Sorry for the one-day delay in the blog posting…truth be told, my attorney just received my official USPTO trademark certification yesterday, and I was just reveling in that. As mentioned, it took me two years to get it. Anyways, if you haven’t noticed, the bulk of my writing has been on Biometric Technology. Essentially, this is a proof positive way of confirming one’s identity based on their unique physiological and/or behavioral traits.
In fact, I have already written three books on this, so in the future, I will be creating more posts on Biometrics. This technology is a great way to add an extra layer of security for your business, whether it is on the outside or the inside, and it is even a great way to replace your hundreds of passwords.
Speaking of adding extra layers of Security, it is always important to keep testing them on a regular basis to make sure that there are no hidden holes or vulnerabilities in them. This is where the role of Penetration Testing takes place. In fact, this is an entire branch of Cybersecurity, and has a plethora of opportunities in it. There are also even tons of certs you can get in this field as well. I will be writing more articles on Penetration Testing (also known as “Pen Testing”) in the future.
Essentially, this is where you hire an outside organization or a trusted third party to use the appropriate tools and methodologies to simulate real-world attacks on your defense perimeters in order to discover these unknown holes or vulnerabilities. After the test or tests are conducted (they are usually pretty lengthy, depending upon your needs and requirements), you usually get a written report summarizing the tests that have been done, the results, and the various strategies that you can use to fill up these hidden gaps and holes.
But you can also hire Pen Testers on a freelance basis, if cost is an issue to you (but be careful with this; it’s always best to conduct a background check on these kinds of hires). This is exactly what Netflix is now doing. According to a recent news report, the company has hired numerous Pen Testers of this kind in a so-called “bug bounty” program. For each unknown vulnerability that is discovered, the company is willing to pay up to $15,000. Now, that’s A LOT of money.
However, Netflix is not just hiring anybody willy-nilly. These Pen Testers have to be actually registered with the company, and even have a specialized cert to go along with their level of experience. A lot of stuff is being tested this time around, which includes Netflix.com (their website), as well as their mobile apps on both the Android and the iOS platforms, which are accessed by some 120 million Netflix users.
Netflix actually launched this “bug bounty” program back in 2013, but since 2016 it has outsourced this program to a third party called “Bugcrowd”. At the start, Netflix only had about 100 Pen Testers; now they have well over 700. Many other businesses and corporations offer such “bug bounty” programs, but what makes Netflix so special that it draws such a huge crowd?
According to Casey Ellis, the CTO at Bugcrowd: “What’s unique about Netflix and makes this program so exciting is the enormous amount of traffic that the company transmits around the globe. That traffic is now being protected by the broader white hat community.” (SOURCE: https://threatpost.com/netflix-opens-public-bug-bounty-program-with-15k-payout-cap/130630/).
But these Pen Testers do not have complete, free rein over the assets at Netflix. There are certain restrictions in place, such as not having the ability to access customer and employee information/data, and not pre-releasing any form of Netflix content that is currently in beta version. Also included in these restrictions are Netflix device client applications and any other third-party websites not owned or managed by Netflix.
Pen Testing is actually a very exciting field, and there is a lot that goes into being a Pen Tester. A lot of the tools are now automated, but there is still a lot of attention that needs to be paid to detail and also to making sure that there are no errors or glitches that occur in the process. I will be writing a lot more about this in the future, so stay tuned. In the meantime, if you want to see detailed articles and whitepapers, go to: resources.infosecinstitute.com. Type “Penetration Testing” in the query box (which is at the top of the website), and you will have a ton of stuff that comes up.