Avast CISO Jaya Baloo asks Katie Moussouris, hacker and CEO at Luta Security, about her “Aha!” moments in the world of bug bounties
Hosted by Avast CISO Jaya Baloo, the Avast Hacker Archives (AHA) series showcases the valuable “Aha!” moments achieved by white hat hackers and researchers that changed the course of our digital world.
In Episode 2, Jaya interviews Katie Moussouris, founder and CEO of Luta Security. She specializes in helping businesses and governments work with hackers to better defend themselves from digital attacks.
Katie started with computers at age eight in her bedroom on a Commodore 64. She was the first female in her high school to take AP Computer Science and has continued to achieve many firsts in the hacking community. Katie is now an established pioneer and expert on bug bounty programs, vulnerability disclosure standards, handling processes and secure development, and a recognized cybersecurity public speaker.
In our episode, Katie tells the story of how a presentation she made at a grad-school symposium led to the first ever cash-incentivized bug bounty program for the Department of Defense called Hack the Pentagon.
While many companies come to Luta Security – beautifully named after the island in the Northern Marianas where Katie’s mother was born – ready to start a bug bounty program, she encourages them to first seriously consider investing in what they are doing to prevent and self-detect the bugs they want to hunt. She states that cash rewards aren’t always the best solution to solving a company’s digital security.
Katie and Jaya then discuss the SolarWinds supply chain case study. Katie describes how it’s getting more difficult to defend networks with so many pieces and vendors involved. She uses the term multi-party vulnerability coordination to describe the work of studying and improving vulnerability disclosure capabilities across the many organizations that rely on each other throughout hardware and software supply chains.
Katie started Luta with a deep-seated conviction that she could help companies and governments better understand what they don’t know, including what tools and talents they need. One of Luta’s first clients was the UK Government. She helped them not only create a vulnerability disclosure program, but also a maturity assessment capability so they could onboard different government agencies in an orderly fashion. This became especially important when the UK’s National Health Service had to roll out a Telehealth program virtually overnight at the start of the pandemic. Currently, the US government is set to release its own vulnerability disclosure program by March 1, 2021.
If Katie could have any wish granted in the cybersecurity industry, it would be that the deployment and implementation of security patches had a faster and more effective operational process. One of the biggest problems isn’t that new patches aren’t being created fast enough; it’s that they aren’t being applied quickly and thoroughly to networks.
Closing out the episode, Katie raises the topic of gender and racial inequalities in the cybersecurity industry. In order to combat these societal inequalities and drive systemic change, she has founded her own foundation, the Pay Equity Now Foundation.
“Aha!” moments bring insight and understanding to a quickly changing world. We’re excited to be documenting them. Hear Katie discuss in detail the topics mentioned above as well as much more in our latest episode of Avast Hacker Archives: