By: John Baker, Solutions Engineering Manager and Bug Bounty Advisor for HackerOne
Take the stereotypical image of a hacker in a dark room wearing a hoodie: it is not the darkness we fear, it is what is in the dark. We fear what we cannot see. Given the negative stigma that has historically surrounded the term "hacker", it is easy to see why some organisations are concerned about adopting hacker-powered security.
The good news is that the perception of the term "hacker" has been changing, especially in recent years, with the rise of bug bounty programs and ethical hacking. Some of the best hackers today are security engineers and professionals in the InfoSec industry who also hack for good in their free time so that companies can improve their security posture. This incredibly talented community stands ready to serve the security teams of modern organisations. What started in the darkest underbelly of the internet has turned into a force for good, first as a respectable hobby that talented people could pursue on the side. Now it is much more than that: a professional calling for hackers, pentesters and security researchers who are trusted and respected and who provide a valuable service for us all.
In a poll conducted by HackerOne, we asked CISOs to share the top three challenges they face when adopting hacker-powered security. I presented this data in a recent HackerOne webinar session. Their top concerns are highlighted below.
1. Lack of Resources
Specifically, there are not enough resources to find vulnerabilities before the bad guys do and to protect the brand:
- 83% of CISOs see security vulnerabilities as a significant threat to their organisation
- 45% of CISOs admit that pen-testing does not deliver enough results to keep pace with development. Only 12% believe that pen-testing alone is sufficient.
- 64% of CISOs say that the pace of development in their organisation outstrips the security team's resources. This number is expected to grow, especially if Agile and DevOps practices continue to be adopted without corresponding changes to security practices.
There is a limit to how many security professionals an organisation can hire onto its team. Harnessing the power of the hacker community, however, immediately brings more eyes to your assets. HackerOne has the largest number of registered hackers in history, over 800,000, and that number is constantly growing and expanding into new countries around the globe. Every five minutes, a hacker reports a vulnerability on the HackerOne platform. In 77% of our programs, hackers find the first vulnerability less than 24 hours after launch.
In addition, several HackerOne customers have described how implementing hacker-powered security saved them an average of almost US$400,000 over a period of three years by reducing internal security and application development effort. A big reason for this is that bug bounty programs take a pay-for-results approach instead of a pay-for-effort model, so effort is not duplicated just for the sake of compliance reporting.
2. Lack of Trust
We understand that embracing hackers is a daunting prospect. CISOs and IT professionals find it harder to trust remote hackers than the pen-testers they hire to work on-site in their office.
- 57% of CISOs would rather accept the risks of security vulnerabilities than invite unknown hackers to fix them.
- Only 26% of CISOs are willing to accept bug submissions from the entire hacking community.
- 54% of CISOs would not be comfortable accepting bug submissions from hackers with a criminal past.
Again, the fear here is of the unknown. If you receive a vulnerability report today through email, LinkedIn or Twitter, you may wonder who the sender is. It is just an email address, usually a Gmail account. Maybe the English isn't perfect. Then you wonder: how seriously should I take this?
HackerOne provides a streamlined process and platform for organisations to connect with ethical hackers looking to hack for good. In fact, 28% of hackers on HackerOne's platform say that their main motivation for hacking is to do good in the world. It is not all about the money, although that certainly helps. Hackers have helped resolve over 150,000 vulnerabilities for our customers, and 79% of HackerOne's customers run private bug bounty programs, which give organisations tight control over exactly which hackers are invited to participate.
Despite the perception, many of our hackers are security consultants by day; the hacker on the other side of the connection may very well be the same person you would hire as a pen-tester. We all know that putting a property on the internet results in thousands of attacks, whether or not a bug bounty program is inviting them. Data breaches and exploited vulnerabilities are in the news daily.
HackerOne also provides a hacktivity feed in which you can see these hacker profiles. You can see which programs they have worked with, the bugs they have submitted to date (if public), feedback from existing customers, and even their individual performance stats.
The bottom line is that vulnerabilities exist and hackers are looking for them anyway, so it is better to harness the power of white-hat hackers before bad actors exploit them.
3. Security Slowing Down Innovation
Another top concern from CISOs is that organisations are slowing down the flow of delivery instead of removing obstacles and adapting to the modern SDLC. Security teams worry about introducing new vulnerabilities and increasing risk, and the result is that innovation is stifled.
As development teams experience it, security disrupts the flow, provides only negative feedback, and never seems to learn. New bugs appear all the time, and the rate is only increasing as more organisations adopt agile software development and DevOps.
- 86% of CISOs say software projects are stifled due to fears of inevitable security issues
- 48% of CISOs say their organisation spends too much time fixing security issues in code. If security issues are found sooner in the development life cycle, they take less time to fix.
This is where a bug bounty program helps. HackerOne fits security into innovation rather than opposing it. Data from bug bounty programs helps organisations identify their recurring problems and understand how to secure and future-proof digital assets further down the line.
With bug bounty, testing is continuous and ongoing, and it mirrors the SDLC. Data from bug bounty programs can aid innovation, speed up processes, and give development teams a better handle on which vulnerabilities they are likely to introduce, speeding up successful delivery rather than slowing it down.
To summarise, hacker-powered security enables continuous testing while keeping pace with continuous development in a cost-efficient way. Hackers can find vulnerabilities before the bad guys do and protect your brand. The sooner vulnerabilities are found, the easier they are to fix. That is why companies like Spotify and Shopify are using hacker-powered security to help aid innovation and inform development teams on what vulnerabilities are likely to be introduced. There is no faster way to find vulnerabilities than working with hackers.