How Hackers Can Strengthen Cloud Security for Applications
In this session at our 5th annual global cybersecurity conference, HackerOne’s Tim Matthews sat down with Josh Bressers, Tech Lead of Product Security at Elastic, to discuss cloud security for applications. They focused on the challenges around cloud security and the role of hacker-powered defensive efforts. Josh’s organization, Elastic, is the leading enterprise search company with expertise in building self-managed services for search, logging, security, and analytics use cases.
What Does the Rise of Cloud Mean?
According to Bressers, “It was easy to believe that your systems were secure in the past. They were behind a firewall. There were clear perimeter defenses. Maybe you even needed to be inside a physical building to gain access to your network.”
With the rise of the cloud, attack surface areas increased, and cyberattacks grew exponentially, meaning more significant risk. Did Bressers agree?
“Yes and no. I wonder if we weren't fooling ourselves before,” said Bressers, who hosts two podcasts, the Open Source Security Podcast, and HackerHistory.
“It's clear the attackers didn't get the memo that information was protected behind the firewall. I think the one advantage cloud gives you now is you can't pretend you have these defenses. Your system is sitting on the internet. People log into it. The cloud makes us more honest because you can't pretend to have some protection.”
This wide-ranging and engaging conversation between Bressers and HackerOne CMO Tim Matthews touched on several issues in the world of cloud security. But Bressers kept returning to one theme. Information security professionals always need to be ready for new threats.
“My life could be turned upside down by some unexpected exploit or attack,” he said. “It could be something that no one knows about today, but we're all going to know about tomorrow. You wake up in the morning, and it's like, 'I have no idea what will happen when I open my email box.’ But that's our life every day.”
How Working With Hackers Helps Elastic Face Unknowns and Improve Cybersecurity
It's why, when Matthews asked what vulnerabilities keep Bressers up at night, he struggled to respond with any specifics. What he worries about most is what he doesn't know.
“There's that quote from Donald Rumsfeld about how there's known knowns, known unknowns, and unknown unknowns. There's just a lot we don't know about our infrastructure and attackers.”
That said, Bressers said he does know one thing. “There's great value in working with organizations like HackerOne that are on the cutting edge of cybersecurity and have unique expertise in combating malicious attacks.”
Elastic open-source software is the behind-the-scenes engine powering search activity on thousands of corporate websites. The company has a wide array of products that, in turn, expand the potential attack surface.
Elastic’s Private HackerOne Bug Bounty Program
A few years ago, Elastic quietly began working with HackerOne to slowly ramp up a private bug bounty program to marshal the collective power of researchers to identify vulnerabilities. The results?
“HackerOne helps me sleep at night because I feel like some of those unknowns, these hackers are going to help me find them,” Bressers said. “It's been an amazing experience. HackerOne has been a great partner for us. We've been super, super happy.”
That partnership, which Elastic talked about publicly for the first time at Security@ 2021,, works well for several reasons. For one, hackers in the bug bounty program are very good at identifying security gaps. Also, the company culture at Elastic focuses on fixing problems, not placing blame. There’s no finger-pointing when a vulnerability is found. Bressers said, “I usually can’t even tell you what team is responsible for problems. But everyone is responsible for coming up with solutions.
“There's genuine excitement when an issue surfaces. One example was an incredibly subtle flaw in a node YAML processor uncovered by a bug bounty hunter. We were like, 'How did this get in there?'” Bressers recalled. “But we love that kind of stuff. We send these bugs to the developers, and 99% of the time, they say, 'Holy cow, how did they find this?' They're intrigued.”
Elastic even asks hackers to record videos where they demo the bug—a creative way to share vulnerability intelligence and useful as teachable moments to help the teams improve.
“That's really cool because now we have the connection from the developer back to the hacker. They’re working together. Working with HackerOne makes it even more powerful and worthwhile for our developers.”
How to Show the Value of Investing in Security Programs
Of course, one challenge for all infosec teams is showing leadership the value of investing in security efforts. Many organizations and departments see security as a cost center. Discussions about adding hacker-led security programs can be even more sensitive. Bressers said, “The key is putting the cost of hacks into perspective. Is it more cost-effective to put money into a bug bounty now or risk the fallout of a full-blown hack later?”
“You have to think about your business,” he said. “Where are you making your money? What happens if you have more vulnerability or less vulnerability? I don't necessarily think that there's an easy answer. But I think it's an easier conversation than it probably was five years ago when you talk about hackers, bug bounties, and all that stuff. It comes up in polite conversation on a pretty regular basis now.”
Positive Change in Cloud Security Industry-Wide
As for industry-wide cloud security, Bressers believes positive changes are coming. He believes that greater government regulation is on the horizon, although that could be a mixed blessing. With the addition of better security tooling and programs like HackerOne, he said, “It feels like the good guys are getting their act together.”
“It's easy to be downtrodden in this industry,” Bressers said. “But what gives me hope is I look at everything happening on the planet today. When it comes to security, I see lots of organizations and governments paying attention. In the past, there was often this attitude that there's nothing we can do. Let's just throw our hands in the air. I don't see that anymore, and that’s inspiring.”
Register here to watch this entire discussion and all of the Security@ presentations.