Crowdsourced Security to protect public services and administrations

Public services have major digital security challenges. Crowdsourced security offers flexible, scalable and affordable solutions to address them.

Local authorities, hospitals, schools, postal services… So many administrations that handle large amounts of sensitive data on a daily basis, starting with citizens’ data. Digital security issues are crucial: since the risk is real, so is the responsibility.

But in the public sector as in the private one, it is not always easy to ensure security at all levels. Budgetary limitations, lack of qualified personnel, intrinsic complexities of the infrastructures, the obstacles are numerous.

If there is no cure for all ills, crowdsourced security offers solutions adapted to the challenges of public administrations in terms of:

• security
• funding
• scale
• implementation
• flexibility

Flexible and scalable security operations

Public services are as numerous as they are eclectic. It’s impossible to come up with a single security strategy for all of them. That said, collaborative security has the advantage of offering flexible and scalable solutions that can be adapted to almost any situation – municipalities, metropolitan areas, hospitals, transportation, water and sanitation utilities, etc.

Pentest as a Service: a gateway to the world of crowdsourced security

Let’s take the example of a municipality that needs to secure a critical application, developed internally or by an editor. For example, a software application for the filing of reports for the municipal police. A data theft would be catastrophic for the city, for image and public safety reasons.

Unfortunately, this municipality – like many others – has limited human resources and budget. Here, crowdsourced pentesting is an ideal and affordable solution. A small-scale penetration test allows the municipality:

• identify potentially critical vulnerabilities ;
• by easily mobilizing selected ethical hackers to test the application ;
• which allows to initiate a first contact between the technical teams of the municipality and the community of hunters ;
• all for a fixed and reasonable cost.

Once the municipality and its technical teams are familiar with the practice, it is possible to move up a gear with, for example, pentesting for architecture, infrastructure, remote access, etc. Here, the French city of Boulogne-Billancourt sets an example.

The example of smart cities and Boulogne-Billancourt

Smart cities offer many entry points for malicious individuals. It is therefore imperative to take preventive action. Under the leadership of its CIO Christophe Vergeron, Boulogne-Billancourt was one of the first cities in France to call on ethical hackers to secure its environments. Several operations have been carried out:

• An initial infrastructure pentest ensured that all ports that had been opened due to the pandemic – for telecommuting, for example – were not vulnerable;
• An application pentest tested a software that manages citizen data;
• Finally, an ethical hacker was sent on site to test the city’s public WiFi access.

Crowdsourced security was very interesting. Financially first, with the notion of bounties. You only pay if bugs are found – it encourages performance.

Secondly, there are no compromises. A traditional service provider will often adapt to the client’s request, directing the research or even the results according to the objectives. With ethical hackers, it is efficiency that counts. Vulnerabilities must be found, and they find them! The campaigns carried out in Boulogne have enabled us to identify several vulnerabilities, and then to correct them. In the end, it is the security of the citizens that has been reinforced. […]

Cybersecurity is not only about protecting systems and softwares, it is also about protecting citizens. A city has a duty to ensure digital security as it ensures the safety of people.

– Christophe Vergeron, Chief Information Officer at Boulogne-Billancourt

Bug Bounty: payment by results, an interesting business model for public administrations

Crowdsourced security allows for a progression of actions to be taken. Pentests allow public administrations to familiarize themselves with ethical hacking at their own pace. The most obvious vulnerabilities are identified for a fixed cost, and technical teams can take the time needed to remediate.

When a public service is mature enough regarding security, it can go to the next level: bug bounty.

In practical terms, bug bounty is a bug hunt, a challenge to ethical hackers. The interest of bug bounty for a public entity is twofold:

• The financial guarantee: No results = no expenses. An ethical hacker can only claim a reward if he finds an exploitable vulnerability.
• The guarantee of efficiency: This payment by results combined with the power of the number of hunters is what allows bug bounty to efficiently identify the most critical vulnerabilities.

The example of French local authorities: a mutualized bug bounty financed at 70% by public funding

Previously, we took the example of a city with Boulogne-Billancourt. Now, let’s zoom out a little and go to a larger scale.

In June 2022, a mutualized bug bounty was launched by French local authorities. About fifty elite Yogosha hackers were selected to test the fifteen most used softwares by the country’s cities. An administrative platform for day care registration, a queue management software…

This shared bug bounty operation has several advantages for local authorities:

• identify vulnerabilities in applications used by all cities in the country, and thus strengthen the digital security of citizens;
• benefit from the interesting economic model of bug bounty, with a logic of payment by results;
• incur a single expense thanks to the mutualization of the operation;
• benefit from a 70% financing by the government’s plan “France Relance”, with the support of the National Agency for Security and Information Systems (ANSSI).

If the example here concerns local authorities, the bug bounty and its mutualized form are applicable to any type of public administration.

Digitizing the security processes of public administrations

The benefits of crowdsourced security do not stop at pentesting, bug bounty and VDP. In addition to these programs, the Yogosha platform allows public administrations to:

• Digitize and simplify vulnerability management: vulnerabilities are notified in real time, vulnerability reports can be processed from A to Z from the platform, operations can be easily paused to manage the flow of reports and expenses, etc.
• Centralize all environments and their security issues in a single tool: applications, websites, APIs, third-party softwares… Everything can be tested. Centralizing all environments within the platform provides a macro view of the security of the administration. Monitoring and analytics dashboards help guide decision-making based on data.
• To coordinate and manage internal technical teams by taking advantage of the platform’s features: Yogosha allows to mobilize ethical hackers, but also to create groups of internal researchers. The different workspaces and their advanced management of rights and users allows to better organize tasks. The various integrations (Jira Server, Jira Cloud, Gitlab…) naturally incorporate collaborative security into the workflows of technical teams.

Supporting public services and their teams towards better digital security

You can’t expect a public administration to be as flexible as a start-up. Existing processes are often time-consuming, budgets are limited and cybersecurity talents are scarce. As a result, the same IT department may be responsible for all digital issues, including security. It is not always easy to conduct security operations, or to ensure that vulnerabilities are properly addressed.

Ease of access and implementation of processes is a major issue in the adoption of crowdsourced security. This is why support is one of our main missions.

Yogosha Managed Services are complete and scalable support solutions. We collaborate with the most prestigious consulting firms to set up customized action plans, from the construction phase to the remediation phase:

• needs analysis ;
• advice on the operations to carry out and the perimeters to test;
• community management of ethical hackers ;
• report triage and vulnerability reproduction;
• support for field teams;
• action and remediation plans…

In a nutshell, Yogosha and crowdsourced security allow public services to:

• strengthen digital security for citizens and the territory;
• identify vulnerabilities with flexible security operations that adapt to the maturity of each administration
• benefit from an interesting business model for public administrations and from potential public funding
• digitize existing security processes
• simplify vulnerability management
• to be accompanied towards a better global security with evolving and personalized action plans