Guest post by Jan Spitalnik, CTO of subscription video on demand service, Showmax
Maintaining a video streaming service across the whole of Africa is challenge enough, without the added pressure to secure customer data and protect the security of our shows and movies. Asking people to find ways to breach our systems can be painful, and sometimes humbling, but it’s ultimately the best way to ensure security.
Our reputation is everything
Africa may by and large have leapfrogged fixed-line connectivity and gone straight to mobile, but online payments are still far from the norm and are often viewed with suspicion. That means our first challenge is gaining customer trust and, once gained, we want to hold onto it and maintain it. With legislation like GDPR and various local privacy laws becoming the norm everywhere we operate, we are acutely aware of the significant penalties for exposing customer data.
On the other side, our business relies on studios having confidence in our ability to protect the security of their flagship TV shows and movies. In this kind of environment, where a breach could be fatal for the company, proper security testing is vital, and this is where our bug bounty program comes in.
Preparing for an attack we never imagined
Our bug bounty program means we have people testing our security and devising attacks that we hadn’t thought of and couldn’t have predicted. Actively inviting people to find ways to break our systems can be painful and at times humbling, but we know it’s in our best interest to have this layer of scrutiny in our security strategy. We refine the scope all the time - we want people to examine our website, mobile and TV apps, but if they find something on an ancillary site that they believe has significant value, we will take a look at that too. In the three years the program has been running, we’ve continued to refine the list of vulnerabilities we’re looking for and rewarding. Broadly, we want to know about vulnerabilities through which bad actors could gain access to user data or studio content, or cause service downtime. We’re currently looking to hear about authentication issues, PCI non-compliant data sharing, access to internal data, SQL injection and cross-site scripting. Brute forcing of user passwords, however, we handle ourselves.
During the course of the program, we’ve had a number of near misses. One example is when a hacker uncovered a bug with massive reputational risk, whereby rogue emails could appear to come from the Showmax domain without being picked up by spam filters. There was also a potential, though fortunately never exposed, risk where a payment system could be fooled into granting access to our service. Overall, over the past three years, we have paid out more than $30,000 in bounties for over 130 valid vulnerabilities. We pride ourselves on our speed to resolution - it usually takes just a couple of hours from report to resolution. Speedy resolution helps security by ensuring the bug is fixed before it can be exploited by anyone else, but it also has the added benefit of strengthening our relationship with the hacker community. Our hackers recognise that our program will respond and pay out in good time, meaning they keep coming back to hack for us.
Growing bug bounties
As our customer base grows and we expand geographically, we are increasing the scope of our bug bounty program with additional devices and functionality. We’re constantly surprised and pleased by the HackerOne community of hackers. I’d recommend that anyone thinking about their offensive security engage with hackers, as the attacks we see simulated are often ones we never would have considered, and the potential damage to the service and company reputation would far outweigh the cost of a managed bug bounty program.
Making sure that you set hacker expectations, and meet them through speedy resolution times, will ensure that relationships with your hackers stay positive and keep them coming back. I’d also recommend being transparent about the process to resolution and honouring the researcher's part in that process with thanks or bonuses for stand-out work.
For anyone who wants to find out more about how they can help us secure Africa’s leading streaming service, you can visit our program page at https://tech.showmax.com/security or our HackerOne program page https://hackerone.com/showmax.