One year after launching their private bug bounty program on HackerOne, we sat down with financial services provider Saxo Bank’s CISO, Mads Syska Hasling, to get his insights and learnings from 12 months with a bug bounty program. Read on to see how Saxo Bank thinks about digital security as a non-negotiable for their customers and partners, how bug bounty fits into the broader security program, and advice to other CISOs and stakeholders on leveraging hacker-powered security.
Q: Tell us a bit about yourself.
I’m Mads Syska Hasling, CISO at Saxo Bank. I run the first-line security organization in Saxo Bank, covering Information and Cyber Security Risk Management, Fraud Management, Security Operations Center, Security Architecture and R&D, Information Security Assurance, and Security Testing/Tiger Teaming.
Q: Why is cybersecurity important to Saxo Bank?
Saxo Bank is a financial services provider giving both direct customers and partners access to the global financial markets. Saxo is truly a digital company with all our customer services being highly digitalized. We are, therefore, highly dependent on being able to deliver secure and robust services to our customers – they rightfully expect it and we want it to set us apart.
Q: What do you and your teams like about hacker-powered security?
Security is the responsibility of everyone at Saxo Bank. Ensuring the whole organization feels empowered to build a secure product and service means the security team is seen as a collaborative business unit, supporting staff in their work rather than seen as slowing things down. Our bug bounty program epitomizes this culture of collaboration by asking for outside help in finding and fixing vulnerabilities we otherwise wouldn’t know about. Getting into that “hacker mindset” is really important; most people don’t start with: “I wonder how can I break this?” but that’s what the cybercriminals are thinking.
Q: What’s the biggest lesson learned in the first year of your bug bounty program?
That some bugs can survive many years of traditional security testing…
Q: Has hacker-powered security helped you make improvements to the SDLC?
Hacker-powered security is definitely a part of a modern SDLC: knowing what vulnerabilities exist in products means developers are in a better position to look for common weaknesses before code is pushed to production. Hacker-powered security helps us as we continuously strive to improve our DevSecOps processes.
Q: How do you demonstrate the success of your bug bounty program?
The bug bounty program is one of many elements and does not stand alone in my reports to the board or other key stakeholders. We very closely monitor the engagement of the program’s hackers, including what functions they test and how long they spend testing our applications. Our advice to hackers coming to the program is to look deep in the applications or search for errors in the business logic, as this is what we really want to see more of.
Q: Any advice for other CISOs planning to start a bug bounty program?
Having more eyes and creative mindsets to help you reduce risk is never a bad thing. I advise other CISOs to be brave enough to recognize they have weaknesses and to ask for help finding them.
Q: What are the next steps for hacker-powered security at Saxo Bank?
Our long-term vision is to have a public bug bounty program! As we run our platforms and services as SaaS, we release new features and functionalities almost daily so having that continuous testing is key. I’d like to see hackers return each time and go deeper every time.
Q: Anything else you’d like to share?
Nothing comes for free. You have to work with the findings to get them fixed – this requires a lot of internal stakeholder management, so keep that in mind.