Hacker News new | ask | show | jobs
by swframe 4091 days ago
Like other serious business flaws (e.g. the GM key ignition bug), companies weigh the risks and can conclude that it is cheaper to respond the problem than to fix it proactively. As a result, should the government require businesses with sensitive data to implement bug bounties?
1 comments
smt88 4091 days ago
> As a result, should the government require businesses with sensitive data to implement bug bounties?

No. They should go further. We should have a law, similar to Sarbanes-Oxley, that forces companies to undergo a security audit every year.

Otherwise, we're going to be in an endless cycle, where companies refuse to invest in security, a huge breach occurs, and everyone suffers.

The current system does not incentivize investments in security because they hurt the bottom line and have no tangible, immediate value to shareholders. That's a dangerous situation.

link
icebraining 4091 days ago
Having read about multiple "security audits" done by under the PCI-DSS and similar mandates, my faith in their effectiveness is pretty low. This is an (admittedly extreme) example: http://serverfault.com/questions/293217/our-security-auditor...

I'd rather see some security standards (updated yearly or so) and heavy fines and reimbursements after an hack (not necessarily malicious - proof of concept published by a white hacker would do), if the security was lax. Triple them if the company hid the fact that they had been hacked.

link
smt88 4090 days ago
It's just impossible to avoid being hacked. If you're a big enough target, someone on the bleeding edge is going to have the desire and ability to get you. What if you're hacked because of a secret NSA backdoor installed in some firmware?

Fining companies heavily for being hacked is like fining someone for being rained on. Except, in this case, the rain is pretty much a guarantee, and the person knows that, and when they get rained on, their customers get screwed. So you fine them for not having an umbrella.

An audit doesn't necessarily need to be done the way it has before. It could even just be a bug bounty hackathon, like the big browsers do.

If whitehats had a ton of easy-to-find work to do, there'd probably also be fewer blackhats.

link
icebraining 4090 days ago
It seems you missed the "(...) if the security was lax" part.
link
jacquesm 4090 days ago
The only thing that will do is kill a ton of small time websites.
link
smt88 4090 days ago
Are you familiar with Sarbanes-Oxley? It only applies to publicly-traded companies. It hasn't killed any of them yet, unless of course they were actually committing fraud.

If security audits were to become mandatory, they would only apply to companies of a certain size.

link