100 Conversations with Start-up Security Leaders

1. Why are run-of-the-mill, traditional pentests not delivering effective results?

Time and time again, I speak to disappointed security practitioners who run one, or sometimes several, penetration tests with traditional suppliers. These engagements don’t suit their needs — from long lead times for scheduling, shallow results that don’t find the most critical flaws, and a final report delivered weeks later.

This approach is increasingly unsuitable for many organizations as agile development practices have become the norm. Traditional pentesting often can’t mitigate risk in line with release cycles. Modern organizations have adopted continuous software releases, but The 2022 Attack Resistance Report found only 1 in 3 applications are tested and assessed more than once a year. A report delivered six weeks after the launch of a new beta system, which has seen hundreds of continuous releases since the testing window began, may be of limited use.

2. As my business undergoes digital transformation, how can continuous application security testing help maintain security visibility?

If you have fewer than four security personnel within your organization, you’re not alone. Of my first 100 conversations with start-up and scale-up companies, only one had a dedicated security team of five people or more. Whether your DevOps team is regularly spinning up Kubernetes clusters or your marketing team is creating microsites, it’s extremely difficult to maintain visibility and secure all your digital assets.

The majority of our customers reach out to me because they want help building stronger security teams and processes rather than the other way around. This tells me the demand is there for solutions like bug bounty programs and that utilizing a global talent pool of hackers is quickly becoming the norm for the forward-thinking security leaders of our time.

3. How does my security team maximize efficiency and productivity?

On average, HackerOne’s global team of analysts works around the clock to process 3,000 vulnerability reports per week. Some of our most active public customers receive between 100-200 valid vulnerability reports per quarter. This might sound like an overwhelming volume of information, but with the help of our highly-skilled professional triage team, we take the weight off the shoulders of your internal security teams and help them focus on fixing vulnerabilities, not validating them.

The majority of scale-up security leaders I speak with tell me this support saves valuable time on vulnerability management that is instead directed toward building their actual product. If time is money, developer time is gold. 

4. How do we utilize ethical hackers and monitor their access to our network?

While many cybersecurity leaders recognize the value of working with hackers before we’ve even begun a conversation, it is still common to see hesitation within organizations at large.

Legal and PR teams can balk at the idea of inviting hackers to test your defenses. However, even the most risk-averse organizations, including the DoD and Goldman Sachs, recognize that it’s more of a risk not to ask hackers to help. And hackers want to do good in the world. We’ve surveyed our hacker community for years to understand why they hack. The majority of hackers are pursuing job opportunities — 59% are looking to build skills and gain experience to advance their careers in cybersecurity. Forty-six percent want to help protect users and defend organizations against malicious attacks. Not only are hackers passionately motivated, but they also find vulnerabilities that traditional tools miss. 

However, for organizations that need the strictest control and guarantees, HackerOne provides a number of options: programs can limit access exclusively to our Clear hackers, who are fully security vetted and background checked. The HackerOne Gateway service provides numerous controls to maintain oversight of a hacker’s activity.

5. How do we integrate security earlier into our development lifecycle?

“Shifting Left” describes development practices and workflows designed to find and remove vulnerabilities earlier in the Software Development Lifecycle (SDLC). Everyone knows that finding vulnerabilities and bugs in code as early as possible saves money in developer time, customer impact, and avoiding service downtime.

But, despite the rising popularity of shifting left in cybersecurity, I still get questions about the need to find vulnerabilities in production-level systems if automated scanners can find them earlier.

Although you should absolutely implement good security scanners for your code to mitigate known types and classes of vulnerabilities, what scanners currently exist that can find complex, chained exploits at the human-layer logic of your business? Only human creativity can find novel vulnerabilities in your code. No training data can teach the best machine learning algorithms how to do this. See this publicly-disclosed exploitation a hacker found on Snapchat only earlier this year.

HackerOne: Your Security Testing Partner 

From my first 100 conversations with organizations about HackerOne, I have found that security leaders are increasingly open to adopting crowdsourced hacking services to help them enable business transformation for their organizations.  HackerOne’s Attack Resistance Platform lowers your organization’s threat exposure across its entire attack surface. Your bug bounty, Attack Surface Management, and Pentest as a Service (PTaaS) solutions are centralized under a single platform and enhanced by adversarial testing performed by hackers.  

Your organization is embracing transformation, but how much of your attack surface is exposed to cybercrime? Contact the team at HackerOne today to learn how your organization can become faster than cybercrime.