Capture the Flag and Bug Bounties: New Trends in Data Security

How do you improve data security? Facebook thinks that making programmers better at identifying and preventing security flaws is a key part of the answer. That's what it moved to do this week by open-sourcing its Capture the Flag (CTF) platform for hosting security competitions.

Christopher Tozzi, Contributing Editor

May 13, 2016

CTF allows organizations to host games that test participants’ security skills. The competitions ask questions about security and coding best practices and reward players who answer them correctly.

Facebook has run its own CTF competitions for several years. But by making the platform open source on GitHub, Facebook says it aims to “make security education easier and more accessible, especially for students.”

Data Security: The Human Factor

To be sure, the open-sourcing of CTF is not exactly a revolutionary move. A game that asks players IT security questions is not the most rigorous way to learn how to mitigate security vulnerabilities. It’s not as if winning a CTF competition certifies one as an elite hacker.

Still, Facebook’s decision highlights a larger trend in data security, which aims to make programmers smarter when it comes to security. CTF is a sign that Facebook sees improving the expertise of coders as a major part of the answer to software security vulnerabilities.

That’s significant because the traditional approach to security has been to rely on software tools to secure programs that may be poorly coded. Encryption algorithms, security scanners, access control lists and the like are supposed to prevent unauthorized access to data, even if it is stored on platforms that are imperfectly coded.

Security tools certainly aren’t going away. But there’s an increasing emphasis on improving the security of software code itself, rather than relying on external security layers to prevent attacks. Facebook’s CTF platform is designed to help programmers avoid placing security vulnerabilities in their programs in the first place.

Bug bounty programs, which have also emerged as a popular trend in recent years, serve a similar purpose. They reward programmers who find mistakes in other people’s code that could lead to data breaches or other problems. Like CTF, bug bounties increase reliance on human expertise, as opposed to automated security software, in order to secure data.

Not all companies are buying into this new trend. Most notable is Apple, which has famously chosen not to participate in bug bounty programs. But the recent iPhone hacking kerfuffle, which ended with third-party programmers apparently defeating Apple’s encryption scheme after the company prominently refused to cooperate with U.S. authorities seeking access to encrypted iPhone data, suggests that placing too much faith in code may be a mistake. Even at Apple, programmers are not as smart as they may like to think when it comes to security, and honing their skills is a crucial component of assuring data privacy.

About the Author

Christopher Tozzi

Contributing Editor

Christopher Tozzi started covering the channel for The VAR Guy on a freelance basis in 2008, with an emphasis on open source, Linux, virtualization, SDN, containers, data storage and related topics. He also teaches history at a major university in Washington, D.C. He occasionally combines these interests by writing about the history of software. His book on this topic, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” is forthcoming with MIT Press.
