Why firms need bug bounty programmes to mitigate risks

Ethical hacking identifies and seals IT systems loopholes, boosting security.


We are all going digital, from the mom and pop shops trying their hand at e-commerce to the blue chips injecting some fresh blood into ways of working that may have grown stale and rigid over the years. Digital spans both online and mobile, with the two being inextricably intertwined.

Web portals, platforms and mobile apps are becoming the default touchpoints for thousands of consumers with the brands and services that they love.

Having worked with both large firms and SMEs building their digital touchpoints, there is one part of our development cycle that always sees numerous review meetings, with clients unable to immediately grasp its value and cost. This phase I fondly refer to as “break time”.

Digital systems are living environments and they must be continuously stress tested beyond what is documented in the user acceptance document and checked off the statement of work. This is primarily because the User Acceptance Testing and Statement of Work are fashioned to confirm that the system behaves as it should under correct circumstances and usage.

This works out well until someone decides to use your system in a slightly different way and is then able to circumvent safeguards, gain unauthorised access to resources or compromise services. The two guarantees that no honest software development firm can ever give are those of 100 per cent security and zero bugs; not even large operations such as Google, Uber and Facebook, backed by an army of engineers, can give them.

Best practice as adopted by these large operations serving millions, and one that should find a home in corporate Kenya and among all those who build and offer platforms for use by businesses and individuals, is to have a well-documented and well-funded bug bounty programme.

At its most basic, this takes the form of a platform or system provider acknowledging that they cannot cover all bases and inviting security researchers, certified ethical hackers, engineers and other DevOps professionals to try to break the system and identify loopholes and risk areas that may compromise operations or degrade services.

There is a process that is followed to allow for the logging of findings and the filtering of the noise that is bound to be present from false positives and out-of-scope issues. There is a publicly declared purse that is used to compensate the individuals and teams whose findings help identify issues and fortify services.

It is unfortunate that in Kenya, many companies are pushing out digital products while hiding behind a thin veil of security by obscurity, sometimes caused by tight budgets or poor procurement choices that sell the assumption that infrastructure and systems are rock solid to the point of being immune even to zero-day vulnerabilities.

It is time to put your money where your app is.

Mr Njihia is CEO of Symbiotic. Email: @mbuguanjihia.
