A white-hat hacker submitted vulnerabilities to a public vulnerability testing platform, was reported by the vendor and arrested by the police, and, after a period of fermentation, a heated debate finally broke out. The argument centres on "unauthorized penetration testing": should this model continue or not?
Supporters argue that this model has alerted enterprises and institutions that neglect security, attracted more information-security enthusiasts to join the ranks of the white hats, and brought real change to the security posture of society as a whole. Opponents argue that this model encourages arbitrary and irresponsible testing and intrusion into other people's information systems, that black hats can even use it to disguise themselves as white hats while illegally making money, and, the hardest argument to refute, that the act itself is suspected to be illegal.
In this article the author tries to set aside the details of the various arguments in the debate, and instead to deduce possible future trends from three facts that have already happened, to see the essence through the phenomenon, and to prompt deeper reflection rather than falling into a fruitless quarrel.
The first fact: the rise of WooYun (乌云, "dark clouds")
In the past two years, through the exposure of major vulnerabilities, WooYun's influence has risen rapidly. But have you considered why? Why, after the exposure of so many influential vulnerabilities, is WooYun still standing?
In fact, many people know the answer. Vulnerabilities in major information systems endanger society as a whole, and exposing them is healthier than covering them up. Together with the general rise in network-security awareness across society, this is the powerful invisible force supporting WooYun.
The second fact: the attitude of Party A (the client side)
This is also a well-known fact in the industry. Companies and institutions whose vulnerabilities have been exposed are gradually changing their attitude towards outside personnel taking part in penetration testing, and this change has undoubtedly brought great value to the whole security industry and to society. But there are still some whose thinking has not changed, especially the state-owned enterprises in important industries or fields; for them the crowd-testing model remains a line they dare not cross.
The third fact: the Pentagon crowd test
1400 white hats were invited to take part in a penetration test against the Pentagon and found more than 100 vulnerabilities. This is the open attitude of the highest U.S. defence agency towards crowd testing.
A conclusion can be drawn from the above three facts: vulnerability crowd testing meets a real security need and is an effective security solution. The current crowd-testing model in China is still in its infancy, and it is likely to have great potential for development in the future.
I believe most people will not object to this conclusion. In fact, the focus of the debate is "unauthorized penetration testing"; whether to disclose vulnerabilities, and in what way, follows from it, because the premise of obtaining authorization is that both parties reach an agreement on vulnerability disclosure, whereas with unauthorized testing the initiative for disclosure obviously lies in the hands of the person who found the vulnerability, whether they choose to publish on a platform or on their own.
The above is a basic statement of the current situation of vulnerability crowd testing in China. Now let us think more deeply:
In the history of human civilization, any innovation is doubted and greatly hindered by traditional ideas. In fact, there is no absolute right or wrong between the two sides. It is not that innovation means right and conservatism means reactionary. Moreover, innovation often means rebellion, even against the law, while conservatism means protecting existing interests and maintaining stability and harmony.
Conflict between the two is always inevitable. The key is whether the innovation brings more value than destruction, whether it is merely a "utopia", and whether it has been verified by time and practice. A conservative side that has laws to follow and is reasonable should not be labelled as "blocking innovation". The non-extreme idea of maintaining existing law and order and guaranteeing vested interests should not, in any case, be criticized too harshly.
The problem is: what should we do?
Do we acquiesce in the harassment and pain that the new model of "unauthorized penetration testing + open vulnerability disclosure" brings to enterprises, or, in the name of aligning with international norms, wield the sword of the law and force compliance? Whichever we choose, we cannot ignore the current situation with Chinese characteristics, nor bypass the facts that domestic information-security awareness is generally weak and that network-security laws and regulations are still imperfect.
That's right: "penetration testing of any system without authorization is strictly prohibited" is merely the default rule of international open-source security-testing organizations and the foreign security industry; China's laws are not so detailed.
That's right: requiring crowd testing to obtain the authorization of the tested party is a very good code of conduct for testing, and a challenge for both parties. But we know what the domestic security situation was like before the crowd-testing model emerged. After the lid was lifted, has the value not been far greater than the destruction?
That's right: the unauthorized crowd-testing model really has troubled and hurt some enterprises, and to some extent has connived at the bad behaviour of some unscrupulous hackers. But in China, information-security awareness is generally weak, the crowd-testing model is still in its infancy, and many conservative enterprises today remain in a wait-and-see and skeptical attitude. To reject a security model that has brought such far-reaching significance and great value, is that not thoughtless and radical?
At the end of the Qing Dynasty, when the Americans recommended the new train to Empress Dowager Cixi, the Old Buddha (as Cixi was called) replied:
The sedan chair is better. It is safe and comfortable.