Armoring Processes in a Regulated Tropical River: La Miel River Case

Keywords: Bug-Bounty, Penetration Testing (Pentesting), Information Security, Security Researchers

Abstract

The article opens with a summary of the contemporary challenges corporations face in protecting their data. It then presents an effective tactic available to organizations: security audits and controlled intrusion exercises, focusing on an in-depth analysis of two of them, penetration testing (pentesting) and Bug-Bounty, covering their definitions and evolution as well as their advantages and disadvantages. Finally, it argues that Bug-Bounty cannot completely replace expert-led pentesting, and that the two can be seen as complementary approaches that help improve an organization’s security.

Author Biography

Jaime Andrés Restrepo-Gómez, Universidad de Manizales

Systems and Telecommunications Engineer. CEO of DragonJAR, Master’s in Information Security, Universidad de Manizales


Support agencies:

bug-bounty, penetration test (pentest)



How to Cite
Restrepo-Gómez, J. A., & Correa-Ortiz, L. C. (2024). Armoring Processes in a Regulated Tropical River: La Miel River Case. Ciencia E Ingenieria Neogranadina, 34(1), 11–22. https://doi.org/10.18359/rcin.7059
Published
2024-06-30
Section
ARTICLES
