We recently sat down with Wendy Ng, Principal Cloud Security Architect at OneWeb, to talk about their experience with their private HackerOne bug bounty program. Wendy shared OneWeb’s approach to fortifying their cloud and application security and why the organization believes the expertise of hackers can best protect the valuable assets under their purview. Read this Q&A to hear why OneWeb considers the hacker community key to safeguarding the systems that support LEO satellites.
Tell us who you are.
Hi, I’m Wendy Ng, OneWeb's Principal Cloud Security Architect and part of the Shared Services team that supports and protects every part of our organization, its infrastructure, assets, partners, and customers. With a background in infrastructure and cloud security, I’m a trained scientist with a doctorate in Medical Genetics from the University of Oxford. That training and focus on collaboration have influenced my desire to share knowledge and experience with the community as part of my career in cybersecurity.
Having written over 70 blogs, including an article for the Cloud Security Alliance, I’ve also had the privilege of sharing experiences and observations from the industry at conferences, including keynotes at Blackhat and the Financial Times Live webinar series. I am very much a technophile: I believe science and technology will help to propel progress and development.
Why is cyber resilience so crucial to OneWeb?
We are a satellite telecommunications company specializing in using low Earth orbit (LEO) satellites for egalitarian broadband connectivity in the hardest-to-reach places on Earth. Despite the criticality of the internet for our digitized way of life, access can be patchy or non-existent for large areas of the globe. And even in developed nations such as the U.S. and U.K., there are areas where reliable, fast, and affordable broadband connectivity is not available.
Given the importance of the internet as the infrastructure that handles some of our most sensitive information and critical activities, safeguarding the systems that support our solution is critical for OneWeb. With the Shared Services team’s decades of practical experience in protecting organizations against cybersecurity attacks, we’re also pragmatists and understand that controls need to be proportional to stakeholder requirements.
We strongly believe in “Security through Transparency” rather than the legacy “Security through Obscurity” approach. For this reason, we started a Vulnerability Disclosure Program (VDP) with HackerOne in July 2021, moving on to a private bug bounty program in March 2022. We aim to make our program fully public in the near future.
Tell us about your digital online services.
In addition to being a technology-focused satellite communications company, we’re also a modern digitized organization with cutting-edge business and operational systems. Aligned with OneWeb’s ‘Cloud First’ approach and to better support the business, these services and systems are available online, which helps support usability but significantly increases the attack surface for the organization and our stakeholders.
As a business, we adhere to the principle of Secure by Design. However, no practice, pattern, standard, or principle is perfect. The community of specialist hackers through the HackerOne program has been invaluable in securing our assets and driving behavioral change across development and delivery teams at OneWeb.
Tell us about a time a hacker helped you spot and fix a vulnerability trend.
OneWeb is a cloud-first organization, and where possible, our preference is to leverage SaaS offerings for ease of use and minimize management overhead. One disadvantage of SaaS offerings is that performing specific pentesting is not usually possible. With the HackerOne program, however, we have been able to include a level of assurance, even on third-party systems, thanks to specialists in the community.
One example of excellent work from a community member involves identifying a crucial reflected XSS vulnerability in a SaaS product under the oneweb.net production system. OneWeb’s internal development team submitted a report to the SaaS vendor, who released a patch for all of their customers (a vulnerability assigned a CVE with a 6.3 CVSS score for the potential release of customer information). As a result, our bug bounty program directly improved the security of a major vendor’s SaaS product.
How have hackers helped you harden your attack surface?
The HackerOne community has been thorough, professional, responsive, and keen to deep-dive and help us explore issues! Reports from them have been detailed, often with step-by-step guides and videos demonstrating the vulnerabilities they identified.
One significant finding identified information that was accessible in a manner we didn't approve. This finding helped us improve select information management and governance processes, introduce new monitoring and detection capabilities, and harden the attack surface as a result.
How do you recommend using vulnerability insights to train internal teams?
Three key activities need to happen once a HackerOne report is submitted:
- Fully triage and understand the finding, confirm its validity, and (where risk warrants) assign remedial action to the appropriate team;
- Work with the team concerned and the HackerOne community member to resolve the issue (and retest afterward); and
- Look to introduce processes, procedures, patterns, or controls that will reduce the likelihood of similar vulnerabilities in the future.
Unfortunately, many organizations fail to tackle the third step, which is arguably the most important!
How do you report on the value of working with hackers?
Where possible, in executive reporting, we highlight the financial, reputational, or business damage that could arise from an identified vulnerability remaining active – in some cases, the business value of HackerOne community findings has far exceeded our entire annual bug bounty budget! We group these savings into three categories:
- Resource savings for our internal team that doesn’t have to spend time threat hunting.
- Financial savings, in terms of reducing costly third-party penetration testing.
- Avoiding fines or customer reparation due to vulnerabilities that might be found too late.
Generally, every valid report submitted by the HackerOne community reduces our attack surface and informs and trains internal teams in secure development and information handling practices.
Further, we are in the process of growing an internal Red Team. Still, the force multiplier available to us through the HackerOne program allows that team to focus more on internal systems and assets that are not exposed to the internet, ultimately providing resource savings for that team.
What advice would you give to others planning to start a bug bounty program?
Our strongest advice is “don’t rush.” It’s easy to get excited about the immense value the HackerOne community provides and send too many invitations to a private program or open the program to the public before you are ready to handle the increase in workload.
Our approach has worked well. We started with a Vulnerability Disclosure Program (no bounties, but an opportunity to tackle the low-hanging fruit), then moved on to a private bug bounty once we believed our internal teams were ready to handle triage and remediation.
No matter how secure you believe you are, be prepared for some surprises. Do not assume the workload from HackerOne reports will be light, and remember that working on false positives and valid findings takes time and effort.
Our final piece of advice: ensure your Legal team is fully on board with your program before you start – you will be interacting daily with a community of hackers, a concept that takes some getting used to 😊.
What’s the biggest lesson you’ve learned from hackers?
The main lesson OneWeb has learned is that vulnerabilities and information exposures are found quickly. It is no longer the case that you can get away with exposing something vulnerable for a few hours and hope nobody notices! This reinforces our push to ensure security testing, vulnerability analysis, and security QA is embedded in every delivery pipeline.
Anything else you’d like to share?
To get the greatest value from your bug bounty program, it’s crucial to be open, communicative, and friendly with the hacker community. Through transparency, generosity, and good communication, we have built a group of trusted, expert hackers that invest their time to understand our business and the value of specific assets to our organization. These efforts have resulted in more focused reports and some initial triage done for us!
Remember, the HackerOne community is not just in this for the cash; they are keen to make the internet, and the world, a safer place.
Click here for more information about bug bounty programs.
Click here if you are a hacker interested in joining OneWeb’s bug bounty program.