Are we at risk for not allowing white hats into web web apps?
Joris Evers at CNET has a good article up on whether we are all at risk because supposed white hats are afraid of potential legal prosecution for hacking into web apps without permission. Jeremiah Grossman of White Hat Security (and a past guest on our podcast) is quoted as saying that: "We're losing the Good Samaritan aspect of security". He uses the gun law analogy that if we make it illegal to find vulnerabilities in web sites, only bad guys will find them. Sort of like if it is illegal to own guns, than only bad guys will own guns. I disagree with the gun analogy and I disagree with Jeremiah on this one. I just think there is too much room for abuse to allow condone people hacking into web sites. Who really knows what their motives are.
Evers brings up the case of Eric McCarty who hacked into USC's online application system. Many who support the idea of White Hats being allowed to hack in originally were sympathetic to McCarty's plight. Further investigation revealed however that McCarty may not have had the "good sumaritan" motives driving his actions. In fact there may even have been elements of spite and revenge there. So I think that it is too much to trust the motives of anyone hacking into a web app and it needs to be illegal without permission
This also brought up a conversation I had with Thomas Ptacek on our podcast a couple of weeks ago. Most every web app being sold and used by the enterprise is now being subject to 3rd party audits by companies such as Matasano and White Hat Security. I think that is a good thing and see nothing wrong with such investigation and certification being done with permission in a paid engagement like that. When you have people hacking in for no reason other than their good will though, I have a problem with everyones motives being the same.