce is a reliable way of having a respectable WhiteHat career, as they do now. I really don’t think so. Mitnick and Calce were both lucky and they both engaged in cyberattacks in the 1990s, but they faced brutal prison time before they became free to pursue great jobs. I think if someone now tries cyber-attacking the way Mitnick and Calce used to, they’d see prison without fame and respectable careers afterwards.

Do you want to be a great WhiteHat hacker when you grow up, kids? I suggest you look for bugs in an honest and ethical way and report those bugs to developers and vendors.

There’s a broad spread of education levels amongst WhiteHats: 10.5% of respondents say they've completed only some high school, 8.5% have just a high school diploma, 17.9% have some post-secondary education (meaning education of any kind after high school), 38.3% have an undergraduate college diploma, 6.5% have attended some graduate school, and 18.5% actually hold graduate degrees. Those degrees may or may not be relevant to IT or computer science.

The variety of education levels makes sense when you consider how people get into security testing professionally. 81% say that bug hunting helped get them into cybersecurity in the first place, 43% learned to hack through online resources, and 41% are self-taught. College and university cybersecurity programs are improving, but it's still very common for someone's cybersecurity education to start outside of school. Hopefully employers recognize that and will accept applicants without college degrees who can demonstrate equivalent know-how.

Hunting Bugs For a Living

It seems that security testers are highly motivated to hunt for bugs. 50% of the hacker community say that they go bug hunting even when they’re not at their paid jobs, and 66% say that they spend up to ten hours per week looking for bugs. Maybe that’s partly because the average payout for a vulnerability discovery is $783, and the average yearly payout for the top 50 hackers is $145,000 USD, with over 600 valid submissions.

But money isn't the only motivating factor, as respondents indicated they had more than one motivation for bug hunting: 64% do it for the challenge, 61% seek professional development, 57% do it for the education, 51% want to make the Internet and other technologies safer, and 51% do it for fun. Why not, eh?

People skills may be an overlooked requirement when it comes to being a successful ethical hacker. 35% of respondents say they collaborate with other hackers and 50% expect to collaborate more in the next year. Most surprisingly, more than 20% aspire to become Chief Information Security Officers at large tech companies.

I hypothesize that if we can encourage a greater diversity of demographic groups to get into ethical hacking, the motivations for bug hunting may increase, and so may the necessary people skills. And ultimately, that’ll make all of our computer technology more secure.