How Trustpilot Manages Risk by Working with Ethical Hackers
At our 2021 Security@ conference, we spoke with Stu Hirst, CISO at consumer review site Trustpilot. Trustpilot’s mission is to create an independent currency of trust between consumers and businesses, and cybersecurity plays a central role.
Trustpilot, a cloud-first company with little physical infrastructure, relies on external security testing to ensure its products are resilient to cyberattacks. During a Fireside Chat, Stu explained why he believes combining a continuous bug bounty program and point-in-time security assessments is the ideal solution to minimize cyber risk.
Below is a summary of the discussion.
Hackers Assess Real-World Product Risk
Most security testing engagements expose assets to a checklist of techniques. But when hackers run assessments, they also provide a more practical evaluation of how an asset will stand up to real cyberattacks. Trustpilot uses HackerOne Assessments to expose products to hackers’ creativity and expertise, which more accurately reflects real-world risk.
However, it’s not just the types of testing that are important. Organizations also need access to a broad range of testing skills. A common approach is to rotate testing providers to access a wider pool of expertise. This has an obvious benefit but also presents challenges, as providers typically have different processes and deliver vulnerability reports in different formats, making it hard to standardize remediation.
The HackerOne platform makes it easy to rotate hackers between engagements, ensuring Trustpilot’s products are exposed to a wide range of testing expertise. It also provides detailed, high-quality reports in a consistent format that integrates with Trustpilot’s security and development workflows.
Combining Continuous and Point-in-Time Assessments
An effective way to minimize risk is by combining ongoing testing with point-in-time testing. For Trustpilot, this means combining a public bug bounty program with frequent HackerOne Assessments.
Ongoing programs like bug bounty and Vulnerability Disclosure Programs allow hackers to be creative and use their expertise in ways that closely mimic bad actors, making them a simulation of real-world risk. By contrast, for product and patch releases, Trustpilot needs a lot of testing completed within a short period. Assessments meet this need through intensive, tailored testing engagements that can be scheduled and completed quickly to support release timelines.
Maximizing the Value of Reported Vulnerabilities
While finding and fixing vulnerabilities is the main objective of any security testing program, it isn’t the only objective. Trustpilot maximizes the value of each reported vulnerability in several ways:
- Learning lessons. Studying vulnerability reports and trends helps Trustpilot’s security and engineering teams understand how issues creep in and where security controls are lacking. This information helps to improve internal processes and find vulnerabilities earlier in the development cycle.
- Informing training and culture. Trustpilot has a positive culture that focuses on collaboration between security and engineering, and on ongoing education. When the company identifies trends in vulnerability reports, it uses that information to improve training for both teams, helping to eliminate similar vulnerabilities from future code.
- Uncovering areas of risk. Hackers often delve into niche areas of the company’s technology stack and product range that may not be a current security testing focus. This helps to uncover security weaknesses in areas that might not have been targeted by time-bound assessments.
- Two-way communication. The HackerOne platform makes it easy for engineers to communicate with hackers to ask questions about reported vulnerabilities, discuss possible remediations, and request retests for fixed vulnerabilities.
Tips for Getting Started with Bug Bounty
Throughout the session, Stu highlighted the value of combining an ongoing bug bounty program with point-in-time assessments. After years of running public programs for multiple companies, Stu has some valuable recommendations for organizations looking to get started:
- Learn from other organizations. Many organizations are open about how they structure and grow bug bounty programs. If you’re interested in starting your own, read their online program information and reach out to them personally if you have questions.
- Start small. Set a small initial scope for your program, for example, target one product. Stu explains that a new bug bounty program usually finds more vulnerabilities than you expect, so starting with a broad scope can result in more reports than you can handle. By starting small, you’ll get quick results without overwhelming internal resources.
- Keep refining. Continually refine the scope of your program in terms of which assets are included, the types of vulnerabilities you’ll pay for, and the techniques hackers are allowed to use. Over time, you’ll learn what you do and don’t want to be reported. The more you refine your program, the greater the program’s business value.
- Learn from the experts. Stu recommends working with HackerOne’s program managers to build, refine, and grow your bug bounty program to ensure it meets your needs.
Hackers—The Best-Kept Secret
Hackers are the best-kept secret in cybersecurity. Learn how they can help your organization reduce cyber risk and prevent security breaches. Whatever your role or industry, Security@ has a virtual session to help you improve and refine your security program. Our roster of presenters included security leaders, industry experts, HackerOne customers, technical practitioners, and experienced hackers. Register here to watch the sessions on-demand.