In response to the news that pen testers have discovered mega vulnerabilities in car-hire service Uber which allowed them to identify individual drivers and passengers and download their travel history, Lane Thames, Security Research and Software Development Engineer at Tripwire, commented below.
Lane Thames, Security Research and Software Development Engineer at Tripwire:
“Finding multiple vulnerabilities in a product is not surprising. Developing secure software is difficult, even for seasoned programmers who understand security concepts. Unfortunately, our training and educational ecosystem is failing, in general, to properly train and educate technologists about the fundamentals of cybersecurity. The bulk of our human resources in the industry who are or will be developing our computerized technologies of today and the future are not being prepared for a future where cybersecurity issues will impact most of the technology that we use for our day-to-day activities: the vulnerability discoveries found in Uber are perfect examples. A system such as Uber should be designed, from inception, with high levels of security in order to protect the company and its customers. Uber, along with many other companies, is realizing that building secure systems is very hard, even for security-conscious developers. As a result, bug bounty programs are becoming more prominent within the software industry. Bug bounty programs open the doors and allow ethical hackers an opportunity to put their skills to work for profit. On the flip side, companies minimize their costs because payment for service is only required for those who find vulnerabilities within the scope of the program. At the same time, their products can be made more secure. This is a major win-win for both the ethical hacker and the company sponsoring the bug bounty.”