How Card.com Is Securing Itself and Its Users With Open Source
Finding and fixing bugs is a lot easier when the bug-finding process is crowdsourced and the underlying technology is open source.Finding and fixing bugs is always a challenging task, but it's a task that prepaid card vendor Card.com is making easier by leveraging crowdsourcing for its bug-funding efforts. Part of the Card.com platform is built on top of open-source technology, including the Drupal content management system, which is a key component in enabling Card.com to more easily fix bugs that are found. Greg Knaddison, Card.com's director of engineering, explained to eWEEK that his company has been using the Bugcrowd security vulnerability crowdsourcing technology in a bid to accelerate its efforts at finding bugs. Bugcrowd is a managed service that helps organizations crowdsource their bug-finding efforts. Knaddison said that before engaging with Bugcrowd, Card.com was not getting as many bugs reported to it by security researchers as it had hoped. With Bugcrowd, Knaddison said that Card.com has been able to get an increase in both the volume and quality of bug reports that it receives. The way it works is that Bugcrowd has its own community of security researchers that reaches a wider audience than Card.com could reach on its own. While Bugcrowd manages the bug-tracking platform, Card.com currently is responsible for understanding, validating and fixing the reported security issues, according to Knaddison. Bugcrowd does have a service to help organizations validate issues, though Knaddison said it's not something that Card.com is currently using. Some organizations choose to use Web Application Firewall (WAF) technology to implement network layer protections for application vulnerabilities, but that's not the path that Card.com is taking. Bug fixes for Card.com could well have a much broader impact than just the Card.com site, since the open-source Drupal content management is used as the content management system.
"We're heavily involved in Drupal. I'm a member of the Drupal security team and the former lead of the team for over two years," Knaddison said. "So it's an area where we have a fair amount of expertise and depth, and we feel that our situation is best served by fixing vulnerabilities directly in the software itself."