This blog is authored by Lt. Stephen Cunningham, U.S. Air Force and James “JT” Thomas, Air Force Digital Service.
In 2016, the Defense Digital Service launched Hack the Pentagon, the first bug bounty program in the history of the federal government. Since kicking off, the program has engaged ethical hackers and leading security researchers across the globe to help the DOD identify and remedy thousands of security vulnerabilities.
In October 2018, the U.S. Air Force was looking to test the Common Computing Environment (CCE) and its configurations. While the CCE platform has a significant number of security measures in place, it was still important to test the environment from an external and internal perspective — so we tapped Bugcrowd and its trusted Crowd of security researchers.
We had recently established the CCE to provide an enterprise-wide cloud environment to support current and future cloud-hosted applications. Composed of both Amazon Web Services and Microsoft Azure commercial cloud platforms, CCE has been a huge priority for Air Force senior leadership, with a plan to migrate more than 100 Air Force applications to the environment.
Prior to this, we were running an on-prem data center, but needed to be more efficient and secure, so we moved those applications to the cloud. Then, the Air Force decided to start centralizing some of those efforts, working with other offices to get their applications to the cloud.
Given the high importance and impact of the environment, running a crowdsourced security assessment against the infrastructure played a key part in validating and strengthening the security of this new model the Air Force was pushing. The question we needed to answer was, “Are we actually as secure as we think we are?”
Bugcrowd’s first bug bounty engagement with the DOD ran in coordination with the CCE Program Office at Hanscom Air Force Base from March to June 2019. With the help of Bugcrowd, we completed the program in six phases, each with a different focus:
- Source code analysis
- Amazon Web Services environment testing
- Microsoft Azure environment testing
- Black box network-authentication assessment
- Social engineering engagement
- Air Force portal testing
Through the assessment, security researchers found 54 vulnerabilities. The most significant findings involved researchers being able to access certain roles or configurations that they had not been assigned. Even though these vulnerabilities only existed within escalated-privilege accounts and within virtual private clouds, the submissions were immediately remedied and were great lessons learned for future development. In sum, we paid out more than $123,000 in rewards, with $20,000 being the top prize.
Looking back at the assessment, one of the things that really stood out with Bugcrowd was the team’s compliance mindset in actually going out and testing the boundaries, not just being satisfied with what the checklist said. We secured a lot of bright minds to go out and test the limits, and to share great feedback on where the security actually sits.
Additionally, we saw great value from focused testing and researcher grants. There are pieces of the CCE software that just aren’t all that cool to hack on, so Bugcrowd being able to dedicate resources to go pound on focused areas that we know are critical was invaluable. The feedback loops we put in place, including retesting to make sure each vulnerability was fixed, were integral to our success; we use time-to-remediation and retesting success as key measurements for ourselves.
Security is foundational to everything we do in IT. For instance, if I’m a service provider to other missions in the Air Force and my system fails to be secure, that means someone else’s mission fails. From day one, we sign up to be a stable and secure hosting platform for these missions, because they’re trusting us to display DoD power outward. That’s why we’ve always been focused on security. To make sure we stay at the forefront of this, we push the boundaries with initiatives like the crowdsourced security testing with Bugcrowd, as well as working on some of our own internal tooling and education to keep pushing forward.
Learn more about how the U.S. Government uses crowdsourced security to keep data safe in Bugcrowd’s new Government & Defense Cybersecurity spotlight report.