Grammarly CISO Suha Can Discusses the Impact of Preemptive Security with HackerOne

The allure of generative AI and the importance of the basics.

While the advent of generative AI poses new challenges, it's important not to neglect the fundamentals. Implementing measures like MFA, phishing prevention, patching, and addressing misconfigurations should remain a focus. Grammarly has offered an AI-enabled product since before AI was a buzzword and has already launched its own generative AI product: GrammarlyGO. Many CISOs now have to think about how generative AI impacts cyber risk, but for companies that already live in the AI space, it has been easier to see through the buzz and stay true to their threat model.

• “Generative AI tools are new, but most of the existing fundamentals of cybersecurity haven’t changed. It can be easy to get distracted by the shiny thing, but an offensive security team should continue to do what they always do: finding issues in the core ways in which their systems are built and configured.” – Suha Can

Bug bounty helps validate - or invalidate - your security beliefs.

Are we really secure, or do we just feel secure because we’ve deployed controls? As a company’s security maturity increases, it becomes crucial to validate the effectiveness of security programs. This involves assessing factors such as time to remediation, continuous monitoring of security controls, and questioning assumptions. Grammarly views bug bounty as a systemic way to uncover flaws in its attack surface and a way to challenge its controls with unconventional testing methods.

• “Preemptive security is about working to disconfirm your beliefs. The first step is usually doing something like a pentest where you validate your security, but after that, you must start seeking invalidation of your controls. The underlying mantra is that by being humble and second-guessing yourself, you are actually able to be a much better guardian of customer data.” – Suha Can

Value to the board: “Seeing around corners.”

Building products securely requires asset inventory, cloud configuration scans, and static and dynamic analysis, but these measures alone are not sufficient. A combination of scalable and non-scalable security approaches is vital to ensure that all bases are covered and helps reassure your board of directors that you aren’t relying on any single control to keep your crown jewels safe. Grammarly works with HackerOne to catch what the scanners miss and to uncover blindspots in its attack surface - a mission that relies more on the creativity of hackers than on cutting-edge technology. 

• “The main value that I communicate to the board is that HackerOne helps us find out what we don't know and helps us see around corners. That resonates very well with the executive team at Grammarly. It’s not just that we fixed 15 new vulnerabilities this month; it’s typically a bigger conversation where I share anecdotes about how reports have led to more insights and investments.” – Suha Can

Value to the engineers: “Focus and prioritize.” 

Grammarly uses insights and trends from its bug bounty program and other preemptive security initiatives to focus its efforts. Grammarly’s security team conducts a weekly review of vulnerability reports from HackerOne and other preemptive security sources; it then initiates a deeper review of any assets or services with spikes in reports or the potential for variants of recent vulnerabilities. 

• “A vulnerability for a specific service may also apply to other services you have, or a slightly different attack on the same service could succeed. Those additional vulnerabilities aren’t in the report you receive from the hacker, but because you get that first report now you can investigate further and uncover any additional issues. This also leads to attack surface reduction and a ‘defense in depth’ style hardening across your systems.” – Suha Can

Measuring bug bounty program health.

Grammarly’s key indicator of bug bounty program health is the number of unique researchers submitting valid vulnerabilities every quarter. In a world where new bug bounty programs launch every day, maintaining hacker engagement is imperative. Grammarly’s HackerOne program has run for five years, and Grammarly keeps it fresh by adding new scope (like GrammarlyGO, Grammarly’s new generative AI product) and running promotions (like the $100k critical bounty that Grammarly debuted).

• “When I look at my board metrics, the main metric I convey to the board about the health of my bug bounty program is the number of unique researchers that have reported at least one vulnerability in a given quarter. The program is only as good as the engagement from researchers, and researchers can spend their time on any program.” – Suha Can

This conversation between Suha and Alex underscores the importance of a preemptive approach to cybersecurity. Embracing AI advancements while maintaining a strong foundation in fundamental security practices is paramount. At the same time, the power of bug bounty programs to validate (or invalidate) security measures by tapping into the perspective of an attacker is undeniable. As the cybersecurity landscape continues to evolve, we hope these insights provide guidance as you navigate this complex and ever-changing domain.