This is where ethical hackers come in. During a recent panel at Infosecurity Europe, we heard from security professionals at Zoom and Salesforce, as well as hacker Tom Anthony, about the cybersecurity challenges organizations face and hackers’ critical role in addressing those challenges. Here’s what we learned.
What Are the Challenges?
The drive for new releases and deployments pushes teams to produce at incredibly high speeds. As a result, teams increasingly bring in automated tools to reduce the time spent on critical tasks and boost productivity. However, those tools must be secure, and security teams only have so much time to thoroughly test and vet new integrations.
Organizations are rapidly increasing the pace at which they release new and more diverse products as they see greater diversification of use cases, as Zoom saw during the pandemic when teaching and medicine went online. Teams dedicated to ensuring deployments are secure must work smart to keep pace. In the case of Zoom, this means evolving the security program to set up long-term success with various teams focused on securing a rapid release cycle, covering everything from crypto to bug bounty.
Speed has been an overarching theme of challenges in security environments — faster deployments, faster task completion, faster growth. Another challenge: cybercriminals thrive in an environment where things move fast. A newly released product is fertile ground for attackers. With the increasing demand for quick releases with limited resources, organizations can easily make mistakes, and bad actors can stealthily exploit them.
How Do Ethical Hackers Address Security Challenges?
1. Secure Business Development and Growth
Mergers, acquisitions, and other growth initiatives are critical business strategies, but they are also dangerous sources of security vulnerabilities. While your security team holds down the internal fort, it can be challenging to allocate resources to vet the security of partner organizations.
For Seema and her team at Salesforce,
“As we make acquisitions, we partner with HackerOne and trusted hackers to gain a solid understanding of our adjusted security posture. Our go-live checklist for new acquisitions includes running targeted campaigns with world-class hackers to find issues with newly acquired products.”
2. Supplement Existing Security Teams
Even with the largest, most experienced security team, there will always be more vulnerabilities that need expert attention. When leveraged properly through bug bounty programs, the hacker community can function as an extension of your team, as they do with Zoom.
Since 2019, Zoom has worked with approximately 900 hackers, 300 of whom have submitted valid vulnerabilities for the Zoom team to remediate. Zoom has paid out over $7 million in bug bounties.
“It’s a substantial investment, but the returns are worth it,” says Michael. “We harness world-class talent to find real-world solutions before it’s a real-world problem.”
3. Address Untargeted Scopes
As we’ve mentioned, keeping up with the pace of development is a perpetual challenge for security teams — and things aren’t slowing down. There’s a significant difference between targeting specific, identified vulnerabilities and tackling an untargeted scope. Going in without a clear target is often necessary to catch unidentified vulnerabilities but is much more time-consuming for security researchers. As hacker Tom Anthony explains, “With pentesting, you have someone come in with certain core competencies and work through a checklist on a specific scope. With bug bounty, you have this huge, untargeted scope that hackers are looking at.”
How Do You Assess Your Bug Bounty Program?
While every organization has different goals, there are some universal methods by which any organization can assess its bug bounty programs.
Return on Investment (ROI)
Whether paying bug bounties or bringing on more full-time security researchers, CISOs and their teams need to showcase the ROI of cybersecurity initiatives. Based on the volume of vulnerabilities identified and bounties paid, the ROI of tapping into the hacker community is substantial. For Seema and her team at Salesforce, it’s a no-brainer: “From an ROI perspective, bug bounty is one of the most effective programs in our security strategy.”
Vulnerability data is also critical to evaluating the success of a bug bounty program and actioning mitigation protocols. For Michael at Zoom, “We use bug bounty data to identify systemic challenges and repeated vulnerabilities and then build threat models for engineers. We measure vulnerabilities, comply with standards, and report on incidents.” Every piece of vulnerability data helps the Zoom team assess how to remediate and mitigate moving forward.
Zoom also uses powerful vulnerability scoring criteria to ensure strategic prioritization of bounties. Michael explains, “Our Vulnerability Impact Scoring System (VISS) feeds our bug bounty payouts, and we prioritize payments for vulnerabilities that really matter to us; we want hackers focused on critical vulnerabilities, so we orient payouts based on the most critical bugs.”
Salesforce also puts specific emphasis on the severity of vulnerabilities. According to Seema, “The findings from the program help enhance our preventative security efforts from the inside out. Our engineering team reviews each report, prioritizes according to the severity, and uses the data to better understand and protect against malicious hackers.”
Another essential factor in bug bounty program success is the engagement and attraction of hackers in your program. At Salesforce, Seema and her team “measure researcher engagement and consistently evaluate how they can continue to iterate on and improve our program to grow and retain their community of researchers.”
Tom, speaking from a hacker’s perspective, looks for a few different things when evaluating a program.
“When I’m looking at a new program, I will look at the metrics in terms of time to triage and bounty and to what degree the program is hitting those metrics.”
He also recommends organizations explore both public and private programs. Tom says, “You will have a large number of researchers finding low-level vulnerabilities in a public program, while a private program allows you to have an elite group of hackers really digging in and finding those critical vulnerabilities.”
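The assessment criteria discussed above (time to triage and time to bounty against targets, severity distribution, recurring weakness classes that point to systemic issues, researcher retention, and whether payout dollars are concentrated on the findings that matter most) can be computed from a program's own report data. The script below is an added example, not code from HackerOne, Zoom, or Salesforce, and it does not implement Zoom's VISS, whose details are not on this page. The report schema, the 48-hour triage and 14-day bounty targets, and the seven sample reports are all constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Report:
    """One valid bug bounty report (constructed schema, not a real platform export)."""
    report_id: str
    researcher: str
    weakness: str                     # weakness class, used for systemic-trend analysis
    severity: str                     # "critical" | "high" | "medium" | "low"
    submitted: datetime
    triaged: Optional[datetime]       # None = still awaiting triage
    bounty_paid: Optional[datetime]   # None = no payout yet
    bounty_usd: int


# Constructed sample data: seven reports submitted over one week. Not real program data.
_T0 = datetime(2024, 1, 1)


def _at(days: int = 0, hours: int = 0) -> datetime:
    return _T0 + timedelta(days=days, hours=hours)


SAMPLE_REPORTS: List[Report] = [
    Report("R1", "alice", "xss",             "high",     _at(0), _at(0, 24),  _at(10), 2000),
    Report("R2", "bob",   "idor",            "critical", _at(1), _at(1, 12),  _at(6),  10000),
    Report("R3", "alice", "xss",             "medium",   _at(2), _at(2, 72),  _at(22), 500),
    Report("R4", "carol", "ssrf",            "high",     _at(3), _at(3, 36),  None,    0),
    Report("R5", "dave",  "info-disclosure", "low",      _at(4), None,        None,    0),
    Report("R6", "bob",   "idor",            "high",     _at(5), _at(5, 6),   _at(8),  3000),
    Report("R7", "erin",  "rate-limiting",   "low",      _at(6), _at(6, 100), _at(36), 100),
]


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def response_metrics(reports: List[Report], triage_target_hours: int = 48,
                     bounty_target_days: int = 14) -> Dict[str, float]:
    """Time-to-triage and time-to-bounty: the first numbers a researcher checks on a program.
    Targets are assumed values; substitute the SLAs your program actually publishes."""
    triage_hours = [_hours(r.submitted, r.triaged) for r in reports if r.triaged]
    bounty_days = [_hours(r.submitted, r.bounty_paid) / 24 for r in reports if r.bounty_paid]
    return {
        "awaiting_triage": sum(1 for r in reports if r.triaged is None),
        "median_hours_to_triage": median(triage_hours) if triage_hours else 0.0,
        "triage_within_target": sum(h <= triage_target_hours for h in triage_hours),
        "triaged_total": len(triage_hours),
        "median_days_to_bounty": median(bounty_days) if bounty_days else 0.0,
        "bounty_within_target": sum(d <= bounty_target_days for d in bounty_days),
        "paid_total": len(bounty_days),
    }


def severity_breakdown(reports: List[Report]) -> Dict[str, int]:
    """How many valid findings landed at each severity."""
    return dict(Counter(r.severity for r in reports))


def systemic_weaknesses(reports: List[Report], min_count: int = 2) -> Dict[str, int]:
    """Weakness classes that recur across reports: the input for threat models and
    engineering-wide fixes rather than one-off patches."""
    counts = Counter(r.weakness for r in reports)
    return {w: c for w, c in counts.most_common() if c >= min_count}


def researcher_engagement(reports: List[Report]) -> Dict[str, int]:
    """Breadth of the researcher community and how many keep coming back."""
    per_researcher = Counter(r.researcher for r in reports)
    return {
        "unique_researchers": len(per_researcher),
        "repeat_researchers": sum(1 for c in per_researcher.values() if c >= 2),
    }


def payout_focus(reports: List[Report], high_impact=("critical", "high")) -> Dict[str, int]:
    """Share of bounty dollars that went to high-impact findings, i.e. whether payouts are
    oriented toward the bugs the program most wants researchers to hunt."""
    total = sum(r.bounty_usd for r in reports)
    focused = sum(r.bounty_usd for r in reports if r.severity in high_impact)
    return {
        "total_usd": total,
        "high_impact_usd": focused,
        "high_impact_pct": round(100 * focused / total) if total else 0,
    }


def program_scorecard(reports: List[Report] = SAMPLE_REPORTS) -> Dict[str, object]:
    """Single view of the metrics above for a quarterly program review."""
    return {
        "response": response_metrics(reports),
        "severity": severity_breakdown(reports),
        "systemic": systemic_weaknesses(reports),
        "engagement": researcher_engagement(reports),
        "payouts": payout_focus(reports),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(program_scorecard(), indent=2, default=str))
```

On the constructed sample the scorecard shows one report still awaiting triage, two recurring weakness classes (xss and idor) that deserve a threat-model pass rather than another point fix, and 96% of bounty dollars going to critical and high findings. Run against a real export, the same functions give the ROI, prioritization, and engagement evidence the panelists describe, and the two SLA counters are what a researcher like Tom is checking when deciding whether to invest time in a program.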
Make the Most of Your Bug Bounty Program
Ethical hackers play a critical role in assisting security teams and managing vulnerabilities. It’s paramount that organizations not only see the value of the hacker community for their security initiatives but also engage that community effectively with strategies that are most beneficial to everyone. Contact the team at HackerOne to ensure you’re getting the most out of your bug bounty program, or get started with a new, leading program today.