For the casual observer of information security, it may look like everyone is after the next one-off vulnerability and not trying to effect actual change on larger problems. While there are certainly exceptions to this which should be celebrated (such as OWASP), they have typically been few and far between. Meet-up groups (ISSA, city-sec, etc.) are great, too, but don't often have much impact in the grander sense of information security. Just over the past few months, though, some interesting initiatives have been taking off and improving information security in remarkable ways beyond the daily break-fix security lifestyle.
While not a brand new initiative, Bugcrowd is certainly picking up steam after its recent seed round netting $1.6M in investment. Whereas a traditional application security assessment involves perhaps a few qualified attackers, Bugcrowd lets organizations have hundreds of attackers assess the security of a given web site at one time. By providing monetary and CPE incentives for the participants doing the assessment, Bugcrowd can give the client better assurance than a typical firm can that their app will be looked at very closely and from many angles. By changing the underlying business model of security assessment, this can push the market to ensure firms put more effort into their testing, and it also gives an aspiring penetration tester (or similar) a safe, ethical, and legal way to cut their teeth.
I am the Cavalry
We're still seeing vendors across spaces such as home automation, medical device manufacturing, and automobiles taking a rather weak stance on information security best practices. Meanwhile, the security researchers who are working to prevent catastrophic issues in these areas have their hands tied, or are simply not supported in their efforts to protect the greater good. That is where a new community effort called "I am the Cavalry", led by Nicholas Percoco and Josh Corman, comes in. While the actionable aspects are still in the works, their overall mission statement is straightforward: "preserving security research through the demonstration of public good". There are many, many ethical and civically-minded security researchers who spend their time trying to help and not hurt; this group has the potential to give a united face to that goal.
Google's OSS Rewards Program
Bug bounties are not unique. However, Google is raising the bar for bounty programs everywhere by focusing not just on its own software but also on the open-source software that no doubt contributes to its environments. Google captures this bigger-picture shift in the following quote: "So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug." By paying not only for finding issues in software but also for proactively securing software before problems start popping up, we will all benefit, whether as Google users or otherwise. Given the reach of the projects they are currently funding (with more on the way), real impact could be seen.
Hot on the heels of the very successful crowd-funded bounty for hacking Apple's new Touch ID (istouchidhackedyet.com), a new bounty called IsTrueCryptAuditedYet? has been started by Kenn White and Matthew Green. The goal of this bounty may not be as sexy to the media as getting around Apple's latest biometric feature, but it's a very important step for the many folks relying on TrueCrypt for data security. While many people use such cryptographic software (open-source and closed), rarely is there a coordinated front to handle security and legal assessment in a meaningful way. While this approach may not be practical for every piece of software, given how widely used and important TrueCrypt is, it will certainly provide value to the many who rely on it and hopefully help it grow an even larger community of users.
None of these initiatives claims it is going to solve every problem we have, but each has a goal that will ultimately either benefit a large number of people or help to change the portion of this community it is focused on. The people, companies, and teams behind these goals should be applauded and helped as able by the rest of us. We're in an exciting time for this community, and the momentum we gain now could pay off hugely, not only for our careers but by truly making an impact for everyone.