CARD.com recently finished their campaign to help test Drupal 2FA authentication with their bug bounty program, which helped secure not only CARD.com, but the open-source Drupal community as well.
We discussed the results with Greg Knaddison, Director of Engineering, and Matt Chapman, Sr. Open Source Platforms Engineer, at CARD.com. Greg is also an advisory board member (volunteer) with the Drupal Association. Learn more about CARD.com's Bugcrowd story and why they chose to run their bug bounty through Bugcrowd.
Q: Why did CARD.com decide to help test Drupal’s 2FA authentication with a bug bounty?
We wanted to get a 2FA solution for our own use. There was a starting point for doing 2FA in Drupal that had been built by Acquia. We decided to take this opportunity to improve the existing 2FA solution, so that it would be ready to be deployed on Drupal.org. As we worked on improving the UX and adding features, one question remained: how do we gain confidence that the module is secure? Based on our previous success with Bugcrowd, we felt it would be a great fit for some focused testing in a bounty.
We also knew that 2FA for drupal.org would be a huge improvement. The site currently uses simple username and password authentication. If we could secure administrator accounts with a second factor, that would help reduce the likelihood of drupal.org getting hacked.
Q: Running a bounty in partnership with open-source software -- does it provide an effective way for companies to secure their products?
Absolutely. The 2FA module for Drupal is already seeing adoption on sites other than ours. The more users, the more likely people will contribute improvements that we get to benefit from. Much of the work we did on UX was based on bugs identified when members of Drupal’s community tested out the module.
Getting a third party to audit code for security can be expensive and provides very little additional assurance; just like programmers can make mistakes, so can auditors.
By sharing security tools with an open-source community, companies can get real confidence. The "auditors" of the code are not just neutral service providers; they are fellow users of the software, with a real stake in making sure that it is secure for everyone.
Q: What type of results did you receive?
We built a capture-the-flag-style site where the password for the admin user was just “admin” and we told the whole world about it. This was a bit of a promotional effort to add some sizzle to the bounty. The most valuable issues we received actually came from people who inspected the code, but at least one or two of them were from people trying out the module on the site. None of the issues would allow an immediate break-in, but they definitely showed some weaknesses in the module and protocol that we hadn’t considered. The most serious issues are now fixed and we have more confidence in the module.
Interested in trialling the effectiveness of a bug bounty and receiving better testing results like CARD.com? Get the slides and video about Flex, our crowdsourced pen test.