Kayla Underkoffler
Lead Security Technologist

How VDP Aligns With Zero Trust

Government agency implementing Zero Trust with a VDP

The principles of Zero Trust are built on the truth that breaches will happen. External forces will make their way into internal systems. Zero Trust doesn’t therefore assume that everyone within the network is “safe.” Instead, Zero Trust is about building an architecture and environment that requires people and technology to regularly prove they are who they say they are and that they are authorized to be there. 

I understand the importance of Zero Trust but, personally, I’ve had a hard time bridging the gap between how the world of vulnerability disclosure and ethical hacking aligns with Zero Trust when trust is a critical component of vulnerability disclosure. Does a security practice built on trust still align with the principles of Zero Trust? 

Maintaining a "see something, say something" policy that empowers strangers to report vulnerabilities actually aligns perfectly with Zero Trust. When an organization establishes a vulnerability disclosure policy, they are saying, "While we put in the hard work to make sure our technology was built securely, we don’t TRUST that it will remain that way forever." In order to continuously check and validate that technology remains secure, we should engage with and depend upon the outside voices of experts. Enabling external testers to validate the continuous security of external-facing assets is a core component of Zero Trust, and establishing a Vulnerability Disclosure Program (VDP) is how you can accomplish this.

How to Apply Zero Trust Through VDP

The five core principles of Zero Trust are:

  • Identity
  • Devices
  • Networks
  • Applications and Workloads
  • Data

These pillars are covered in depth in the Zero Trust Maturity Model, created by CISA as a guide to achieve modernization efforts for any organization. Let’s focus on three different pillars where VDP shines as an asset to ensuring the intent of the pillar is met. 

1. Identity: Validating Access Management and Authentication

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) is a weakness type, affecting hardware and software, that encompasses situations where data is exposed to a user or system that was not intended to interact with the data. The underlying technological issue that caused the exposure can come from many sources but the end result is that sensitive data is compromised. When we look at vulnerability reports on the HackerOne platform, there have been over 50,000 valid vulnerability reports from the hacking community where CWE-200 is linked as a component of the submission. Although validating access management and proper authentication are core principles within the Identity pillar, the number of reports that are still referencing exposure of sensitive information to an unauthorized user has actually increased by 12% over the past 12 weeks (since this blog’s publication date). The ongoing prevalence of CWE-200 demonstrates the requirement for continuous monitoring and testing for this type of weakness. 

2. Devices: Asset and Supply Chain Risk Management 

Best practice states that VDPs should be open for any and all assets, not specifically based on a set scope. This can lead to you receiving reports for assets that do not belong to you, but instead to a partner in your supply chain. When everyone has a VDP, the process of passing along vulnerability reports to the proper channel of your own supply chain network becomes infinitely more streamlined. Requiring all your vendors to have a VDP sets you up to be able to ensure proper vulnerability identification and remediation processes are in place, which will limit the risk to your own environment. 

3. Applications and Workloads: Thorough Testing of Applications

When the community is empowered to report vulnerabilities, there is a vast and diverse force continuously testing against your applications and infrastructure. The vulnerabilities reported through a VDP establish a feedback loop that can be plugged directly back into the development process to help level up an organization’s secure development practices. Every vulnerability reported by an outside finder should be analyzed, perpetually asking the question, “How could we have caught this earlier?” The more continuous testing by unique outside perspectives, the better feedback for development teams to build better applications from the ground up.

Implement a VDP for Your Zero Trust Security

VDP is a strong validation tool to ensure that the work teams are putting into creating an architecture truly meets the intent Zero Trust model. Having a vast network of ethical hackers who are continuously searching to find issues and ensure they are reported to the proper channel provides unparalleled value for the technology and security teams of any organization. HackerOne is the leading provider of VDP services, helping organizations to establish mature channels to accept vulnerabilities, as well as providing the follow-on analysis and triage capabilities to assess vulnerabilities as they are reported. To learn more about how to integrate VDP for your Zero Trust security program, contact the experts at HackerOne.

The 8th Annual Hacker-Powered Security Report

HPSR blog ad image