On this week’s episode of Security Nation, we’re delighted to be joined by Katie Moussouris, CEO and Founder of Luta Security. A pioneer in security architecture, she offers a masterclass in vulnerability coordination, from vuln disclosure and bug bounties to creating sustainable vulnerability management, and more.

Taking foundational corporate values seriously: The origins of Luta Security

To many, Katie Moussouris needs no introduction. Of her myriad cybersecurity accomplishments, including a stint at Microsoft, she is perhaps best known for creating Hack the Pentagon, the first bug bounty program launched by the U.S. Department of Defense. Following that, she founded Luta Security, and in the roughly four years since, the organization has enjoyed organic growth with no outside investors—just a strong customer base.

One of the values guiding Luta's development is a commitment to pay equity. Katie describes bringing a gender discrimination lawsuit against Microsoft as one of the proudest moments of her career. Though the case has yet to be decided, her efforts draw praise from those who recognize that Luta holds itself to the same standards of fairness and accountability. For instance, when Katie discovered that an employee had been underpaid, she insisted that Luta issue back pay.

Along with championing pay and promotion reform, Katie rejects the gig economy mindset. For evidence that tech increasingly views workers as disposable labor, look to startup culture, where idealistic corporate values sit uneasily alongside chronically underpaid workers and hiring managers who think nothing of firing them on a whim. By contrast, Luta Security supports labor rights and mobility, and guarantees its contractors the right to convert to full-time employment at their job site, a policy that remains unchanged today.

Addressing misperceptions: Differentiating vuln disclosure from bug bounty programs

Shifting from policies to practices, Katie notes a common tendency in the security industry: conflating bug bounty programs with vulnerability disclosure and vulnerability management. The two differ, and organizations that fail to distinguish between them do so to their detriment. Properly understood, a vulnerability disclosure program does more than offer cash for particular bugs: it establishes a process to receive, triage, and remediate reports, so that the deeper security issues behind them actually get addressed.

Katie makes this argument in the two ISO standards she helped write (ISO/IEC 29147 on vulnerability disclosure and ISO/IEC 30111 on vulnerability handling processes). While vuln disclosure involves more than standing up a web form or an email address, most companies needn't invent the process from whole cloth. What's more, dwelling on the difficulty of setting up an intake channel is unhelpful: it scares organizations away from the challenge, so they never get around to the work that follows intake, namely triage, developing a fix, testing it, and releasing it. The point is, building an intake process isn't a Herculean task. Handling what comes in is.

Vuln disclosure goes wrong because nobody starts taking security seriously simply because they pay hackers. Companies focus on superficial fixes at the expense of deeper issues, reaching for bug bounty Botox when their cybersecurity health really requires surgery.

Bug bounty platforms may promise to scrub all the spam and deliver only high-quality bugs, but Katie reminds us that you still need skilled employees capable of dealing with those bugs. Likewise, larger software companies already taking in, say, hundreds of thousands of email messages may find the notion of putting up cash bizarre. Why bother with a bug bounty when you already have an intake funnel? Once again, the answer lies in finding the right people and directing a friendly set of eyes toward the problem.
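The handling lifecycle sketched above (receive, triage, fix, test, release) together with the dedup step a busy intake funnel needs, as an added example. This is not code from the podcast or from Luta Security; the state names, the per-severity remediation deadlines, and the fingerprint scheme are assumptions chosen for illustration, and the sample reports in `demo()` are constructed.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Allowed lifecycle transitions. A report cannot jump from "received" to
# "released": triage, fix development and testing are mandatory steps.
TRANSITIONS = {
    "received": {"triaged", "rejected"},
    "triaged": {"fix_in_progress", "rejected"},
    "fix_in_progress": {"testing"},
    "testing": {"fix_in_progress", "released"},  # a failed test sends it back
    "released": {"disclosed"},
    "disclosed": set(),
    "rejected": set(),
}
OPEN_STATES = {"received", "triaged", "fix_in_progress", "testing"}

# Remediation targets in days, counted from the triage date. Assumed values
# chosen for this example, not figures taken from any published standard.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def fingerprint(product: str, component: str, vuln_class: str) -> str:
    """Coarse dedup key: same product, component and bug class => same case."""
    key = "|".join(s.strip().lower() for s in (product, component, vuln_class))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


@dataclass
class Report:
    report_id: str
    product: str
    component: str
    vuln_class: str
    state: str = "received"
    severity: str | None = None
    triaged_on: date | None = None

    def advance(self, new_state: str, on: date, severity: str | None = None) -> None:
        """Move to new_state, refusing any transition the lifecycle forbids."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.report_id}: {self.state} -> {new_state} not allowed")
        if new_state == "triaged":
            if severity not in REMEDIATION_DAYS:
                raise ValueError("triage must assign a known severity")
            self.severity, self.triaged_on = severity, on
        self.state = new_state

    def deadline(self) -> date | None:
        if self.triaged_on is None or self.severity is None:
            return None
        return self.triaged_on + timedelta(days=REMEDIATION_DAYS[self.severity])

    def is_overdue(self, today: date) -> bool:
        d = self.deadline()
        return d is not None and self.state in OPEN_STATES and today > d


class Tracker:
    """Intake funnel: dedups by fingerprint, then owns each case's lifecycle."""

    def __init__(self) -> None:
        self.reports: dict[str, Report] = {}
        self._by_fingerprint: dict[str, str] = {}

    def intake(self, report: Report) -> tuple[Report, bool]:
        """Return (canonical report, is_duplicate); a duplicate opens no new case."""
        fp = fingerprint(report.product, report.component, report.vuln_class)
        if fp in self._by_fingerprint:
            return self.reports[self._by_fingerprint[fp]], True
        self._by_fingerprint[fp] = report.report_id
        self.reports[report.report_id] = report
        return report, False

    def overdue(self, today: date) -> list[str]:
        return sorted(r.report_id for r in self.reports.values() if r.is_overdue(today))


def demo() -> dict:
    """Constructed sample run; the reports and dates are made up for the example."""
    t = Tracker()
    first, dup1 = t.intake(Report("R-1", "WebApp", "login", "sqli"))
    second, dup2 = t.intake(Report("R-2", "WebApp", "Login", "SQLi"))  # same bug, new mail
    first.advance("triaged", date(2020, 3, 3), severity="critical")  # deadline 2020-03-10
    try:
        first.advance("released", date(2020, 3, 4))  # skipping fix and test must fail
        skip_rejected = False
    except ValueError:
        skip_rejected = True
    first.advance("fix_in_progress", date(2020, 3, 4))
    first.advance("testing", date(2020, 3, 8))
    overdue_before = t.overdue(date(2020, 3, 12))  # still in testing past the deadline
    first.advance("released", date(2020, 3, 12))
    return {"dup_flags": (dup1, dup2), "canonical_for_dup": second.report_id,
            "skip_rejected": skip_rejected, "deadline": str(first.deadline()),
            "overdue_before": overdue_before, "overdue_after": t.overdue(date(2020, 3, 12)),
            "final_state": first.state}
```

Calling `demo()` walks one report through the whole lifecycle: the second submission is recognized as a duplicate of the first rather than opening a new case, the attempt to release straight from triage is refused, and the case shows up as overdue while it sits in testing past its severity deadline, then drops off the overdue list once released. The deadline clock and the transition table are the two pieces that turn "we have an email address" into an actual handling process.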

The evolution of Zoom: A case study in maturity and sustainability

So, how important are bug bounty programs to overall vulnerability management? Katie actually advises customers to consider skipping bug bounties in favor of more efficient security investments. The goal is a sustainable security posture, which means developing a secure, mature, and repeatable structure of the sort she helped the U.K. government roll out. She notes that Luta Security doesn't focus much on sales or marketing, preferring to stick to an established skill set.

Perhaps the lack of sales and marketing hasn't hurt them. Case in point: Eric Yuan, the CEO of Zoom, approached Luta about vuln disclosure. They kicked off a maturity assessment in December, and then the coronavirus pandemic hit. Almost overnight, Zoom's usage exploded from 10 million to 200 million daily users. As Zoom became a global-scale company, scrutiny of its privacy and security practices escalated, and it assembled an all-star team of outside industry experts to help carry the load. When Katie offered her assistance, they were eager to keep her on board to help address changing security and privacy expectations.

This reiterates that security is a marathon, not a sprint. Companies rarely know how to perform security functions at the outset, and implementing appropriate measures is more than a 90-day affair. With Zoom, Katie notes she enjoys participating in the organization's security program at such an exciting time in its evolution.

Listen to the full podcast

We would like to extend a big thank you to Katie for sharing her insights and expertise on sustainable vulnerability management with Rapid7 listeners. Check out the full podcast, and make sure you subscribe so you don’t miss out on future episodes of Security Nation.