Jedox’s Journey with HackerOne: A Q&A with CTO, Vladislav Maličević

Vladislav Maličević is the Chief Technology Officer at Jedox, a leading global provider of cloud-based enterprise performance management solutions for Financial Planning and Analysis. Jedox prioritizes system security and keeps a laser-sharp focus on product quality. Securing their software, and ensuring best-in-class cybersecurity safeguards for customers, is a priority for Jedox’s security and development teams. 

After seeing success with HackerOne pentests, Jedox transitioned their own Vulnerability Disclosure Program (VDP) to a private, HackerOne managed bug bounty program in 2021. Vulnerabilities are verified by the HackerOne triage team and shared with the Jedox internal ticketing system through an API that tracks the current status of each stage until the issue is resolved and retested.

We asked Vladislav about the value hackers are adding to Jedox’s cloud security strategy. 

Q: How have security researchers* helped you reduce risk in the cloud? 

All Jedox users share a common global cloud infrastructure, so for the bug bounty, we used generic traditional attack scenarios and some with specific characteristics unique to Jedox. One example of a vulnerability was a potential account take-over introduced by code change. We also found issues with the mobile API and bypassing the firewall rate limit. These two high-rated vulnerabilities, which were skipped during internal tests, were found and fixed on time before we rolled out this change to production because the bug bounty surfaced them, making Jedox more secure for our customers.

Q: Tell us a bit about your cloud strategy. What are your security concerns regarding cloud adoption and deployment?

Jedox’s customer base and cloud infrastructure are global, and we’re innovating and adding new components and services to our platform every day, which means changes are constant. This creates a wide potential attack surface for malicious actors. Security and privacy are our highest priority and are baked into the lifecycle of our platform starting with architecture and development, through build and testing, and ending with deployment and configuration.

Q: In what ways has your attack surface hardened as a result of working with security researchers?

Jedox developers adhere to the principles of the Open Web Application Security Project (OWASP). Collaborating with security researchers has allowed us to have "fresh eyes" on our infrastructure. The feedback has helped identify potential problems to help reduce our attack surface, harden the platform, and further improve customer experience.

Q: How do security researchers help you when developing new products or software?

Automated scanning is insufficient for identifying the most critical vulnerabilities. Although scanners identify vulnerable software components, misconfigurations, and minor flaws, specialized security researchers can investigate much deeper. By introducing different scopes over time, researchers have the opportunity to challenge the entire stack of technology in use. Overall, these global security researchers are improving overall product quality and reliability. 

Q: Do you have to adhere to specific compliance regulations or other requirements? 

Jedox has SOC 2 and SOC 3 attestation, and we’re using the ISO27002 best practices as we go through the full ISO27001 certification procedure. To provide customers with the most advanced and reliable Enterprise Performance Management software, we have successfully implemented an Information Security Management System according to ISO2700x Standards. This internal management system, procedures, and training measures are regularly reviewed and certified by an external auditing authority as part of our annual ISO27001 and ISO9001 audits.

Q: What advice would you give to other organizations looking at using security researchers to secure their cloud assets?

Develop a structured plan for scoping your bounty program and be precise on the current challenges and the assets in the scope. This can evolve over time, making your program more effective and providing the best possible experience for the researcher participating. The hacking community is supportive and collaborative so spend time getting to know them and join events to expand your knowledge and experience. 

Q: What are some ways security researchers helped you reduce business risk or spot vulnerability trends throughout your SDLC? 

A HackerOne researcher helped us check and run attack simulations on all possible weak points and attack vectors within our cloud storage policy, where a malicious actor could try to access the system, and extract data. This enabled us to reduce business risk, reduce vulnerabilities, and have confidence in the security of our product.

Q: How do you recommend working with security researchers to discover vulnerabilities, recommended fixes, and test in cloud environments? 

Even with all the benefits of using the cloud, cloud environments are complex. Therefore, Jedox provides a cloud environment to HackerOne researchers that is similar to our customer environments, which helps us identify any issues that real customers may experience. Jedox is a platform consisting of multiple services, and each component has its own API. With increasing dependence on APIs, attackers can find common ways to exploit any insecurities in them for malicious activities.

Q: What will long-term success look like for HackerOne programs at Jedox?

Our goal is to drive expansion of the HackerOne program to integrate the professional validation and external quality assurance on our processes. Our teams are creating specific new challenges and have a clear vision on where to leverage the know-how of the security researchers to support the Jedox Product roadmap.

Q: Anything else you’d like to share with us? 

We really appreciate the work put into our program and identifying potential issues. The exchange with the HackerOne security community has been a great experience, and we are expanding our program and planning to increase bounties in the future.

--

To learn more about the benefits of a bug bounty program, check out HackerOne Bounty